34 files changed, 1575 insertions, 907 deletions
diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h
index be36feabb16a..ab8c6d87f758 100644
--- a/security/apparmor/include/file.h
+++ b/security/apparmor/include/file.h
@@ -15,12 +15,11 @@
 #ifndef __AA_FILE_H
 #define __AA_FILE_H
-#include <linux/path.h>
 #include "domain.h"
 #include "match.h"
 struct aa_profile;
+struct path;
 /*
 * We use MAY_EXEC, MAY_WRITE, MAY_READ, MAY_APPEND and the following flags
diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h
index 734a6d35112c..a4a863997bd5 100644
--- a/security/apparmor/include/match.h
+++ b/security/apparmor/include/match.h
@@ -15,6 +15,7 @@
 #ifndef __AA_MATCH_H
 #define __AA_MATCH_H
+#include <linux/kref.h>
 #include <linux/workqueue.h>
 #define DFA_NOMATCH                     0
@@ -27,7 +28,7 @@
 * The format used for transition tables is based on the GNU flex table
 * file format (--tables-file option; see Table File Format in the flex
 * info pages and the flex sources for documentation). The magic number
- * used in the header is 0x1B5E783D insted of 0xF13C57B1 though, because
+ * used in the header is 0x1B5E783D instead of 0xF13C57B1 though, because
 * the YY_ID_CHK (check) and YY_ID_DEF (default) tables are used
 * slightly differently (see the apparmor-parser package).
 */
diff --git a/security/capability.c b/security/capability.c
index 2a5df2b7da83..ab3d807accc3 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -12,11 +12,6 @@
 #include <linux/security.h>
-static int cap_sysctl(ctl_table *table, int op)
-{
-        return 0;
-}
 static int cap_syslog(int type)
 {
        return 0;
@@ -59,6 +54,11 @@ static int cap_sb_copy_data(char *orig, char *copy)
        return 0;
 }
+static int cap_sb_remount(struct super_block *sb, void *data)
+{
+        return 0;
+}
 static int cap_sb_kern_mount(struct super_block *sb, int flags, void *data)
 {
        return 0;
@@ -118,7 +118,8 @@ static void cap_inode_free_security(struct inode *inode)
 }
 static int cap_inode_init_security(struct inode *inode, struct inode *dir,
-                                   char **name, void **value, size_t *len)
+                                   const struct qstr *qstr, char **name,
+                                   void **value, size_t *len)
 {
        return -EOPNOTSUPP;
 }
@@ -880,7 +881,6 @@ void __init security_fixup_ops(struct security_operations *ops)
        set_to_cap_if_null(ops, capable);
        set_to_cap_if_null(ops, quotactl);
        set_to_cap_if_null(ops, quota_on);
-        set_to_cap_if_null(ops, sysctl);
        set_to_cap_if_null(ops, syslog);
        set_to_cap_if_null(ops, settime);
        set_to_cap_if_null(ops, vm_enough_memory);
@@ -892,6 +892,7 @@ void __init security_fixup_ops(struct security_operations *ops)
        set_to_cap_if_null(ops, sb_alloc_security);
        set_to_cap_if_null(ops, sb_free_security);
        set_to_cap_if_null(ops, sb_copy_data);
+        set_to_cap_if_null(ops, sb_remount);
        set_to_cap_if_null(ops, sb_kern_mount);
        set_to_cap_if_null(ops, sb_show_options);
        set_to_cap_if_null(ops, sb_statfs);
diff --git a/security/keys/Makefile b/security/keys/Makefile
index 6c941050f573..1bf090a885fe 100644
--- a/security/keys/Makefile
+++ b/security/keys/Makefile
@@ -13,8 +13,8 @@ obj-y := \
        request_key_auth.o \
        user_defined.o
-obj-$(CONFIG_TRUSTED_KEYS) += trusted_defined.o
+obj-$(CONFIG_TRUSTED_KEYS) += trusted.o
-obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted_defined.o
+obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted.o
 obj-$(CONFIG_KEYS_COMPAT) += compat.o
 obj-$(CONFIG_PROC_FS) += proc.o
 obj-$(CONFIG_SYSCTL) += sysctl.o
diff --git a/security/keys/compat.c b/security/keys/compat.c
index 792c0a611a6d..338b510e9027 100644
--- a/security/keys/compat.c
+++ b/security/keys/compat.c
@@ -1,4 +1,4 @@
-/* compat.c: 32-bit compatibility syscall for 64-bit systems
+/* 32-bit compatibility syscall for 64-bit systems
 *
 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
@@ -12,15 +12,58 @@
 #include <linux/syscalls.h>
 #include <linux/keyctl.h>
 #include <linux/compat.h>
+#include <linux/slab.h>
 #include "internal.h"
-/*****************************************************************************/
 /*
- * the key control system call, 32-bit compatibility version for 64-bit archs
+ * Instantiate a key with the specified compatibility multipart payload and
- * - this should only be called if the 64-bit arch uses weird pointers in
+ * link the key into the destination keyring if one is given.
- *   32-bit mode or doesn't guarantee that the top 32-bits of the argument
+ *
- *   registers on taking a 32-bit syscall are zero
+ * The caller must have the appropriate instantiation permit set for this to
- * - if you can, you should call sys_keyctl directly
+ * work (see keyctl_assume_authority).  No other permissions are required.
+ *
+ * If successful, 0 will be returned.
+ */
+long compat_keyctl_instantiate_key_iov(
+        key_serial_t id,
+        const struct compat_iovec __user *_payload_iov,
+        unsigned ioc,
+        key_serial_t ringid)
+{
+        struct iovec iovstack[UIO_FASTIOV], *iov = iovstack;
+        long ret;
+        if (_payload_iov == 0 || ioc == 0)
+                goto no_payload;
+        ret = compat_rw_copy_check_uvector(WRITE, _payload_iov, ioc,
+                                           ARRAY_SIZE(iovstack),
+                                           iovstack, &iov);
+        if (ret < 0)
+                return ret;
+        if (ret == 0)
+                goto no_payload_free;
+        ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid);
+        if (iov != iovstack)
+                kfree(iov);
+        return ret;
+no_payload_free:
+        if (iov != iovstack)
+                kfree(iov);
+no_payload:
+        return keyctl_instantiate_key_common(id, NULL, 0, 0, ringid);
+}
+/*
+ * The key control system call, 32-bit compatibility version for 64-bit archs
+ *
+ * This should only be called if the 64-bit arch uses weird pointers in 32-bit
+ * mode or doesn't guarantee that the top 32-bits of the argument registers on
+ * taking a 32-bit syscall are zero.  If you can, you should call sys_keyctl()
+ * directly.
 */
 asmlinkage long compat_sys_keyctl(u32 option,
                                  u32 arg2, u32 arg3, u32 arg4, u32 arg5)
@@ -85,8 +128,14 @@ asmlinkage long compat_sys_keyctl(u32 option,
        case KEYCTL_SESSION_TO_PARENT:
                return keyctl_session_to_parent();
+        case KEYCTL_REJECT:
+                return keyctl_reject_key(arg2, arg3, arg4, arg5);
+        case KEYCTL_INSTANTIATE_IOV:
+                return compat_keyctl_instantiate_key_iov(
+                        arg2, compat_ptr(arg3), arg4, arg5);
        default:
                return -EOPNOTSUPP;
        }
+}
-} /* end compat_sys_keyctl() */
diff --git a/security/keys/encrypted_defined.c b/security/keys/encrypted.c
index 32d27c858388..69907a58a683 100644
--- a/security/keys/encrypted_defined.c
+++ b/security/keys/encrypted.c
@@ -30,7 +30,7 @@
 #include <crypto/sha.h>
 #include <crypto/aes.h>
-#include "encrypted_defined.h"
+#include "encrypted.h"
 static const char KEY_TRUSTED_PREFIX[] = "trusted:";
 static const char KEY_USER_PREFIX[] = "user:";
@@ -765,8 +765,7 @@ static long encrypted_read(const struct key *key, char __user *buffer,
        size_t asciiblob_len;
        int ret;
-        epayload = rcu_dereference_protected(key->payload.data,
+        epayload = rcu_dereference_key(key);
-                                  rwsem_is_locked(&((struct key *)key)->sem));
        /* returns the hex encoded iv, encrypted-data, and hmac as ascii */
        asciiblob_len = epayload->datablob_len + ivsize + 1
diff --git a/security/keys/encrypted_defined.h b/security/keys/encrypted.h
index cef5e2f2b7d1..cef5e2f2b7d1 100644
--- a/security/keys/encrypted_defined.h
+++ b/security/keys/encrypted.h
diff --git a/security/keys/gc.c b/security/keys/gc.c
index a46e825cbf02..89df6b5f203c 100644
--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -32,8 +32,8 @@ static time_t key_gc_next_run = LONG_MAX;
 static time_t key_gc_new_timer;
 /*
- * Schedule a garbage collection run
+ * Schedule a garbage collection run.
- * - precision isn't particularly important
+ * - time precision isn't particularly important
 */
 void key_schedule_gc(time_t gc_at)
 {
@@ -61,8 +61,9 @@ static void key_gc_timer_func(unsigned long data)
 }
 /*
- * Garbage collect pointers from a keyring
+ * Garbage collect pointers from a keyring.
- * - return true if we altered the keyring
+ *
+ * Return true if we altered the keyring.
 */
 static bool key_gc_keyring(struct key *keyring, time_t limit)
        __releases(key_serial_lock)
@@ -107,9 +108,8 @@ do_gc:
 }
 /*
- * Garbage collector for keys
+ * Garbage collector for keys.  This involves scanning the keyrings for dead,
- * - this involves scanning the keyrings for dead, expired and revoked keys
+ * expired and revoked keys that have overstayed their welcome
- *   that have overstayed their welcome
 */
 static void key_garbage_collector(struct work_struct *work)
 {
diff --git a/security/keys/internal.h b/security/keys/internal.h
index 56a133d8f37d..07a025f81902 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -1,4 +1,4 @@
-/* internal.h: authentication token and access key management internal defs
+/* Authentication token and access key management internal defs
 *
 * Copyright (C) 2003-5, 2007 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
@@ -35,10 +35,12 @@ extern struct key_type key_type_user;
 /*****************************************************************************/
 /*
- * keep track of keys for a user
+ * Keep track of keys for a user.
- * - this needs to be separate to user_struct to avoid a refcount-loop
+ *
- *   (user_struct pins some keyrings which pin this struct)
+ * This needs to be separate to user_struct to avoid a refcount-loop
- * - this also keeps track of keys under request from userspace for this UID
+ * (user_struct pins some keyrings which pin this struct).
+ *
+ * We also keep track of keys under request from userspace for this UID here.
 */
 struct key_user {
        struct rb_node          node;
@@ -62,7 +64,7 @@ extern struct key_user *key_user_lookup(uid_t uid,
 extern void key_user_put(struct key_user *user);
 /*
- * key quota limits
+ * Key quota limits.
 * - root has its own separate limits to everyone else
 */
 extern unsigned key_quota_root_maxkeys;
@@ -85,13 +87,13 @@ extern void key_type_put(struct key_type *ktype);
 extern int __key_link_begin(struct key *keyring,
                            const struct key_type *type,
                            const char *description,
-                            struct keyring_list **_prealloc);
+                            unsigned long *_prealloc);
 extern int __key_link_check_live_key(struct key *keyring, struct key *key);
 extern void __key_link(struct key *keyring, struct key *key,
-                       struct keyring_list **_prealloc);
+                       unsigned long *_prealloc);
 extern void __key_link_end(struct key *keyring,
                           struct key_type *type,
-                           struct keyring_list *prealloc);
+                           unsigned long prealloc);
 extern key_ref_t __keyring_search_one(key_ref_t keyring_ref,
                                      const struct key_type *type,
@@ -146,13 +148,13 @@ extern unsigned key_gc_delay;
 extern void keyring_gc(struct key *keyring, time_t limit);
 extern void key_schedule_gc(time_t expiry_at);
-/*
- * check to see whether permission is granted to use a key in the desired way
- */
 extern int key_task_permission(const key_ref_t key_ref,
                               const struct cred *cred,
                               key_perm_t perm);
+/*
+ * Check to see whether permission is granted to use a key in the desired way.
+ */
 static inline int key_permission(const key_ref_t key_ref, key_perm_t perm)
 {
        return key_task_permission(key_ref, current_cred(), perm);
@@ -168,7 +170,7 @@ static inline int key_permission(const key_ref_t key_ref, key_perm_t perm)
 #define KEY_ALL         0x3f    /* all the above permissions */
 /*
- * request_key authorisation
+ * Authorisation record for request_key().
 */
 struct request_key_auth {
        struct key              *target_key;
@@ -188,7 +190,7 @@ extern struct key *request_key_auth_new(struct key *target,
 extern struct key *key_get_instantiation_authkey(key_serial_t target_id);
 /*
- * keyctl functions
+ * keyctl() functions
 */
 extern long keyctl_get_keyring_ID(key_serial_t, int);
 extern long keyctl_join_session_keyring(const char __user *);
@@ -212,9 +214,17 @@ extern long keyctl_assume_authority(key_serial_t);
 extern long keyctl_get_security(key_serial_t keyid, char __user *buffer,
                                size_t buflen);
 extern long keyctl_session_to_parent(void);
+extern long keyctl_reject_key(key_serial_t, unsigned, unsigned, key_serial_t);
+extern long keyctl_instantiate_key_iov(key_serial_t,
+                                       const struct iovec __user *,
+                                       unsigned, key_serial_t);
+extern long keyctl_instantiate_key_common(key_serial_t,
+                                          const struct iovec __user *,
+                                          unsigned, size_t, key_serial_t);
 /*
- * debugging key validation
+ * Debugging key validation
 */
 #ifdef KEY_DEBUGGING
 extern void __key_check(const struct key *);
diff --git a/security/keys/key.c b/security/keys/key.c
index c1eac8084ade..f7f9d93f08d9 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -39,10 +39,10 @@ static DECLARE_RWSEM(key_types_sem);
 static void key_cleanup(struct work_struct *work);
 static DECLARE_WORK(key_cleanup_task, key_cleanup);
-/* we serialise key instantiation and link */
+/* We serialise key instantiation and link */
 DEFINE_MUTEX(key_construction_mutex);
-/* any key who's type gets unegistered will be re-typed to this */
+/* Any key who's type gets unegistered will be re-typed to this */
 static struct key_type key_type_dead = {
        .name           = "dead",
 };
@@ -56,10 +56,9 @@ void __key_check(const struct key *key)
 }
 #endif
-/*****************************************************************************/
 /*
- * get the key quota record for a user, allocating a new record if one doesn't
+ * Get the key quota record for a user, allocating a new record if one doesn't
- * already exist
+ * already exist.
 */
 struct key_user *key_user_lookup(uid_t uid, struct user_namespace *user_ns)
 {
@@ -67,7 +66,7 @@ struct key_user *key_user_lookup(uid_t uid, struct user_namespace *user_ns)
        struct rb_node *parent = NULL;
        struct rb_node **p;
- try_again:
+try_again:
        p = &key_user_tree.rb_node;
        spin_lock(&key_user_lock);
@@ -124,18 +123,16 @@ struct key_user *key_user_lookup(uid_t uid, struct user_namespace *user_ns)
        goto out;
        /* okay - we found a user record for this UID */
- found:
+found:
        atomic_inc(&user->usage);
        spin_unlock(&key_user_lock);
        kfree(candidate);
- out:
+out:
        return user;
+}
-} /* end key_user_lookup() */
-/*****************************************************************************/
 /*
- * dispose of a user structure
+ * Dispose of a user structure
 */
 void key_user_put(struct key_user *user)
 {
@@ -146,14 +143,11 @@ void key_user_put(struct key_user *user)
                kfree(user);
        }
+}
-} /* end key_user_put() */
-/*****************************************************************************/
 /*
- * assign a key the next unique serial number
+ * Allocate a serial number for a key.  These are assigned randomly to avoid
- * - these are assigned randomly to avoid security issues through covert
+ * security issues through covert channel problems.
- *   channel problems
 */
 static inline void key_alloc_serial(struct key *key)
 {
@@ -211,18 +205,36 @@ serial_exists:
                if (key->serial < xkey->serial)
                        goto attempt_insertion;
        }
+}
-} /* end key_alloc_serial() */
+/**
+ * key_alloc - Allocate a key of the specified type.
-/*****************************************************************************/
+ * @type: The type of key to allocate.
-/*
+ * @desc: The key description to allow the key to be searched out.
- * allocate a key of the specified type
+ * @uid: The owner of the new key.
- * - update the user's quota to reflect the existence of the key
+ * @gid: The group ID for the new key's group permissions.
- * - called from a key-type operation with key_types_sem read-locked by
+ * @cred: The credentials specifying UID namespace.
- *   key_create_or_update()
+ * @perm: The permissions mask of the new key.
- *   - this prevents unregistration of the key type
+ * @flags: Flags specifying quota properties.
- * - upon return the key is as yet uninstantiated; the caller needs to either
+ *
- *   instantiate the key or discard it before returning
+ * Allocate a key of the specified type with the attributes given.  The key is
+ * returned in an uninstantiated state and the caller needs to instantiate the
+ * key before returning.
+ *
+ * The user's key count quota is updated to reflect the creation of the key and
+ * the user's key data quota has the default for the key type reserved.  The
+ * instantiation function should amend this as necessary.  If insufficient
+ * quota is available, -EDQUOT will be returned.
+ *
+ * The LSM security modules can prevent a key being created, in which case
+ * -EACCES will be returned.
+ *
+ * Returns a pointer to the new key if successful and an error code otherwise.
+ *
+ * Note that the caller needs to ensure the key type isn't uninstantiated.
+ * Internally this can be done by locking key_types_sem.  Externally, this can
+ * be done by either never unregistering the key type, or making sure
+ * key_alloc() calls don't race with module unloading.
 */
 struct key *key_alloc(struct key_type *type, const char *desc,
                      uid_t uid, gid_t gid, const struct cred *cred,
@@ -237,6 +249,14 @@ struct key *key_alloc(struct key_type *type, const char *desc,
        if (!desc || !*desc)
                goto error;
+        if (type->vet_description) {
+                ret = type->vet_description(desc);
+                if (ret < 0) {
+                        key = ERR_PTR(ret);
+                        goto error;
+                }
+        }
        desclen = strlen(desc) + 1;
        quotalen = desclen + type->def_datalen;
@@ -344,14 +364,19 @@ no_quota:
        key_user_put(user);
        key = ERR_PTR(-EDQUOT);
        goto error;
+}
-} /* end key_alloc() */
 EXPORT_SYMBOL(key_alloc);
-/*****************************************************************************/
+/**
-/*
+ * key_payload_reserve - Adjust data quota reservation for the key's payload
- * reserve an amount of quota for the key's payload
+ * @key: The key to make the reservation for.
+ * @datalen: The amount of data payload the caller now wants.
+ *
+ * Adjust the amount of the owning user's key data quota that a key reserves.
+ * If the amount is increased, then -EDQUOT may be returned if there isn't
+ * enough free quota available.
+ *
+ * If successful, 0 is returned.
 */
 int key_payload_reserve(struct key *key, size_t datalen)
 {
@@ -384,22 +409,21 @@ int key_payload_reserve(struct key *key, size_t datalen)
                key->datalen = datalen;
        return ret;
+}
-} /* end key_payload_reserve() */
 EXPORT_SYMBOL(key_payload_reserve);
-/*****************************************************************************/
 /*
- * instantiate a key and link it into the target keyring atomically
+ * Instantiate a key and link it into the target keyring atomically.  Must be
- * - called with the target keyring's semaphore writelocked
+ * called with the target keyring's semaphore writelocked.  The target key's
+ * semaphore need not be locked as instantiation is serialised by
+ * key_construction_mutex.
 */
 static int __key_instantiate_and_link(struct key *key,
                                      const void *data,
                                      size_t datalen,
                                      struct key *keyring,
                                      struct key *authkey,
-                                      struct keyring_list **_prealloc)
+                                      unsigned long *_prealloc)
 {
        int ret, awaken;
@@ -441,12 +465,23 @@ static int __key_instantiate_and_link(struct key *key,
                wake_up_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT);
        return ret;
+}
-} /* end __key_instantiate_and_link() */
+/**
+ * key_instantiate_and_link - Instantiate a key and link it into the keyring.
-/*****************************************************************************/
+ * @key: The key to instantiate.
-/*
+ * @data: The data to use to instantiate the keyring.
- * instantiate a key and link it into the target keyring atomically
+ * @datalen: The length of @data.
+ * @keyring: Keyring to create a link in on success (or NULL).
+ * @authkey: The authorisation token permitting instantiation.
+ *
+ * Instantiate a key that's in the uninstantiated state using the provided data
+ * and, if successful, link it in to the destination keyring if one is
+ * supplied.
+ *
+ * If successful, 0 is returned, the authorisation token is revoked and anyone
+ * waiting for the key is woken up.  If the key was already instantiated,
+ * -EBUSY will be returned.
 */
 int key_instantiate_and_link(struct key *key,
                             const void *data,
@@ -454,7 +489,7 @@ int key_instantiate_and_link(struct key *key,
                             struct key *keyring,
                             struct key *authkey)
 {
-        struct keyring_list *prealloc;
+        unsigned long prealloc;
        int ret;
        if (keyring) {
@@ -471,21 +506,38 @@ int key_instantiate_and_link(struct key *key,
                __key_link_end(keyring, key->type, prealloc);
        return ret;
+}
-} /* end key_instantiate_and_link() */
 EXPORT_SYMBOL(key_instantiate_and_link);
-/*****************************************************************************/
+/**
-/*
+ * key_reject_and_link - Negatively instantiate a key and link it into the keyring.
- * negatively instantiate a key and link it into the target keyring atomically
+ * @key: The key to instantiate.
+ * @timeout: The timeout on the negative key.
+ * @error: The error to return when the key is hit.
+ * @keyring: Keyring to create a link in on success (or NULL).
+ * @authkey: The authorisation token permitting instantiation.
+ *
+ * Negatively instantiate a key that's in the uninstantiated state and, if
+ * successful, set its timeout and stored error and link it in to the
+ * destination keyring if one is supplied.  The key and any links to the key
+ * will be automatically garbage collected after the timeout expires.
+ *
+ * Negative keys are used to rate limit repeated request_key() calls by causing
+ * them to return the stored error code (typically ENOKEY) until the negative
+ * key expires.
+ *
+ * If successful, 0 is returned, the authorisation token is revoked and anyone
+ * waiting for the key is woken up.  If the key was already instantiated,
+ * -EBUSY will be returned.
 */
-int key_negate_and_link(struct key *key,
+int key_reject_and_link(struct key *key,
                        unsigned timeout,
+                        unsigned error,
                        struct key *keyring,
                        struct key *authkey)
 {
-        struct keyring_list *prealloc;
+        unsigned long prealloc;
        struct timespec now;
        int ret, awaken, link_ret = 0;
@@ -507,6 +559,7 @@ int key_negate_and_link(struct key *key,
                atomic_inc(&key->user->nikeys);
                set_bit(KEY_FLAG_NEGATIVE, &key->flags);
                set_bit(KEY_FLAG_INSTANTIATED, &key->flags);
+                key->type_data.reject_error = -error;
                now = current_kernel_time();
                key->expiry = now.tv_sec + timeout;
                key_schedule_gc(key->expiry + key_gc_delay);
@@ -535,22 +588,22 @@ int key_negate_and_link(struct key *key,
                wake_up_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT);
        return ret == 0 ? link_ret : ret;
+}
+EXPORT_SYMBOL(key_reject_and_link);
-} /* end key_negate_and_link() */
-EXPORT_SYMBOL(key_negate_and_link);
-/*****************************************************************************/
 /*
- * do cleaning up in process context so that we don't have to disable
+ * Garbage collect keys in process context so that we don't have to disable
- * interrupts all over the place
+ * interrupts all over the place.
+ *
+ * key_put() schedules this rather than trying to do the cleanup itself, which
+ * means key_put() doesn't have to sleep.
 */
 static void key_cleanup(struct work_struct *work)
 {
        struct rb_node *_n;
        struct key *key;
- go_again:
+go_again:
        /* look for a dead key in the tree */
        spin_lock(&key_serial_lock);
@@ -564,7 +617,7 @@ static void key_cleanup(struct work_struct *work)
        spin_unlock(&key_serial_lock);
        return;
- found_dead_key:
+found_dead_key:
        /* we found a dead key - once we've removed it from the tree, we can
         * drop the lock */
        rb_erase(&key->serial_node, &key_serial_tree);
@@ -601,14 +654,15 @@ static void key_cleanup(struct work_struct *work)
        /* there may, of course, be more than one key to destroy */
        goto go_again;
+}
-} /* end key_cleanup() */
+/**
+ * key_put - Discard a reference to a key.
-/*****************************************************************************/
+ * @key: The key to discard a reference from.
-/*
+ *
- * dispose of a reference to a key
+ * Discard a reference to a key, and when all the references are gone, we
- * - when all the references are gone, we schedule the cleanup task to come and
+ * schedule the cleanup task to come and pull it out of the tree in process
- *   pull it out of the tree in definite process context
+ * context at some later time.
 */
 void key_put(struct key *key)
 {
@@ -618,14 +672,11 @@ void key_put(struct key *key)
                if (atomic_dec_and_test(&key->usage))
                        schedule_work(&key_cleanup_task);
        }
+}
-} /* end key_put() */
 EXPORT_SYMBOL(key_put);
-/*****************************************************************************/
 /*
- * find a key by its serial number
+ * Find a key by its serial number.
 */
 struct key *key_lookup(key_serial_t id)
 {
@@ -647,11 +698,11 @@ struct key *key_lookup(key_serial_t id)
                        goto found;
        }
- not_found:
+not_found:
        key = ERR_PTR(-ENOKEY);
        goto error;
- found:
+found:
        /* pretend it doesn't exist if it is awaiting deletion */
        if (atomic_read(&key->usage) == 0)
                goto not_found;
@@ -661,16 +712,16 @@ struct key *key_lookup(key_serial_t id)
         */
        atomic_inc(&key->usage);
- error:
+error:
        spin_unlock(&key_serial_lock);
        return key;
+}
-} /* end key_lookup() */
-/*****************************************************************************/
 /*
- * find and lock the specified key type against removal
+ * Find and lock the specified key type against removal.
- * - we return with the sem readlocked
+ *
+ * We return with the sem read-locked if successful.  If the type wasn't
+ * available -ENOKEY is returned instead.
 */
 struct key_type *key_type_lookup(const char *type)
 {
@@ -688,26 +739,23 @@ struct key_type *key_type_lookup(const char *type)
        up_read(&key_types_sem);
        ktype = ERR_PTR(-ENOKEY);
- found_kernel_type:
+found_kernel_type:
        return ktype;
+}
-} /* end key_type_lookup() */
-/*****************************************************************************/
 /*
- * unlock a key type
+ * Unlock a key type locked by key_type_lookup().
 */
 void key_type_put(struct key_type *ktype)
 {
        up_read(&key_types_sem);
+}
-} /* end key_type_put() */
-/*****************************************************************************/
 /*
- * attempt to update an existing key
+ * Attempt to update an existing key.
- * - the key has an incremented refcount
+ *
- * - we need to put the key if we get an error
+ * The key is given to us with an incremented refcount that we need to discard
+ * if we get an error.
 */
 static inline key_ref_t __key_update(key_ref_t key_ref,
                                     const void *payload, size_t plen)
@@ -742,13 +790,32 @@ error:
        key_put(key);
        key_ref = ERR_PTR(ret);
        goto out;
+}
-} /* end __key_update() */
+/**
+ * key_create_or_update - Update or create and instantiate a key.
-/*****************************************************************************/
+ * @keyring_ref: A pointer to the destination keyring with possession flag.
-/*
+ * @type: The type of key.
- * search the specified keyring for a key of the same description; if one is
+ * @description: The searchable description for the key.
- * found, update it, otherwise add a new one
+ * @payload: The data to use to instantiate or update the key.
+ * @plen: The length of @payload.
+ * @perm: The permissions mask for a new key.
+ * @flags: The quota flags for a new key.
+ *
+ * Search the destination keyring for a key of the same description and if one
+ * is found, update it, otherwise create and instantiate a new one and create a
+ * link to it from that keyring.
+ *
+ * If perm is KEY_PERM_UNDEF then an appropriate key permissions mask will be
+ * concocted.
+ *
+ * Returns a pointer to the new key if successful, -ENODEV if the key type
+ * wasn't available, -ENOTDIR if the keyring wasn't a keyring, -EACCES if the
+ * caller isn't permitted to modify the keyring or the LSM did not permit
+ * creation of the key.
+ *
+ * On success, the possession flag from the keyring ref will be tacked on to
+ * the key ref before it is returned.
 */
 key_ref_t key_create_or_update(key_ref_t keyring_ref,
                               const char *type,
@@ -758,7 +825,7 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
                               key_perm_t perm,
                               unsigned long flags)
 {
-        struct keyring_list *prealloc;
+        unsigned long prealloc;
        const struct cred *cred = current_cred();
        struct key_type *ktype;
        struct key *keyring, *key = NULL;
@@ -855,14 +922,21 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
        key_ref = __key_update(key_ref, payload, plen);
        goto error;
+}
-} /* end key_create_or_update() */
 EXPORT_SYMBOL(key_create_or_update);
-/*****************************************************************************/
+/**
-/*
+ * key_update - Update a key's contents.
- * update a key
+ * @key_ref: The pointer (plus possession flag) to the key.
+ * @payload: The data to be used to update the key.
+ * @plen: The length of @payload.
+ *
+ * Attempt to update the contents of a key with the given payload data.  The
+ * caller must be granted Write permission on the key.  Negative keys can be
+ * instantiated by this method.
+ *
+ * Returns 0 on success, -EACCES if not permitted and -EOPNOTSUPP if the key
+ * type does not support updating.  The key type may return other errors.
 */
 int key_update(key_ref_t key_ref, const void *payload, size_t plen)
 {
@@ -891,14 +965,17 @@ int key_update(key_ref_t key_ref, const void *payload, size_t plen)
 error:
        return ret;
+}
-} /* end key_update() */
 EXPORT_SYMBOL(key_update);
-/*****************************************************************************/
+/**
-/*
+ * key_revoke - Revoke a key.
- * revoke a key
+ * @key: The key to be revoked.
+ *
+ * Mark a key as being revoked and ask the type to free up its resources.  The
+ * revocation timeout is set and the key and all its links will be
+ * automatically garbage collected after key_gc_delay amount of time if they
+ * are not manually dealt with first.
 */
 void key_revoke(struct key *key)
 {
@@ -926,14 +1003,16 @@ void key_revoke(struct key *key)
        }
        up_write(&key->sem);
+}
-} /* end key_revoke() */
 EXPORT_SYMBOL(key_revoke);
-/*****************************************************************************/
+/**
-/*
+ * register_key_type - Register a type of key.
- * register a type of key
+ * @ktype: The new key type.
+ *
+ * Register a new key type.
+ *
+ * Returns 0 on success or -EEXIST if a type of this name already exists.
 */
 int register_key_type(struct key_type *ktype)
 {
@@ -953,17 +1032,19 @@ int register_key_type(struct key_type *ktype)
        list_add(&ktype->link, &key_types_list);
        ret = 0;
- out:
+out:
        up_write(&key_types_sem);
        return ret;
+}
-} /* end register_key_type() */
 EXPORT_SYMBOL(register_key_type);
-/*****************************************************************************/
+/**
-/*
+ * unregister_key_type - Unregister a type of key.
- * unregister a type of key
+ * @ktype: The key type.
+ *
+ * Unregister a key type and mark all the extant keys of this type as dead.
+ * Those keys of this type are then destroyed to get rid of their payloads and
+ * they and their links will be garbage collected as soon as possible.
 */
 void unregister_key_type(struct key_type *ktype)
 {
@@ -1010,14 +1091,11 @@ void unregister_key_type(struct key_type *ktype)
        up_write(&key_types_sem);
        key_schedule_gc(0);
+}
-} /* end unregister_key_type() */
 EXPORT_SYMBOL(unregister_key_type);
-/*****************************************************************************/
 /*
- * initialise the key management stuff
+ * Initialise the key management state.
 */
 void __init key_init(void)
 {
@@ -1037,5 +1115,4 @@ void __init key_init(void)
        rb_insert_color(&root_key_user.node,
                        &key_user_tree);
+}
-} /* end key_init() */
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 60924f6a52db..427fddcaeb19 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1,4 +1,4 @@
-/* keyctl.c: userspace keyctl operations
+/* Userspace key control operations
 *
 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
@@ -31,28 +31,24 @@ static int key_get_type_from_user(char *type,
        int ret;
        ret = strncpy_from_user(type, _type, len);
        if (ret < 0)
                return ret;
        if (ret == 0 || ret >= len)
                return -EINVAL;
        if (type[0] == '.')
                return -EPERM;
        type[len - 1] = '\0';
        return 0;
 }
-/*****************************************************************************/
 /*
- * extract the description of a new key from userspace and either add it as a
+ * Extract the description of a new key from userspace and either add it as a
- * new key to the specified keyring or update a matching key in that keyring
+ * new key to the specified keyring or update a matching key in that keyring.
- * - the keyring must be writable
+ *
- * - returns the new key's serial number
+ * The keyring must be writable so that we can attach the key to it.
- * - implements add_key()
+ *
+ * If successful, the new key's serial number is returned, otherwise an error
+ * code is returned.
 */
 SYSCALL_DEFINE5(add_key, const char __user *, _type,
                const char __user *, _description,
@@ -132,19 +128,20 @@ SYSCALL_DEFINE5(add_key, const char __user *, _type,
        kfree(description);
 error:
        return ret;
+}
-} /* end sys_add_key() */
-/*****************************************************************************/
 /*
- * search the process keyrings for a matching key
+ * Search the process keyrings and keyring trees linked from those for a
- * - nested keyrings may also be searched if they have Search permission
+ * matching key.  Keyrings must have appropriate Search permission to be
- * - if a key is found, it will be attached to the destination keyring if
+ * searched.
- *   there's one specified
+ *
- * - /sbin/request-key will be invoked if _callout_info is non-NULL
+ * If a key is found, it will be attached to the destination keyring if there's
- *   - the _callout_info string will be passed to /sbin/request-key
+ * one specified and the serial number of the key will be returned.
- *   - if the _callout_info string is empty, it will be rendered as "-"
+ *
- * - implements request_key()
+ * If no key is found, /sbin/request-key will be invoked if _callout_info is
+ * non-NULL in an attempt to create a key.  The _callout_info string will be
+ * passed to /sbin/request-key to aid with completing the request.  If the
+ * _callout_info string is "" then it will be changed to "-".
 */
 SYSCALL_DEFINE4(request_key, const char __user *, _type,
                const char __user *, _description,
@@ -222,14 +219,14 @@ error2:
        kfree(description);
 error:
        return ret;
+}
-} /* end sys_request_key() */
-/*****************************************************************************/
 /*
- * get the ID of the specified process keyring
+ * Get the ID of the specified process keyring.
- * - the keyring must have search permission to be found
+ *
- * - implements keyctl(KEYCTL_GET_KEYRING_ID)
+ * The requested keyring must have search permission to be found.
+ *
+ * If successful, the ID of the requested keyring will be returned.
 */
 long keyctl_get_keyring_ID(key_serial_t id, int create)
 {
@@ -248,13 +245,17 @@ long keyctl_get_keyring_ID(key_serial_t id, int create)
        key_ref_put(key_ref);
 error:
        return ret;
+}
-} /* end keyctl_get_keyring_ID() */
-/*****************************************************************************/
 /*
- * join the session keyring
+ * Join a (named) session keyring.
- * - implements keyctl(KEYCTL_JOIN_SESSION_KEYRING)
+ *
+ * Create and join an anonymous session keyring or join a named session
+ * keyring, creating it if necessary.  A named session keyring must have Search
+ * permission for it to be joined.  Session keyrings without this permit will
+ * be skipped over.
+ *
+ * If successful, the ID of the joined session keyring will be returned.
 */
 long keyctl_join_session_keyring(const char __user *_name)
 {
@@ -277,14 +278,17 @@ long keyctl_join_session_keyring(const char __user *_name)
 error:
        return ret;
+}
-} /* end keyctl_join_session_keyring() */
-/*****************************************************************************/
 /*
- * update a key's data payload
+ * Update a key's data payload from the given data.
- * - the key must be writable
+ *
- * - implements keyctl(KEYCTL_UPDATE)
+ * The key must grant the caller Write permission and the key type must support
+ * updating for this to work.  A negative key can be positively instantiated
+ * with this call.
+ *
+ * If successful, 0 will be returned.  If the key type does not support
+ * updating, then -EOPNOTSUPP will be returned.
 */
 long keyctl_update_key(key_serial_t id,
                       const void __user *_payload,
@@ -326,14 +330,17 @@ error2:
        kfree(payload);
 error:
        return ret;
+}
-} /* end keyctl_update_key() */
-/*****************************************************************************/
 /*
- * revoke a key
+ * Revoke a key.
- * - the key must be writable
+ *
- * - implements keyctl(KEYCTL_REVOKE)
+ * The key must be grant the caller Write or Setattr permission for this to
+ * work.  The key type should give up its quota claim when revoked.  The key
+ * and any links to the key will be automatically garbage collected after a
+ * certain amount of time (/proc/sys/kernel/keys/gc_delay).
+ *
+ * If successful, 0 is returned.
 */
 long keyctl_revoke_key(key_serial_t id)
 {
@@ -358,14 +365,14 @@ long keyctl_revoke_key(key_serial_t id)
        key_ref_put(key_ref);
 error:
        return ret;
+}
-} /* end keyctl_revoke_key() */
-/*****************************************************************************/
 /*
- * clear the specified process keyring
+ * Clear the specified keyring, creating an empty process keyring if one of the
- * - the keyring must be writable
+ * special keyring IDs is used.
- * - implements keyctl(KEYCTL_CLEAR)
+ *
+ * The keyring must grant the caller Write permission for this to work.  If
+ * successful, 0 will be returned.
 */
 long keyctl_keyring_clear(key_serial_t ringid)
 {
@@ -383,15 +390,18 @@ long keyctl_keyring_clear(key_serial_t ringid)
        key_ref_put(keyring_ref);
 error:
        return ret;
+}
-} /* end keyctl_keyring_clear() */
-/*****************************************************************************/
 /*
- * link a key into a keyring
+ * Create a link from a keyring to a key if there's no matching key in the
- * - the keyring must be writable
+ * keyring, otherwise replace the link to the matching key with a link to the
- * - the key must be linkable
+ * new key.
- * - implements keyctl(KEYCTL_LINK)
+ *
+ * The key must grant the caller Link permission and the the keyring must grant
+ * the caller Write permission.  Furthermore, if an additional link is created,
+ * the keyring's quota will be extended.
+ *
+ * If successful, 0 will be returned.
 */
 long keyctl_keyring_link(key_serial_t id, key_serial_t ringid)
 {
@@ -417,15 +427,16 @@ error2:
        key_ref_put(keyring_ref);
 error:
        return ret;
+}
-} /* end keyctl_keyring_link() */
-/*****************************************************************************/
 /*
- * unlink the first attachment of a key from a keyring
+ * Unlink a key from a keyring.
- * - the keyring must be writable
+ *
- * - we don't need any permissions on the key
+ * The keyring must grant the caller Write permission for this to work; the key
- * - implements keyctl(KEYCTL_UNLINK)
+ * itself need not grant the caller anything.  If the last link to a key is
+ * removed then that key will be scheduled for destruction.
+ *
+ * If successful, 0 will be returned.
 */
 long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid)
 {
@@ -451,19 +462,20 @@ error2:
        key_ref_put(keyring_ref);
 error:
        return ret;
+}
-} /* end keyctl_keyring_unlink() */
-/*****************************************************************************/
 /*
- * describe a user key
+ * Return a description of a key to userspace.
- * - the key must have view permission
+ *
- * - if there's a buffer, we place up to buflen bytes of data into it
+ * The key must grant the caller View permission for this to work.
- * - unless there's an error, we return the amount of description available,
+ *
- *   irrespective of how much we may have copied
+ * If there's a buffer, we place up to buflen bytes of data into it formatted
- * - the description is formatted thus:
+ * in the following way:
+ *
 *      type;uid;gid;perm;description<NUL>
- * - implements keyctl(KEYCTL_DESCRIBE)
+ *
+ * If successful, we return the amount of description available, irrespective
+ * of how much we may have copied into the buffer.
 */
 long keyctl_describe_key(key_serial_t keyid,
                         char __user *buffer,
@@ -531,18 +543,17 @@ error2:
        key_ref_put(key_ref);
 error:
        return ret;
+}
-} /* end keyctl_describe_key() */
-/*****************************************************************************/
 /*
- * search the specified keyring for a matching key
+ * Search the specified keyring and any keyrings it links to for a matching
- * - the start keyring must be searchable
+ * key.  Only keyrings that grant the caller Search permission will be searched
- * - nested keyrings may also be searched if they are searchable
+ * (this includes the starting keyring).  Only keys with Search permission can
- * - only keys with search permission may be found
+ * be found.
- * - if a key is found, it will be attached to the destination keyring if
+ *
- *   there's one specified
+ * If successful, the found key will be linked to the destination keyring if
- * - implements keyctl(KEYCTL_SEARCH)
+ * supplied and the key has Link permission, and the found key ID will be
+ * returned.
 */
 long keyctl_keyring_search(key_serial_t ringid,
                           const char __user *_type,
@@ -626,18 +637,17 @@ error2:
        kfree(description);
 error:
        return ret;
+}
-} /* end keyctl_keyring_search() */
-/*****************************************************************************/
 /*
- * read a user key's payload
+ * Read a key's payload.
- * - the keyring must be readable or the key must be searchable from the
+ *
- *   process's keyrings
+ * The key must either grant the caller Read permission, or it must grant the
- * - if there's a buffer, we place up to buflen bytes of data into it
+ * caller Search permission when searched for from the process keyrings.
- * - unless there's an error, we return the amount of data in the key,
+ *
- *   irrespective of how much we may have copied
+ * If successful, we place up to buflen bytes of data into the buffer, if one
- * - implements keyctl(KEYCTL_READ)
+ * is provided, and return the amount of data that is available in the key,
+ * irrespective of how much we copied into the buffer.
 */
 long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
 {
@@ -688,15 +698,22 @@ error2:
        key_put(key);
 error:
        return ret;
+}
-} /* end keyctl_read_key() */
-/*****************************************************************************/
 /*
- * change the ownership of a key
+ * Change the ownership of a key
- * - the keyring owned by the changer
+ *
- * - if the uid or gid is -1, then that parameter is not changed
+ * The key must grant the caller Setattr permission for this to work, though
- * - implements keyctl(KEYCTL_CHOWN)
+ * the key need not be fully instantiated yet.  For the UID to be changed, or
+ * for the GID to be changed to a group the caller is not a member of, the
+ * caller must have sysadmin capability.  If either uid or gid is -1 then that
+ * attribute is not changed.
+ *
+ * If the UID is to be changed, the new user must have sufficient quota to
+ * accept the key.  The quota deduction will be removed from the old user to
+ * the new user should the attribute be changed.
+ *
+ * If successful, 0 will be returned.
 */
 long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid)
 {
@@ -796,14 +813,14 @@ quota_overrun:
        zapowner = newowner;
        ret = -EDQUOT;
        goto error_put;
+}
-} /* end keyctl_chown_key() */
-/*****************************************************************************/
 /*
- * change the permission mask on a key
+ * Change the permission mask on a key.
- * - the keyring owned by the changer
+ *
- * - implements keyctl(KEYCTL_SETPERM)
+ * The key must grant the caller Setattr permission for this to work, though
+ * the key need not be fully instantiated yet.  If the caller does not have
+ * sysadmin capability, it may only change the permission on keys that it owns.
 */
 long keyctl_setperm_key(key_serial_t id, key_perm_t perm)
 {
@@ -838,11 +855,11 @@ long keyctl_setperm_key(key_serial_t id, key_perm_t perm)
        key_put(key);
 error:
        return ret;
+}
-} /* end keyctl_setperm_key() */
 /*
- * get the destination keyring for instantiation
+ * Get the destination keyring for instantiation and check that the caller has
+ * Write permission on it.
 */
 static long get_instantiation_keyring(key_serial_t ringid,
                                      struct request_key_auth *rka,
@@ -879,7 +896,7 @@ static long get_instantiation_keyring(key_serial_t ringid,
 }
 /*
- * change the request_key authorisation key on the current process
+ * Change the request_key authorisation key on the current process.
 */
 static int keyctl_change_reqkey_auth(struct key *key)
 {
@@ -895,15 +912,35 @@ static int keyctl_change_reqkey_auth(struct key *key)
        return commit_creds(new);
 }
-/*****************************************************************************/
 /*
- * instantiate the key with the specified payload, and, if one is given, link
+ * Copy the iovec data from userspace
- * the key into the keyring
 */
-long keyctl_instantiate_key(key_serial_t id,
+static long copy_from_user_iovec(void *buffer, const struct iovec *iov,
-                            const void __user *_payload,
+                                 unsigned ioc)
-                            size_t plen,
+{
-                            key_serial_t ringid)
+        for (; ioc > 0; ioc--) {
+                if (copy_from_user(buffer, iov->iov_base, iov->iov_len) != 0)
+                        return -EFAULT;
+                buffer += iov->iov_len;
+                iov++;
+        }
+        return 0;
+}
+/*
+ * Instantiate a key with the specified payload and link the key into the
+ * destination keyring if one is given.
+ *
+ * The caller must have the appropriate instantiation permit set for this to
+ * work (see keyctl_assume_authority).  No other permissions are required.
+ *
+ * If successful, 0 will be returned.
+ */
+long keyctl_instantiate_key_common(key_serial_t id,
+                                   const struct iovec *payload_iov,
+                                   unsigned ioc,
+                                   size_t plen,
+                                   key_serial_t ringid)
 {
        const struct cred *cred = current_cred();
        struct request_key_auth *rka;
@@ -932,7 +969,7 @@ long keyctl_instantiate_key(key_serial_t id,
        /* pull the payload in if one was supplied */
        payload = NULL;
-        if (_payload) {
+        if (payload_iov) {
                ret = -ENOMEM;
                payload = kmalloc(plen, GFP_KERNEL);
                if (!payload) {
@@ -944,8 +981,8 @@ long keyctl_instantiate_key(key_serial_t id,
                                goto error;
                }
-                ret = -EFAULT;
+                ret = copy_from_user_iovec(payload, payload_iov, ioc);
-                if (copy_from_user(payload, _payload, plen) != 0)
+                if (ret < 0)
                        goto error2;
        }
@@ -973,22 +1010,127 @@ error2:
                vfree(payload);
 error:
        return ret;
+}
+/*
+ * Instantiate a key with the specified payload and link the key into the
+ * destination keyring if one is given.
+ *
+ * The caller must have the appropriate instantiation permit set for this to
+ * work (see keyctl_assume_authority).  No other permissions are required.
+ *
+ * If successful, 0 will be returned.
+ */
+long keyctl_instantiate_key(key_serial_t id,
+                            const void __user *_payload,
+                            size_t plen,
+                            key_serial_t ringid)
+{
+        if (_payload && plen) {
+                struct iovec iov[1] = {
+                        [0].iov_base = (void __user *)_payload,
+                        [0].iov_len  = plen
+                };
+                return keyctl_instantiate_key_common(id, iov, 1, plen, ringid);
+        }
+        return keyctl_instantiate_key_common(id, NULL, 0, 0, ringid);
+}
+/*
+ * Instantiate a key with the specified multipart payload and link the key into
+ * the destination keyring if one is given.
+ *
+ * The caller must have the appropriate instantiation permit set for this to
+ * work (see keyctl_assume_authority).  No other permissions are required.
+ *
+ * If successful, 0 will be returned.
+ */
+long keyctl_instantiate_key_iov(key_serial_t id,
+                                const struct iovec __user *_payload_iov,
+                                unsigned ioc,
+                                key_serial_t ringid)
+{
+        struct iovec iovstack[UIO_FASTIOV], *iov = iovstack;
+        long ret;
+        if (_payload_iov == 0 || ioc == 0)
+                goto no_payload;
+        ret = rw_copy_check_uvector(WRITE, _payload_iov, ioc,
+                                    ARRAY_SIZE(iovstack), iovstack, &iov);
+        if (ret < 0)
+                return ret;
+        if (ret == 0)
+                goto no_payload_free;
+        ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid);
+        if (iov != iovstack)
+                kfree(iov);
+        return ret;
-} /* end keyctl_instantiate_key() */
+no_payload_free:
+        if (iov != iovstack)
+                kfree(iov);
+no_payload:
+        return keyctl_instantiate_key_common(id, NULL, 0, 0, ringid);
+}
-/*****************************************************************************/
 /*
- * negatively instantiate the key with the given timeout (in seconds), and, if
+ * Negatively instantiate the key with the given timeout (in seconds) and link
- * one is given, link the key into the keyring
+ * the key into the destination keyring if one is given.
+ *
+ * The caller must have the appropriate instantiation permit set for this to
+ * work (see keyctl_assume_authority).  No other permissions are required.
+ *
+ * The key and any links to the key will be automatically garbage collected
+ * after the timeout expires.
+ *
+ * Negative keys are used to rate limit repeated request_key() calls by causing
+ * them to return -ENOKEY until the negative key expires.
+ *
+ * If successful, 0 will be returned.
 */
 long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid)
 {
+        return keyctl_reject_key(id, timeout, ENOKEY, ringid);
+}
+/*
+ * Negatively instantiate the key with the given timeout (in seconds) and error
+ * code and link the key into the destination keyring if one is given.
+ *
+ * The caller must have the appropriate instantiation permit set for this to
+ * work (see keyctl_assume_authority).  No other permissions are required.
+ *
+ * The key and any links to the key will be automatically garbage collected
+ * after the timeout expires.
+ *
+ * Negative keys are used to rate limit repeated request_key() calls by causing
+ * them to return the specified error code until the negative key expires.
+ *
+ * If successful, 0 will be returned.
+ */
+long keyctl_reject_key(key_serial_t id, unsigned timeout, unsigned error,
+                       key_serial_t ringid)
+{
        const struct cred *cred = current_cred();
        struct request_key_auth *rka;
        struct key *instkey, *dest_keyring;
        long ret;
-        kenter("%d,%u,%d", id, timeout, ringid);
+        kenter("%d,%u,%u,%d", id, timeout, error, ringid);
+        /* must be a valid error code and mustn't be a kernel special */
+        if (error <= 0 ||
+            error >= MAX_ERRNO ||
+            error == ERESTARTSYS ||
+            error == ERESTARTNOINTR ||
+            error == ERESTARTNOHAND ||
+            error == ERESTART_RESTARTBLOCK)
+                return -EINVAL;
        /* the appropriate instantiation authorisation key must have been
         * assumed before calling this */
@@ -1008,7 +1150,7 @@ long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid)
                goto error;
        /* instantiate the key and link it into a keyring */
-        ret = key_negate_and_link(rka->target_key, timeout,
+        ret = key_reject_and_link(rka->target_key, timeout, error,
                                  dest_keyring, instkey);
        key_put(dest_keyring);
@@ -1020,13 +1162,14 @@ long keyctl_negate_key(key_serial_t id, unsigned timeout, key_serial_t ringid)
 error:
        return ret;
+}
-} /* end keyctl_negate_key() */
-/*****************************************************************************/
 /*
- * set the default keyring in which request_key() will cache keys
+ * Read or set the default keyring in which request_key() will cache keys and
- * - return the old setting
+ * return the old setting.
+ *
+ * If a process keyring is specified then this will be created if it doesn't
+ * yet exist.  The old setting will be returned if successful.
 */
 long keyctl_set_reqkey_keyring(int reqkey_defl)
 {
@@ -1079,12 +1222,19 @@ set:
 error:
        abort_creds(new);
        return ret;
+}
-} /* end keyctl_set_reqkey_keyring() */
-/*****************************************************************************/
 /*
- * set or clear the timeout for a key
+ * Set or clear the timeout on a key.
+ *
+ * Either the key must grant the caller Setattr permission or else the caller
+ * must hold an instantiation authorisation token for the key.
+ *
+ * The timeout is either 0 to clear the timeout, or a number of seconds from
+ * the current time.  The key and any links to the key will be automatically
+ * garbage collected after the timeout expires.
+ *
+ * If successful, 0 is returned.
 */
 long keyctl_set_timeout(key_serial_t id, unsigned timeout)
 {
@@ -1136,12 +1286,24 @@ okay:
        ret = 0;
 error:
        return ret;
+}
-} /* end keyctl_set_timeout() */
-/*****************************************************************************/
 /*
- * assume the authority to instantiate the specified key
+ * Assume (or clear) the authority to instantiate the specified key.
+ *
+ * This sets the authoritative token currently in force for key instantiation.
+ * This must be done for a key to be instantiated.  It has the effect of making
+ * available all the keys from the caller of the request_key() that created a
+ * key to request_key() calls made by the caller of this function.
+ *
+ * The caller must have the instantiation key in their process keyrings with a
+ * Search permission grant available to the caller.
+ *
+ * If the ID given is 0, then the setting will be cleared and 0 returned.
+ *
+ * If the ID given has a matching an authorisation key, then that key will be
+ * set and its ID will be returned.  The authorisation key can be read to get
+ * the callout information passed to request_key().
 */
 long keyctl_assume_authority(key_serial_t id)
 {
@@ -1178,16 +1340,17 @@ long keyctl_assume_authority(key_serial_t id)
        ret = authkey->serial;
 error:
        return ret;
+}
-} /* end keyctl_assume_authority() */
 /*
- * get the security label of a key
+ * Get a key's the LSM security label.
- * - the key must grant us view permission
+ *
- * - if there's a buffer, we place up to buflen bytes of data into it
+ * The key must grant the caller View permission for this to work.
- * - unless there's an error, we return the amount of information available,
+ *
- *   irrespective of how much we may have copied (including the terminal NUL)
+ * If there's a buffer, then up to buflen bytes of data will be placed into it.
- * - implements keyctl(KEYCTL_GET_SECURITY)
+ *
+ * If successful, the amount of information available will be returned,
+ * irrespective of how much was copied (including the terminal NUL).
 */
 long keyctl_get_security(key_serial_t keyid,
                         char __user *buffer,
@@ -1242,10 +1405,16 @@ long keyctl_get_security(key_serial_t keyid,
 }
 /*
- * attempt to install the calling process's session keyring on the process's
+ * Attempt to install the calling process's session keyring on the process's
- * parent process
+ * parent process.
- * - the keyring must exist and must grant us LINK permission
+ *
- * - implements keyctl(KEYCTL_SESSION_TO_PARENT)
+ * The keyring must exist and must grant the caller LINK permission, and the
+ * parent process must be single-threaded and must have the same effective
+ * ownership as this process and mustn't be SUID/SGID.
+ *
+ * The keyring will be emplaced on the parent when it next resumes userspace.
+ *
+ * If successful, 0 will be returned.
 */
 long keyctl_session_to_parent(void)
 {
@@ -1348,9 +1517,8 @@ error_keyring:
 #endif /* !TIF_NOTIFY_RESUME */
 }
-/*****************************************************************************/
 /*
- * the key control system call
+ * The key control system call
 */
 SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,
                unsigned long, arg4, unsigned long, arg5)
@@ -1436,8 +1604,20 @@ SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,
        case KEYCTL_SESSION_TO_PARENT:
                return keyctl_session_to_parent();
+        case KEYCTL_REJECT:
+                return keyctl_reject_key((key_serial_t) arg2,
+                                         (unsigned) arg3,
+                                         (unsigned) arg4,
+                                         (key_serial_t) arg5);
+        case KEYCTL_INSTANTIATE_IOV:
+                return keyctl_instantiate_key_iov(
+                        (key_serial_t) arg2,
+                        (const struct iovec __user *) arg3,
+                        (unsigned) arg4,
+                        (key_serial_t) arg5);
        default:
                return -EOPNOTSUPP;
        }
+}
-} /* end sys_keyctl() */
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index d37f713e73ce..cdd2f3f88c88 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -25,14 +25,16 @@
                (keyring)->payload.subscriptions,                       \
                rwsem_is_locked((struct rw_semaphore *)&(keyring)->sem)))
+#define KEY_LINK_FIXQUOTA 1UL
 /*
- * when plumbing the depths of the key tree, this sets a hard limit set on how
+ * When plumbing the depths of the key tree, this sets a hard limit
- * deep we're willing to go
+ * set on how deep we're willing to go.
 */
 #define KEYRING_SEARCH_MAX_DEPTH 6
 /*
- * we keep all named keyrings in a hash to speed looking them up
+ * We keep all named keyrings in a hash to speed looking them up.
 */
 #define KEYRING_NAME_HASH_SIZE  (1 << 5)
@@ -50,7 +52,9 @@ static inline unsigned keyring_hash(const char *desc)
 }
 /*
- * the keyring type definition
+ * The keyring key type definition.  Keyrings are simply keys of this type and
+ * can be treated as ordinary keys in addition to having their own special
+ * operations.
 */
 static int keyring_instantiate(struct key *keyring,
                               const void *data, size_t datalen);
@@ -71,19 +75,17 @@ struct key_type key_type_keyring = {
        .describe       = keyring_describe,
        .read           = keyring_read,
 };
 EXPORT_SYMBOL(key_type_keyring);
 /*
- * semaphore to serialise link/link calls to prevent two link calls in parallel
+ * Semaphore to serialise link/link calls to prevent two link calls in parallel
- * introducing a cycle
+ * introducing a cycle.
 */
 static DECLARE_RWSEM(keyring_serialise_link_sem);
-/*****************************************************************************/
 /*
- * publish the name of a keyring so that it can be found by name (if it has
+ * Publish the name of a keyring so that it can be found by name (if it has
- * one)
+ * one).
 */
 static void keyring_publish_name(struct key *keyring)
 {
@@ -102,13 +104,12 @@ static void keyring_publish_name(struct key *keyring)
                write_unlock(&keyring_name_lock);
        }
+}
-} /* end keyring_publish_name() */
-/*****************************************************************************/
 /*
- * initialise a keyring
+ * Initialise a keyring.
- * - we object if we were given any data
+ *
+ * Returns 0 on success, -EINVAL if given any data.
 */
 static int keyring_instantiate(struct key *keyring,
                               const void *data, size_t datalen)
@@ -123,23 +124,20 @@ static int keyring_instantiate(struct key *keyring,
        }
        return ret;
+}
-} /* end keyring_instantiate() */
-/*****************************************************************************/
 /*
- * match keyrings on their name
+ * Match keyrings on their name
 */
 static int keyring_match(const struct key *keyring, const void *description)
 {
        return keyring->description &&
                strcmp(keyring->description, description) == 0;
+}
-} /* end keyring_match() */
-/*****************************************************************************/
 /*
- * dispose of the data dangling from the corpse of a keyring
+ * Clean up a keyring when it is destroyed.  Unpublish its name if it had one
+ * and dispose of its data.
 */
 static void keyring_destroy(struct key *keyring)
 {
@@ -164,12 +162,10 @@ static void keyring_destroy(struct key *keyring)
                        key_put(klist->keys[loop]);
                kfree(klist);
        }
+}
-} /* end keyring_destroy() */
-/*****************************************************************************/
 /*
- * describe the keyring
+ * Describe a keyring for /proc.
 */
 static void keyring_describe(const struct key *keyring, struct seq_file *m)
 {
@@ -187,13 +183,12 @@ static void keyring_describe(const struct key *keyring, struct seq_file *m)
        else
                seq_puts(m, ": empty");
        rcu_read_unlock();
+}
-} /* end keyring_describe() */
-/*****************************************************************************/
 /*
- * read a list of key IDs from the keyring's contents
+ * Read a list of key IDs from the keyring's contents in binary form
- * - the keyring's semaphore is read-locked
+ *
+ * The keyring's semaphore is read-locked by the caller.
 */
 static long keyring_read(const struct key *keyring,
                         char __user *buffer, size_t buflen)
@@ -241,12 +236,10 @@ static long keyring_read(const struct key *keyring,
 error:
        return ret;
+}
-} /* end keyring_read() */
-/*****************************************************************************/
 /*
- * allocate a keyring and link into the destination keyring
+ * Allocate a keyring and link into the destination keyring.
 */
 struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
                          const struct cred *cred, unsigned long flags,
@@ -269,20 +262,42 @@ struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
        }
        return keyring;
+}
-} /* end keyring_alloc() */
+/**
+ * keyring_search_aux - Search a keyring tree for a key matching some criteria
-/*****************************************************************************/
+ * @keyring_ref: A pointer to the keyring with possession indicator.
-/*
+ * @cred: The credentials to use for permissions checks.
- * search the supplied keyring tree for a key that matches the criterion
+ * @type: The type of key to search for.
- * - perform a breadth-then-depth search up to the prescribed limit
+ * @description: Parameter for @match.
- * - we only find keys on which we have search permission
+ * @match: Function to rule on whether or not a key is the one required.
- * - we use the supplied match function to see if the description (or other
+ *
- *   feature of interest) matches
+ * Search the supplied keyring tree for a key that matches the criteria given.
- * - we rely on RCU to prevent the keyring lists from disappearing on us
+ * The root keyring and any linked keyrings must grant Search permission to the
- * - we return -EAGAIN if we didn't find any matching key
+ * caller to be searchable and keys can only be found if they too grant Search
- * - we return -ENOKEY if we only found negative matching keys
+ * to the caller. The possession flag on the root keyring pointer controls use
- * - we propagate the possession attribute from the keyring ref to the key ref
+ * of the possessor bits in permissions checking of the entire tree.  In
+ * addition, the LSM gets to forbid keyring searches and key matches.
+ *
+ * The search is performed as a breadth-then-depth search up to the prescribed
+ * limit (KEYRING_SEARCH_MAX_DEPTH).
+ *
+ * Keys are matched to the type provided and are then filtered by the match
+ * function, which is given the description to use in any way it sees fit.  The
+ * match function may use any attributes of a key that it wishes to to
+ * determine the match.  Normally the match function from the key type would be
+ * used.
+ *
+ * RCU is used to prevent the keyring key lists from disappearing without the
+ * need to take lots of locks.
+ *
+ * Returns a pointer to the found key and increments the key usage count if
+ * successful; -EAGAIN if no matching keys were found, or if expired or revoked
+ * keys were found; -ENOKEY if only negative keys were found; -ENOTDIR if the
+ * specified keyring wasn't a keyring.
+ *
+ * In the case of a successful return, the possession attribute from
+ * @keyring_ref is propagated to the returned key reference.
 */
 key_ref_t keyring_search_aux(key_ref_t keyring_ref,
                             const struct cred *cred,
@@ -337,7 +352,7 @@ key_ref_t keyring_search_aux(key_ref_t keyring_ref,
                        goto error_2;
                if (key->expiry && now.tv_sec >= key->expiry)
                        goto error_2;
-                key_ref = ERR_PTR(-ENOKEY);
+                key_ref = ERR_PTR(key->type_data.reject_error);
                if (kflags & (1 << KEY_FLAG_NEGATIVE))
                        goto error_2;
                goto found;
@@ -386,7 +401,7 @@ descend:
                /* we set a different error code if we pass a negative key */
                if (kflags & (1 << KEY_FLAG_NEGATIVE)) {
-                        err = -ENOKEY;
+                        err = key->type_data.reject_error;
                        continue;
                }
@@ -444,17 +459,16 @@ error_2:
        rcu_read_unlock();
 error:
        return key_ref;
+}
-} /* end keyring_search_aux() */
+/**
+ * keyring_search - Search the supplied keyring tree for a matching key
-/*****************************************************************************/
+ * @keyring: The root of the keyring tree to be searched.
-/*
+ * @type: The type of keyring we want to find.
- * search the supplied keyring tree for a key that matches the criterion
+ * @description: The name of the keyring we want to find.
- * - perform a breadth-then-depth search up to the prescribed limit
+ *
- * - we only find keys on which we have search permission
+ * As keyring_search_aux() above, but using the current task's credentials and
- * - we readlock the keyrings as we search down the tree
+ * type's default matching function.
- * - we return -EAGAIN if we didn't find any matching key
- * - we return -ENOKEY if we only found negative matching keys
 */
 key_ref_t keyring_search(key_ref_t keyring,
                         struct key_type *type,
@@ -465,16 +479,23 @@ key_ref_t keyring_search(key_ref_t keyring,
        return keyring_search_aux(keyring, current->cred,
                                  type, description, type->match);
+}
-} /* end keyring_search() */
 EXPORT_SYMBOL(keyring_search);
-/*****************************************************************************/
 /*
- * search the given keyring only (no recursion)
+ * Search the given keyring only (no recursion).
- * - keyring must be locked by caller
+ *
- * - caller must guarantee that the keyring is a keyring
+ * The caller must guarantee that the keyring is a keyring and that the
+ * permission is granted to search the keyring as no check is made here.
+ *
+ * RCU is used to make it unnecessary to lock the keyring key list here.
+ *
+ * Returns a pointer to the found key with usage count incremented if
+ * successful and returns -ENOKEY if not found.  Revoked keys and keys not
+ * providing the requested permission are skipped over.
+ *
+ * If successful, the possession indicator is propagated from the keyring ref
+ * to the returned key reference.
 */
 key_ref_t __keyring_search_one(key_ref_t keyring_ref,
                               const struct key_type *ktype,
@@ -514,14 +535,18 @@ found:
        atomic_inc(&key->usage);
        rcu_read_unlock();
        return make_key_ref(key, possessed);
+}
-} /* end __keyring_search_one() */
-/*****************************************************************************/
 /*
- * find a keyring with the specified name
+ * Find a keyring with the specified name.
- * - all named keyrings are searched
+ *
- * - normally only finds keyrings with search permission for the current process
+ * All named keyrings in the current user namespace are searched, provided they
+ * grant Search permission directly to the caller (unless this check is
+ * skipped).  Keyrings whose usage points have reached zero or who have been
+ * revoked are skipped.
+ *
+ * Returns a pointer to the keyring with the keyring's refcount having being
+ * incremented on success.  -ENOKEY is returned if a key could not be found.
 */
 struct key *find_keyring_by_name(const char *name, bool skip_perm_check)
 {
@@ -569,15 +594,14 @@ struct key *find_keyring_by_name(const char *name, bool skip_perm_check)
 out:
        read_unlock(&keyring_name_lock);
        return keyring;
+}
-} /* end find_keyring_by_name() */
-/*****************************************************************************/
 /*
- * see if a cycle will will be created by inserting acyclic tree B in acyclic
+ * See if a cycle will will be created by inserting acyclic tree B in acyclic
- * tree A at the topmost level (ie: as a direct child of A)
+ * tree A at the topmost level (ie: as a direct child of A).
- * - since we are adding B to A at the top level, checking for cycles should
+ *
- *   just be a matter of seeing if node A is somewhere in tree B
+ * Since we are adding B to A at the top level, checking for cycles should just
+ * be a matter of seeing if node A is somewhere in tree B.
 */
 static int keyring_detect_cycle(struct key *A, struct key *B)
 {
@@ -657,11 +681,10 @@ too_deep:
 cycle_detected:
        ret = -EDEADLK;
        goto error;
+}
-} /* end keyring_detect_cycle() */
 /*
- * dispose of a keyring list after the RCU grace period, freeing the unlinked
+ * Dispose of a keyring list after the RCU grace period, freeing the unlinked
 * key
 */
 static void keyring_unlink_rcu_disposal(struct rcu_head *rcu)
@@ -675,14 +698,14 @@ static void keyring_unlink_rcu_disposal(struct rcu_head *rcu)
 }
 /*
- * preallocate memory so that a key can be linked into to a keyring
+ * Preallocate memory so that a key can be linked into to a keyring.
 */
 int __key_link_begin(struct key *keyring, const struct key_type *type,
-                     const char *description,
+                     const char *description, unsigned long *_prealloc)
-                     struct keyring_list **_prealloc)
        __acquires(&keyring->sem)
 {
        struct keyring_list *klist, *nklist;
+        unsigned long prealloc;
        unsigned max;
        size_t size;
        int loop, ret;
@@ -725,6 +748,7 @@ int __key_link_begin(struct key *keyring, const struct key_type *type,
                                /* note replacement slot */
                                klist->delkey = nklist->delkey = loop;
+                                prealloc = (unsigned long)nklist;
                                goto done;
                        }
                }
@@ -739,6 +763,7 @@ int __key_link_begin(struct key *keyring, const struct key_type *type,
        if (klist && klist->nkeys < klist->maxkeys) {
                /* there's sufficient slack space to append directly */
                nklist = NULL;
+                prealloc = KEY_LINK_FIXQUOTA;
        } else {
                /* grow the key list */
                max = 4;
@@ -773,8 +798,9 @@ int __key_link_begin(struct key *keyring, const struct key_type *type,
                nklist->keys[nklist->delkey] = NULL;
        }
+        prealloc = (unsigned long)nklist | KEY_LINK_FIXQUOTA;
 done:
-        *_prealloc = nklist;
+        *_prealloc = prealloc;
        kleave(" = 0");
        return 0;
@@ -792,10 +818,10 @@ error_krsem:
 }
 /*
- * check already instantiated keys aren't going to be a problem
+ * Check already instantiated keys aren't going to be a problem.
- * - the caller must have called __key_link_begin()
+ *
- * - don't need to call this for keys that were created since __key_link_begin()
+ * The caller must have called __key_link_begin(). Don't need to call this for
- *   was called
+ * keys that were created since __key_link_begin() was called.
 */
 int __key_link_check_live_key(struct key *keyring, struct key *key)
 {
@@ -807,17 +833,20 @@ int __key_link_check_live_key(struct key *keyring, struct key *key)
 }
 /*
- * link a key into to a keyring
+ * Link a key into to a keyring.
- * - must be called with __key_link_begin() having being called
+ *
- * - discard already extant link to matching key if there is one
+ * Must be called with __key_link_begin() having being called.  Discards any
+ * already extant link to matching key if there is one, so that each keyring
+ * holds at most one link to any given key of a particular type+description
+ * combination.
 */
 void __key_link(struct key *keyring, struct key *key,
-                struct keyring_list **_prealloc)
+                unsigned long *_prealloc)
 {
        struct keyring_list *klist, *nklist;
-        nklist = *_prealloc;
+        nklist = (struct keyring_list *)(*_prealloc & ~KEY_LINK_FIXQUOTA);
-        *_prealloc = NULL;
+        *_prealloc = 0;
        kenter("%d,%d,%p", keyring->serial, key->serial, nklist);
@@ -852,34 +881,54 @@ void __key_link(struct key *keyring, struct key *key,
 }
 /*
- * finish linking a key into to a keyring
+ * Finish linking a key into to a keyring.
- * - must be called with __key_link_begin() having being called
+ *
+ * Must be called with __key_link_begin() having being called.
 */
 void __key_link_end(struct key *keyring, struct key_type *type,
-                    struct keyring_list *prealloc)
+                    unsigned long prealloc)
        __releases(&keyring->sem)
 {
        BUG_ON(type == NULL);
        BUG_ON(type->name == NULL);
-        kenter("%d,%s,%p", keyring->serial, type->name, prealloc);
+        kenter("%d,%s,%lx", keyring->serial, type->name, prealloc);
        if (type == &key_type_keyring)
                up_write(&keyring_serialise_link_sem);
        if (prealloc) {
-                kfree(prealloc);
+                if (prealloc & KEY_LINK_FIXQUOTA)
-                key_payload_reserve(keyring,
+                        key_payload_reserve(keyring,
-                                    keyring->datalen - KEYQUOTA_LINK_BYTES);
+                                            keyring->datalen -
+                                            KEYQUOTA_LINK_BYTES);
+                kfree((struct keyring_list *)(prealloc & ~KEY_LINK_FIXQUOTA));
        }
        up_write(&keyring->sem);
 }
-/*
+/**
- * link a key to a keyring
+ * key_link - Link a key to a keyring
+ * @keyring: The keyring to make the link in.
+ * @key: The key to link to.
+ *
+ * Make a link in a keyring to a key, such that the keyring holds a reference
+ * on that key and the key can potentially be found by searching that keyring.
+ *
+ * This function will write-lock the keyring's semaphore and will consume some
+ * of the user's key data quota to hold the link.
+ *
+ * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring,
+ * -EKEYREVOKED if the keyring has been revoked, -ENFILE if the keyring is
+ * full, -EDQUOT if there is insufficient key data quota remaining to add
+ * another link or -ENOMEM if there's insufficient memory.
+ *
+ * It is assumed that the caller has checked that it is permitted for a link to
+ * be made (the keyring should have Write permission and the key Link
+ * permission).
 */
 int key_link(struct key *keyring, struct key *key)
 {
-        struct keyring_list *prealloc;
+        unsigned long prealloc;
        int ret;
        key_check(keyring);
@@ -895,12 +944,24 @@ int key_link(struct key *keyring, struct key *key)
        return ret;
 }
 EXPORT_SYMBOL(key_link);
-/*****************************************************************************/
+/**
-/*
+ * key_unlink - Unlink the first link to a key from a keyring.
- * unlink the first link to a key from a keyring
+ * @keyring: The keyring to remove the link from.
+ * @key: The key the link is to.
+ *
+ * Remove a link from a keyring to a key.
+ *
+ * This function will write-lock the keyring's semaphore.
+ *
+ * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring, -ENOENT if
+ * the key isn't linked to by the keyring or -ENOMEM if there's insufficient
+ * memory.
+ *
+ * It is assumed that the caller has checked that it is permitted for a link to
+ * be removed (the keyring should have Write permission; no permissions are
+ * required on the key).
 */
 int key_unlink(struct key *keyring, struct key *key)
 {
@@ -968,15 +1029,12 @@ nomem:
        ret = -ENOMEM;
        up_write(&keyring->sem);
        goto error;
+}
-} /* end key_unlink() */
 EXPORT_SYMBOL(key_unlink);
-/*****************************************************************************/
 /*
- * dispose of a keyring list after the RCU grace period, releasing the keys it
+ * Dispose of a keyring list after the RCU grace period, releasing the keys it
- * links to
+ * links to.
 */
 static void keyring_clear_rcu_disposal(struct rcu_head *rcu)
 {
@@ -989,13 +1047,15 @@ static void keyring_clear_rcu_disposal(struct rcu_head *rcu)
                key_put(klist->keys[loop]);
        kfree(klist);
+}
-} /* end keyring_clear_rcu_disposal() */
+/**
+ * keyring_clear - Clear a keyring
-/*****************************************************************************/
+ * @keyring: The keyring to clear.
-/*
+ *
- * clear the specified process keyring
+ * Clear the contents of the specified keyring.
- * - implements keyctl(KEYCTL_CLEAR)
+ *
+ * Returns 0 if successful or -ENOTDIR if the keyring isn't a keyring.
 */
 int keyring_clear(struct key *keyring)
 {
@@ -1027,15 +1087,13 @@ int keyring_clear(struct key *keyring)
        }
        return ret;
+}
-} /* end keyring_clear() */
 EXPORT_SYMBOL(keyring_clear);
-/*****************************************************************************/
 /*
- * dispose of the links from a revoked keyring
+ * Dispose of the links from a revoked keyring.
- * - called with the key sem write-locked
+ *
+ * This is called with the key sem write-locked.
 */
 static void keyring_revoke(struct key *keyring)
 {
@@ -1050,11 +1108,10 @@ static void keyring_revoke(struct key *keyring)
                rcu_assign_pointer(keyring->payload.subscriptions, NULL);
                call_rcu(&klist->rcu, keyring_clear_rcu_disposal);
        }
+}
-} /* end keyring_revoke() */
 /*
- * Determine whether a key is dead
+ * Determine whether a key is dead.
 */
 static bool key_is_dead(struct key *key, time_t limit)
 {
@@ -1063,7 +1120,12 @@ static bool key_is_dead(struct key *key, time_t limit)
 }
 /*
- * Collect garbage from the contents of a keyring
+ * Collect garbage from the contents of a keyring, replacing the old list with
+ * a new one with the pointers all shuffled down.
+ *
+ * Dead keys are classed as oned that are flagged as being dead or are revoked,
+ * expired or negative keys that were revoked or expired before the specified
+ * limit.
 */
 void keyring_gc(struct key *keyring, time_t limit)
 {
diff --git a/security/keys/permission.c b/security/keys/permission.c
index 28645502cd0d..c35b5229e3cd 100644
--- a/security/keys/permission.c
+++ b/security/keys/permission.c
@@ -1,4 +1,4 @@
-/* permission.c: key permission determination
+/* Key permission checking
 *
 * Copyright (C) 2005 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
@@ -13,18 +13,19 @@
 #include <linux/security.h>
 #include "internal.h"
-/*****************************************************************************/
 /**
 * key_task_permission - Check a key can be used
- * @key_ref: The key to check
+ * @key_ref: The key to check.
- * @cred: The credentials to use
+ * @cred: The credentials to use.
- * @perm: The permissions to check for
+ * @perm: The permissions to check for.
 *
 * Check to see whether permission is granted to use a key in the desired way,
 * but permit the security modules to override.
 *
- * The caller must hold either a ref on cred or must hold the RCU readlock or a
+ * The caller must hold either a ref on cred or must hold the RCU readlock.
- * spinlock.
+ *
+ * Returns 0 if successful, -EACCES if access is denied based on the
+ * permissions bits or the LSM check.
 */
 int key_task_permission(const key_ref_t key_ref, const struct cred *cred,
                        key_perm_t perm)
@@ -79,14 +80,16 @@ use_these_perms:
        /* let LSM be the final arbiter */
        return security_key_permission(key_ref, cred, perm);
+}
-} /* end key_task_permission() */
 EXPORT_SYMBOL(key_task_permission);
-/*****************************************************************************/
+/**
-/*
+ * key_validate - Validate a key.
- * validate a key
+ * @key: The key to be validated.
+ *
+ * Check that a key is valid, returning 0 if the key is okay, -EKEYREVOKED if
+ * the key's type has been removed or if the key has been revoked or
+ * -EKEYEXPIRED if the key has expired.
 */
 int key_validate(struct key *key)
 {
@@ -111,7 +114,5 @@ int key_validate(struct key *key)
 error:
        return ret;
+}
-} /* end key_validate() */
 EXPORT_SYMBOL(key_validate);
diff --git a/security/keys/proc.c b/security/keys/proc.c
index 70373966816e..525cf8a29cdd 100644
--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -1,4 +1,4 @@
-/* proc.c: proc files for key database enumeration
+/* procfs files for key database enumeration
 *
 * Copyright (C) 2004 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
@@ -60,9 +60,8 @@ static const struct file_operations proc_key_users_fops = {
        .release        = seq_release,
 };
-/*****************************************************************************/
 /*
- * declare the /proc files
+ * Declare the /proc files.
 */
 static int __init key_proc_init(void)
 {
@@ -79,14 +78,13 @@ static int __init key_proc_init(void)
                panic("Cannot create /proc/key-users\n");
        return 0;
+}
-} /* end key_proc_init() */
 __initcall(key_proc_init);
-/*****************************************************************************/
 /*
- * implement "/proc/keys" to provides a list of the keys on the system
+ * Implement "/proc/keys" to provide a list of the keys on the system that
+ * grant View permission to the caller.
 */
 #ifdef CONFIG_KEYS_DEBUG_PROC_KEYS
@@ -293,9 +291,9 @@ static struct rb_node *key_user_first(struct rb_root *r)
        return __key_user_next(n);
 }
-/*****************************************************************************/
 /*
- * implement "/proc/key-users" to provides a list of the key users
+ * Implement "/proc/key-users" to provides a list of the key users and their
+ * quotas.
 */
 static int proc_key_users_open(struct inode *inode, struct file *file)
 {
@@ -351,5 +349,4 @@ static int proc_key_users_show(struct seq_file *m, void *v)
                   maxbytes);
        return 0;
 }
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index 504bdd2452bd..930634e45149 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -1,4 +1,4 @@
-/* Management of a process's keyrings
+/* Manage a process's keyrings
 *
 * Copyright (C) 2004-2005, 2008 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
@@ -21,13 +21,13 @@
 #include <asm/uaccess.h>
 #include "internal.h"
-/* session keyring create vs join semaphore */
+/* Session keyring create vs join semaphore */
 static DEFINE_MUTEX(key_session_mutex);
-/* user keyring creation semaphore */
+/* User keyring creation semaphore */
 static DEFINE_MUTEX(key_user_keyring_mutex);
-/* the root user's tracking struct */
+/* The root user's tracking struct */
 struct key_user root_key_user = {
        .usage          = ATOMIC_INIT(3),
        .cons_lock      = __MUTEX_INITIALIZER(root_key_user.cons_lock),
@@ -38,9 +38,8 @@ struct key_user root_key_user = {
        .user_ns        = &init_user_ns,
 };
-/*****************************************************************************/
 /*
- * install user and user session keyrings for a particular UID
+ * Install the user and user session keyrings for the current process's UID.
 */
 int install_user_keyrings(void)
 {
@@ -122,7 +121,8 @@ error:
 }
 /*
- * install a fresh thread keyring directly to new credentials
+ * Install a fresh thread keyring directly to new credentials.  This keyring is
+ * allowed to overrun the quota.
 */
 int install_thread_keyring_to_cred(struct cred *new)
 {
@@ -138,7 +138,7 @@ int install_thread_keyring_to_cred(struct cred *new)
 }
 /*
- * install a fresh thread keyring, discarding the old one
+ * Install a fresh thread keyring, discarding the old one.
 */
 static int install_thread_keyring(void)
 {
@@ -161,9 +161,10 @@ static int install_thread_keyring(void)
 }
 /*
- * install a process keyring directly to a credentials struct
+ * Install a process keyring directly to a credentials struct.
- * - returns -EEXIST if there was already a process keyring, 0 if one installed,
+ *
- *   and other -ve on any other error
+ * Returns -EEXIST if there was already a process keyring, 0 if one installed,
+ * and other value on any other error
 */
 int install_process_keyring_to_cred(struct cred *new)
 {
@@ -192,8 +193,11 @@ int install_process_keyring_to_cred(struct cred *new)
 }
 /*
- * make sure a process keyring is installed
+ * Make sure a process keyring is installed for the current process.  The
- * - we
+ * existing process keyring is not replaced.
+ *
+ * Returns 0 if there is a process keyring by the end of this function, some
+ * error otherwise.
 */
 static int install_process_keyring(void)
 {
@@ -214,7 +218,7 @@ static int install_process_keyring(void)
 }
 /*
- * install a session keyring directly to a credentials struct
+ * Install a session keyring directly to a credentials struct.
 */
 int install_session_keyring_to_cred(struct cred *cred, struct key *keyring)
 {
@@ -254,8 +258,8 @@ int install_session_keyring_to_cred(struct cred *cred, struct key *keyring)
 }
 /*
- * install a session keyring, discarding the old one
+ * Install a session keyring, discarding the old one.  If a keyring is not
- * - if a keyring is not supplied, an empty one is invented
+ * supplied, an empty one is invented.
 */
 static int install_session_keyring(struct key *keyring)
 {
@@ -275,9 +279,8 @@ static int install_session_keyring(struct key *keyring)
        return commit_creds(new);
 }
-/*****************************************************************************/
 /*
- * the filesystem user ID changed
+ * Handle the fsuid changing.
 */
 void key_fsuid_changed(struct task_struct *tsk)
 {
@@ -288,12 +291,10 @@ void key_fsuid_changed(struct task_struct *tsk)
                tsk->cred->thread_keyring->uid = tsk->cred->fsuid;
                up_write(&tsk->cred->thread_keyring->sem);
        }
+}
-} /* end key_fsuid_changed() */
-/*****************************************************************************/
 /*
- * the filesystem group ID changed
+ * Handle the fsgid changing.
 */
 void key_fsgid_changed(struct task_struct *tsk)
 {
@@ -304,16 +305,28 @@ void key_fsgid_changed(struct task_struct *tsk)
                tsk->cred->thread_keyring->gid = tsk->cred->fsgid;
                up_write(&tsk->cred->thread_keyring->sem);
        }
+}
-} /* end key_fsgid_changed() */
-/*****************************************************************************/
 /*
- * search only my process keyrings for the first matching key
+ * Search the process keyrings attached to the supplied cred for the first
- * - we use the supplied match function to see if the description (or other
+ * matching key.
- *   feature of interest) matches
+ *
- * - we return -EAGAIN if we didn't find any matching key
+ * The search criteria are the type and the match function.  The description is
- * - we return -ENOKEY if we found only negative matching keys
+ * given to the match function as a parameter, but doesn't otherwise influence
+ * the search.  Typically the match function will compare the description
+ * parameter to the key's description.
+ *
+ * This can only search keyrings that grant Search permission to the supplied
+ * credentials.  Keyrings linked to searched keyrings will also be searched if
+ * they grant Search permission too.  Keys can only be found if they grant
+ * Search permission to the credentials.
+ *
+ * Returns a pointer to the key with the key usage count incremented if
+ * successful, -EAGAIN if we didn't find any matching key or -ENOKEY if we only
+ * matched negative keys.
+ *
+ * In the case of a successful return, the possession attribute is set on the
+ * returned key reference.
 */
 key_ref_t search_my_process_keyrings(struct key_type *type,
                                     const void *description,
@@ -428,13 +441,13 @@ found:
        return key_ref;
 }
-/*****************************************************************************/
 /*
- * search the process keyrings for the first matching key
+ * Search the process keyrings attached to the supplied cred for the first
- * - we use the supplied match function to see if the description (or other
+ * matching key in the manner of search_my_process_keyrings(), but also search
- *   feature of interest) matches
+ * the keys attached to the assumed authorisation key using its credentials if
- * - we return -EAGAIN if we didn't find any matching key
+ * one is available.
- * - we return -ENOKEY if we found only negative matching keys
+ *
+ * Return same as search_my_process_keyrings().
 */
 key_ref_t search_process_keyrings(struct key_type *type,
                                  const void *description,
@@ -489,24 +502,33 @@ key_ref_t search_process_keyrings(struct key_type *type,
 found:
        return key_ref;
+}
-} /* end search_process_keyrings() */
-/*****************************************************************************/
 /*
- * see if the key we're looking at is the target key
+ * See if the key we're looking at is the target key.
 */
 int lookup_user_key_possessed(const struct key *key, const void *target)
 {
        return key == target;
+}
-} /* end lookup_user_key_possessed() */
-/*****************************************************************************/
 /*
- * lookup a key given a key ID from userspace with a given permissions mask
+ * Look up a key ID given us by userspace with a given permissions mask to get
- * - don't create special keyrings unless so requested
+ * the key it refers to.
- * - partially constructed keys aren't found unless requested
+ *
+ * Flags can be passed to request that special keyrings be created if referred
+ * to directly, to permit partially constructed keys to be found and to skip
+ * validity and permission checks on the found key.
+ *
+ * Returns a pointer to the key with an incremented usage count if successful;
+ * -EINVAL if the key ID is invalid; -ENOKEY if the key ID does not correspond
+ * to a key or the best found key was a negative key; -EKEYREVOKED or
+ * -EKEYEXPIRED if the best found key was revoked or expired; -EACCES if the
+ * found key doesn't grant the requested permit or the LSM denied access to it;
+ * or -ENOMEM if a special keyring couldn't be created.
+ *
+ * In the case of a successful return, the possession attribute is set on the
+ * returned key reference.
 */
 key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags,
                          key_perm_t perm)
@@ -711,15 +733,18 @@ invalid_key:
 reget_creds:
        put_cred(cred);
        goto try_again;
+}
-} /* end lookup_user_key() */
-/*****************************************************************************/
 /*
- * join the named keyring as the session keyring if possible, or attempt to
+ * Join the named keyring as the session keyring if possible else attempt to
- * create a new one of that name if not
+ * create a new one of that name and join that.
- * - if the name is NULL, an empty anonymous keyring is installed instead
+ *
- * - named session keyring joining is done with a semaphore held
+ * If the name is NULL, an empty anonymous keyring will be installed as the
+ * session keyring.
+ *
+ * Named session keyrings are joined with a semaphore held to prevent the
+ * keyrings from going away whilst the attempt is made to going them and also
+ * to prevent a race in creating compatible session keyrings.
 */
 long join_session_keyring(const char *name)
 {
@@ -791,8 +816,8 @@ error:
 }
 /*
- * Replace a process's session keyring when that process resumes userspace on
+ * Replace a process's session keyring on behalf of one of its children when
- * behalf of one of its children
+ * the target  process is about to resume userspace execution.
 */
 void key_replace_session_keyring(void)
 {
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index 0ea52d25a6bd..df3c0417ee40 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -39,8 +39,14 @@ static int key_wait_bit_intr(void *flags)
        return signal_pending(current) ? -ERESTARTSYS : 0;
 }
-/*
+/**
- * call to complete the construction of a key
+ * complete_request_key - Complete the construction of a key.
+ * @cons: The key construction record.
+ * @error: The success or failute of the construction.
+ *
+ * Complete the attempt to construct a key.  The key will be negated
+ * if an error is indicated.  The authorisation key will be revoked
+ * unconditionally.
 */
 void complete_request_key(struct key_construction *cons, int error)
 {
@@ -58,23 +64,33 @@ void complete_request_key(struct key_construction *cons, int error)
 }
 EXPORT_SYMBOL(complete_request_key);
+/*
+ * Initialise a usermode helper that is going to have a specific session
+ * keyring.
+ *
+ * This is called in context of freshly forked kthread before kernel_execve(),
+ * so we can simply install the desired session_keyring at this point.
+ */
 static int umh_keys_init(struct subprocess_info *info)
 {
        struct cred *cred = (struct cred*)current_cred();
        struct key *keyring = info->data;
-        /*
-         * This is called in context of freshly forked kthread before
-         * kernel_execve(), we can just change our ->session_keyring.
-         */
        return install_session_keyring_to_cred(cred, keyring);
 }
+/*
+ * Clean up a usermode helper with session keyring.
+ */
 static void umh_keys_cleanup(struct subprocess_info *info)
 {
        struct key *keyring = info->data;
        key_put(keyring);
 }
+/*
+ * Call a usermode helper with a specific session keyring.
+ */
 static int call_usermodehelper_keys(char *path, char **argv, char **envp,
                         struct key *session_keyring, enum umh_wait wait)
 {
@@ -91,7 +107,7 @@ static int call_usermodehelper_keys(char *path, char **argv, char **envp,
 }
 /*
- * request userspace finish the construction of a key
+ * Request userspace finish the construction of a key
 * - execute "/sbin/request-key <op> <key> <uid> <gid> <keyring> <keyring> <keyring>"
 */
 static int call_sbin_request_key(struct key_construction *cons,
@@ -198,8 +214,9 @@ error_alloc:
 }
 /*
- * call out to userspace for key construction
+ * Call out to userspace for key construction.
- * - we ignore program failure and go on key status instead
+ *
+ * Program failure is ignored in favour of key status.
 */
 static int construct_key(struct key *key, const void *callout_info,
                         size_t callout_len, void *aux,
@@ -246,9 +263,10 @@ static int construct_key(struct key *key, const void *callout_info,
 }
 /*
- * get the appropriate destination keyring for the request
+ * Get the appropriate destination keyring for the request.
- * - we return whatever keyring we select with an extra reference upon it which
+ *
- *   the caller must release
+ * The keyring selected is returned with an extra reference upon it which the
+ * caller must release.
 */
 static void construct_get_dest_keyring(struct key **_dest_keyring)
 {
@@ -321,9 +339,11 @@ static void construct_get_dest_keyring(struct key **_dest_keyring)
 }
 /*
- * allocate a new key in under-construction state and attempt to link it in to
+ * Allocate a new key in under-construction state and attempt to link it in to
- * the requested place
+ * the requested keyring.
- * - may return a key that's already under construction instead
+ *
+ * May return a key that's already under construction instead if there was a
+ * race between two thread calling request_key().
 */
 static int construct_alloc_key(struct key_type *type,
                               const char *description,
@@ -332,8 +352,8 @@ static int construct_alloc_key(struct key_type *type,
                               struct key_user *user,
                               struct key **_key)
 {
-        struct keyring_list *prealloc;
        const struct cred *cred = current_cred();
+        unsigned long prealloc;
        struct key *key;
        key_ref_t key_ref;
        int ret;
@@ -414,7 +434,7 @@ alloc_failed:
 }
 /*
- * commence key construction
+ * Commence key construction.
 */
 static struct key *construct_key_and_link(struct key_type *type,
                                          const char *description,
@@ -465,12 +485,32 @@ construction_failed:
        return ERR_PTR(ret);
 }
-/*
+/**
- * request a key
+ * request_key_and_link - Request a key and cache it in a keyring.
- * - search the process's keyrings
+ * @type: The type of key we want.
- * - check the list of keys being created or updated
+ * @description: The searchable description of the key.
- * - call out to userspace for a key if supplementary info was provided
+ * @callout_info: The data to pass to the instantiation upcall (or NULL).
- * - cache the key in an appropriate keyring
+ * @callout_len: The length of callout_info.
+ * @aux: Auxiliary data for the upcall.
+ * @dest_keyring: Where to cache the key.
+ * @flags: Flags to key_alloc().
+ *
+ * A key matching the specified criteria is searched for in the process's
+ * keyrings and returned with its usage count incremented if found.  Otherwise,
+ * if callout_info is not NULL, a key will be allocated and some service
+ * (probably in userspace) will be asked to instantiate it.
+ *
+ * If successfully found or created, the key will be linked to the destination
+ * keyring if one is provided.
+ *
+ * Returns a pointer to the key if successful; -EACCES, -ENOKEY, -EKEYREVOKED
+ * or -EKEYEXPIRED if an inaccessible, negative, revoked or expired key was
+ * found; -ENOKEY if no key was found and no @callout_info was given; -EDQUOT
+ * if insufficient key quota was available to create a new key; or -ENOMEM if
+ * insufficient memory was available.
+ *
+ * If the returned key was created, then it may still be under construction,
+ * and wait_for_key_construction() should be used to wait for that to complete.
 */
 struct key *request_key_and_link(struct key_type *type,
                                 const char *description,
@@ -524,8 +564,16 @@ error:
        return key;
 }
-/*
+/**
- * wait for construction of a key to complete
+ * wait_for_key_construction - Wait for construction of a key to complete
+ * @key: The key being waited for.
+ * @intr: Whether to wait interruptibly.
+ *
+ * Wait for a key to finish being constructed.
+ *
+ * Returns 0 if successful; -ERESTARTSYS if the wait was interrupted; -ENOKEY
+ * if the key was negated; or -EKEYREVOKED or -EKEYEXPIRED if the key was
+ * revoked or expired.
 */
 int wait_for_key_construction(struct key *key, bool intr)
 {
@@ -537,17 +585,24 @@ int wait_for_key_construction(struct key *key, bool intr)
        if (ret < 0)
                return ret;
        if (test_bit(KEY_FLAG_NEGATIVE, &key->flags))
-                return -ENOKEY;
+                return key->type_data.reject_error;
        return key_validate(key);
 }
 EXPORT_SYMBOL(wait_for_key_construction);
-/*
+/**
- * request a key
+ * request_key - Request a key and wait for construction
- * - search the process's keyrings
+ * @type: Type of key.
- * - check the list of keys being created or updated
+ * @description: The searchable description of the key.
- * - call out to userspace for a key if supplementary info was provided
+ * @callout_info: The data to pass to the instantiation upcall (or NULL).
- * - waits uninterruptible for creation to complete
+ *
+ * As for request_key_and_link() except that it does not add the returned key
+ * to a keyring if found, new keys are always allocated in the user's quota,
+ * the callout_info must be a NUL-terminated string and no auxiliary data can
+ * be passed.
+ *
+ * Furthermore, it then works as wait_for_key_construction() to wait for the
+ * completion of keys undergoing construction with a non-interruptible wait.
 */
 struct key *request_key(struct key_type *type,
                        const char *description,
@@ -572,12 +627,19 @@ struct key *request_key(struct key_type *type,
 }
 EXPORT_SYMBOL(request_key);
-/*
+/**
- * request a key with auxiliary data for the upcaller
+ * request_key_with_auxdata - Request a key with auxiliary data for the upcaller
- * - search the process's keyrings
+ * @type: The type of key we want.
- * - check the list of keys being created or updated
+ * @description: The searchable description of the key.
- * - call out to userspace for a key if supplementary info was provided
+ * @callout_info: The data to pass to the instantiation upcall (or NULL).
- * - waits uninterruptible for creation to complete
+ * @callout_len: The length of callout_info.
+ * @aux: Auxiliary data for the upcall.
+ *
+ * As for request_key_and_link() except that it does not add the returned key
+ * to a keyring if found and new keys are always allocated in the user's quota.
+ *
+ * Furthermore, it then works as wait_for_key_construction() to wait for the
+ * completion of keys undergoing construction with a non-interruptible wait.
 */
 struct key *request_key_with_auxdata(struct key_type *type,
                                     const char *description,
@@ -602,10 +664,18 @@ struct key *request_key_with_auxdata(struct key_type *type,
 EXPORT_SYMBOL(request_key_with_auxdata);
 /*
- * request a key (allow async construction)
+ * request_key_async - Request a key (allow async construction)
- * - search the process's keyrings
+ * @type: Type of key.
- * - check the list of keys being created or updated
+ * @description: The searchable description of the key.
- * - call out to userspace for a key if supplementary info was provided
+ * @callout_info: The data to pass to the instantiation upcall (or NULL).
+ * @callout_len: The length of callout_info.
+ *
+ * As for request_key_and_link() except that it does not add the returned key
+ * to a keyring if found, new keys are always allocated in the user's quota and
+ * no auxiliary data can be passed.
+ *
+ * The caller should call wait_for_key_construction() to wait for the
+ * completion of the returned key if it is still undergoing construction.
 */
 struct key *request_key_async(struct key_type *type,
                              const char *description,
@@ -620,9 +690,17 @@ EXPORT_SYMBOL(request_key_async);
 /*
 * request a key with auxiliary data for the upcaller (allow async construction)
- * - search the process's keyrings
+ * @type: Type of key.
- * - check the list of keys being created or updated
+ * @description: The searchable description of the key.
- * - call out to userspace for a key if supplementary info was provided
+ * @callout_info: The data to pass to the instantiation upcall (or NULL).
+ * @callout_len: The length of callout_info.
+ * @aux: Auxiliary data for the upcall.
+ *
+ * As for request_key_and_link() except that it does not add the returned key
+ * to a keyring if found and new keys are always allocated in the user's quota.
+ *
+ * The caller should call wait_for_key_construction() to wait for the
+ * completion of the returned key if it is still undergoing construction.
 */
 struct key *request_key_async_with_auxdata(struct key_type *type,
                                           const char *description,
diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c
index 86747151ee5b..68164031a74e 100644
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -1,4 +1,4 @@
-/* request_key_auth.c: request key authorisation controlling key def
+/* Request key authorisation token key definition.
 *
 * Copyright (C) 2005 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
@@ -26,7 +26,7 @@ static void request_key_auth_destroy(struct key *);
 static long request_key_auth_read(const struct key *, char __user *, size_t);
 /*
- * the request-key authorisation key type definition
+ * The request-key authorisation key type definition.
 */
 struct key_type key_type_request_key_auth = {
        .name           = ".request_key_auth",
@@ -38,9 +38,8 @@ struct key_type key_type_request_key_auth = {
        .read           = request_key_auth_read,
 };
-/*****************************************************************************/
 /*
- * instantiate a request-key authorisation key
+ * Instantiate a request-key authorisation key.
 */
 static int request_key_auth_instantiate(struct key *key,
                                        const void *data,
@@ -48,12 +47,10 @@ static int request_key_auth_instantiate(struct key *key,
 {
        key->payload.data = (struct request_key_auth *) data;
        return 0;
+}
-} /* end request_key_auth_instantiate() */
-/*****************************************************************************/
 /*
- * reading a request-key authorisation key retrieves the callout information
+ * Describe an authorisation token.
 */
 static void request_key_auth_describe(const struct key *key,
                                      struct seq_file *m)
@@ -63,12 +60,10 @@ static void request_key_auth_describe(const struct key *key,
        seq_puts(m, "key:");
        seq_puts(m, key->description);
        seq_printf(m, " pid:%d ci:%zu", rka->pid, rka->callout_len);
+}
-} /* end request_key_auth_describe() */
-/*****************************************************************************/
 /*
- * read the callout_info data
+ * Read the callout_info data (retrieves the callout information).
 * - the key's semaphore is read-locked
 */
 static long request_key_auth_read(const struct key *key,
@@ -91,13 +86,12 @@ static long request_key_auth_read(const struct key *key,
        }
        return ret;
+}
-} /* end request_key_auth_read() */
-/*****************************************************************************/
 /*
- * handle revocation of an authorisation token key
+ * Handle revocation of an authorisation token key.
- * - called with the key sem write-locked
+ *
+ * Called with the key sem write-locked.
 */
 static void request_key_auth_revoke(struct key *key)
 {
@@ -109,12 +103,10 @@ static void request_key_auth_revoke(struct key *key)
                put_cred(rka->cred);
                rka->cred = NULL;
        }
+}
-} /* end request_key_auth_revoke() */
-/*****************************************************************************/
 /*
- * destroy an instantiation authorisation token key
+ * Destroy an instantiation authorisation token key.
 */
 static void request_key_auth_destroy(struct key *key)
 {
@@ -131,13 +123,11 @@ static void request_key_auth_destroy(struct key *key)
        key_put(rka->dest_keyring);
        kfree(rka->callout_info);
        kfree(rka);
+}
-} /* end request_key_auth_destroy() */
-/*****************************************************************************/
 /*
- * create an authorisation token for /sbin/request-key or whoever to gain
+ * Create an authorisation token for /sbin/request-key or whoever to gain
- * access to the caller's security data
+ * access to the caller's security data.
 */
 struct key *request_key_auth_new(struct key *target, const void *callout_info,
                                 size_t callout_len, struct key *dest_keyring)
@@ -228,12 +218,10 @@ error_alloc:
        kfree(rka);
        kleave("= %d", ret);
        return ERR_PTR(ret);
+}
-} /* end request_key_auth_new() */
-/*****************************************************************************/
 /*
- * see if an authorisation key is associated with a particular key
+ * See if an authorisation key is associated with a particular key.
 */
 static int key_get_instantiation_authkey_match(const struct key *key,
                                               const void *_id)
@@ -242,16 +230,11 @@ static int key_get_instantiation_authkey_match(const struct key *key,
        key_serial_t id = (key_serial_t)(unsigned long) _id;
        return rka->target_key->serial == id;
+}
-} /* end key_get_instantiation_authkey_match() */
-/*****************************************************************************/
 /*
- * get the authorisation key for instantiation of a specific key if attached to
+ * Search the current process's keyrings for the authorisation key for
- * the current process's keyrings
+ * instantiation of a key.
- * - this key is inserted into a keyring and that is set as /sbin/request-key's
- *   session keyring
- * - a target_id of zero specifies any valid token
 */
 struct key *key_get_instantiation_authkey(key_serial_t target_id)
 {
@@ -278,5 +261,4 @@ struct key *key_get_instantiation_authkey(key_serial_t target_id)
 error:
        return authkey;
+}
-} /* end key_get_instantiation_authkey() */
diff --git a/security/keys/trusted_defined.c b/security/keys/trusted.c
index 975e9f29a52c..c99b9368368c 100644
--- a/security/keys/trusted_defined.c
+++ b/security/keys/trusted.c
@@ -29,7 +29,7 @@
 #include <linux/tpm.h>
 #include <linux/tpm_command.h>
-#include "trusted_defined.h"
+#include "trusted.h"
 static const char hmac_alg[] = "hmac(sha1)";
 static const char hash_alg[] = "sha1";
@@ -101,11 +101,13 @@ static int TSS_rawhmac(unsigned char *digest, const unsigned char *key,
                if (dlen == 0)
                        break;
                data = va_arg(argp, unsigned char *);
-                if (data == NULL)
+                if (data == NULL) {
-                        return -EINVAL;
+                        ret = -EINVAL;
+                        break;
+                }
                ret = crypto_shash_update(&sdesc->shash, data, dlen);
                if (ret < 0)
-                        goto out;
+                        break;
        }
        va_end(argp);
        if (!ret)
@@ -146,14 +148,17 @@ static int TSS_authhmac(unsigned char *digest, const unsigned char *key,
                if (dlen == 0)
                        break;
                data = va_arg(argp, unsigned char *);
-                ret = crypto_shash_update(&sdesc->shash, data, dlen);
+                if (!data) {
-                if (ret < 0) {
+                        ret = -EINVAL;
-                        va_end(argp);
+                        break;
-                        goto out;
                }
+                ret = crypto_shash_update(&sdesc->shash, data, dlen);
+                if (ret < 0)
+                        break;
        }
        va_end(argp);
-        ret = crypto_shash_final(&sdesc->shash, paramdigest);
+        if (!ret)
+                ret = crypto_shash_final(&sdesc->shash, paramdigest);
        if (!ret)
                ret = TSS_rawhmac(digest, key, keylen, SHA1_DIGEST_SIZE,
                                  paramdigest, TPM_NONCE_SIZE, h1,
@@ -222,13 +227,12 @@ static int TSS_checkhmac1(unsigned char *buffer,
                        break;
                dpos = va_arg(argp, unsigned int);
                ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen);
-                if (ret < 0) {
+                if (ret < 0)
-                        va_end(argp);
+                        break;
-                        goto out;
-                }
        }
        va_end(argp);
-        ret = crypto_shash_final(&sdesc->shash, paramdigest);
+        if (!ret)
+                ret = crypto_shash_final(&sdesc->shash, paramdigest);
        if (ret < 0)
                goto out;
@@ -316,13 +320,12 @@ static int TSS_checkhmac2(unsigned char *buffer,
                        break;
                dpos = va_arg(argp, unsigned int);
                ret = crypto_shash_update(&sdesc->shash, buffer + dpos, dlen);
-                if (ret < 0) {
+                if (ret < 0)
-                        va_end(argp);
+                        break;
-                        goto out;
-                }
        }
        va_end(argp);
-        ret = crypto_shash_final(&sdesc->shash, paramdigest);
+        if (!ret)
+                ret = crypto_shash_final(&sdesc->shash, paramdigest);
        if (ret < 0)
                goto out;
@@ -511,7 +514,7 @@ static int tpm_seal(struct tpm_buf *tb, uint16_t keytype,
        /* get session for sealing key */
        ret = osap(tb, &sess, keyauth, keytype, keyhandle);
        if (ret < 0)
-                return ret;
+                goto out;
        dump_sess(&sess);
        /* calculate encrypted authorization value */
@@ -519,11 +522,11 @@ static int tpm_seal(struct tpm_buf *tb, uint16_t keytype,
        memcpy(td->xorwork + SHA1_DIGEST_SIZE, sess.enonce, SHA1_DIGEST_SIZE);
        ret = TSS_sha1(td->xorwork, SHA1_DIGEST_SIZE * 2, td->xorhash);
        if (ret < 0)
-                return ret;
+                goto out;
        ret = tpm_get_random(tb, td->nonceodd, TPM_NONCE_SIZE);
        if (ret < 0)
-                return ret;
+                goto out;
        ordinal = htonl(TPM_ORD_SEAL);
        datsize = htonl(datalen);
        pcrsize = htonl(pcrinfosize);
@@ -552,7 +555,7 @@ static int tpm_seal(struct tpm_buf *tb, uint16_t keytype,
                                   &datsize, datalen, data, 0, 0);
        }
        if (ret < 0)
-                return ret;
+                goto out;
        /* build and send the TPM request packet */
        INIT_BUF(tb);
@@ -572,7 +575,7 @@ static int tpm_seal(struct tpm_buf *tb, uint16_t keytype,
        ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE);
        if (ret < 0)
-                return ret;
+                goto out;
        /* calculate the size of the returned Blob */
        sealinfosize = LOAD32(tb->data, TPM_DATA_OFFSET + sizeof(uint32_t));
@@ -591,6 +594,8 @@ static int tpm_seal(struct tpm_buf *tb, uint16_t keytype,
                memcpy(blob, tb->data + TPM_DATA_OFFSET, storedsize);
                *bloblen = storedsize;
        }
+out:
+        kfree(td);
        return ret;
 }
@@ -1027,6 +1032,7 @@ static int trusted_update(struct key *key, const void *data, size_t datalen)
        ret = datablob_parse(datablob, new_p, new_o);
        if (ret != Opt_update) {
                ret = -EINVAL;
+                kfree(new_p);
                goto out;
        }
        /* copy old key values, and reseal with new pcrs */
@@ -1070,8 +1076,7 @@ static long trusted_read(const struct key *key, char __user *buffer,
        char *bufp;
        int i;
-        p = rcu_dereference_protected(key->payload.data,
+        p = rcu_dereference_key(key);
-                        rwsem_is_locked(&((struct key *)key)->sem));
        if (!p)
                return -EINVAL;
        if (!buffer || buflen <= 0)
diff --git a/security/keys/trusted_defined.h b/security/keys/trusted.h
index 3249fbd2b653..3249fbd2b653 100644
--- a/security/keys/trusted_defined.h
+++ b/security/keys/trusted.h
diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
index e9aa07929656..c6ca8662a468 100644
--- a/security/keys/user_defined.c
+++ b/security/keys/user_defined.c
@@ -35,7 +35,6 @@ struct key_type key_type_user = {
 EXPORT_SYMBOL_GPL(key_type_user);
-/*****************************************************************************/
 /*
 * instantiate a user defined key
 */
@@ -65,12 +64,10 @@ int user_instantiate(struct key *key, const void *data, size_t datalen)
 error:
        return ret;
+}
-} /* end user_instantiate() */
 EXPORT_SYMBOL_GPL(user_instantiate);
-/*****************************************************************************/
 /*
 * dispose of the old data from an updated user defined key
 */
@@ -81,10 +78,8 @@ static void user_update_rcu_disposal(struct rcu_head *rcu)
        upayload = container_of(rcu, struct user_key_payload, rcu);
        kfree(upayload);
+}
-} /* end user_update_rcu_disposal() */
-/*****************************************************************************/
 /*
 * update a user defined key
 * - the key's semaphore is write-locked
@@ -123,24 +118,20 @@ int user_update(struct key *key, const void *data, size_t datalen)
 error:
        return ret;
+}
-} /* end user_update() */
 EXPORT_SYMBOL_GPL(user_update);
-/*****************************************************************************/
 /*
 * match users on their name
 */
 int user_match(const struct key *key, const void *description)
 {
        return strcmp(key->description, description) == 0;
+}
-} /* end user_match() */
 EXPORT_SYMBOL_GPL(user_match);
-/*****************************************************************************/
 /*
 * dispose of the links from a revoked keyring
 * - called with the key sem write-locked
@@ -156,12 +147,10 @@ void user_revoke(struct key *key)
                rcu_assign_pointer(key->payload.data, NULL);
                call_rcu(&upayload->rcu, user_update_rcu_disposal);
        }
+}
-} /* end user_revoke() */
 EXPORT_SYMBOL(user_revoke);
-/*****************************************************************************/
 /*
 * dispose of the data dangling from the corpse of a user key
 */
@@ -170,12 +159,10 @@ void user_destroy(struct key *key)
        struct user_key_payload *upayload = key->payload.data;
        kfree(upayload);
+}
-} /* end user_destroy() */
 EXPORT_SYMBOL_GPL(user_destroy);
-/*****************************************************************************/
 /*
 * describe the user key
 */
@@ -184,12 +171,10 @@ void user_describe(const struct key *key, struct seq_file *m)
        seq_puts(m, key->description);
        seq_printf(m, ": %u", key->datalen);
+}
-} /* end user_describe() */
 EXPORT_SYMBOL_GPL(user_describe);
-/*****************************************************************************/
 /*
 * read the key data
 * - the key's semaphore is read-locked
@@ -199,8 +184,7 @@ long user_read(const struct key *key, char __user *buffer, size_t buflen)
        struct user_key_payload *upayload;
        long ret;
-        upayload = rcu_dereference_protected(
+        upayload = rcu_dereference_key(key);
-                key->payload.data, rwsem_is_locked(&((struct key *)key)->sem));
        ret = upayload->datalen;
        /* we can return the data as is */
@@ -213,7 +197,6 @@ long user_read(const struct key *key, char __user *buffer, size_t buflen)
        }
        return ret;
+}
-} /* end user_read() */
 EXPORT_SYMBOL_GPL(user_read);
diff --git a/security/security.c b/security/security.c
index b84a89dd59c6..47b8a447118f 100644
--- a/security/security.c
+++ b/security/security.c
@@ -154,10 +154,9 @@ int security_capset(struct cred *new, const struct cred *old,
                                    effective, inheritable, permitted);
 }
-int security_capable(int cap)
+int security_capable(const struct cred *cred, int cap)
 {
-        return security_ops->capable(current, current_cred(), cap,
+        return security_ops->capable(current, cred, cap, SECURITY_CAP_AUDIT);
-                                     SECURITY_CAP_AUDIT);
 }
 int security_real_capable(struct task_struct *tsk, int cap)
@@ -182,11 +181,6 @@ int security_real_capable_noaudit(struct task_struct *tsk, int cap)
        return ret;
 }
-int security_sysctl(struct ctl_table *table, int op)
-{
-        return security_ops->sysctl(table, op);
-}
 int security_quotactl(int cmds, int type, int id, struct super_block *sb)
 {
        return security_ops->quotactl(cmds, type, id, sb);
@@ -272,6 +266,11 @@ int security_sb_copy_data(char *orig, char *copy)
 }
 EXPORT_SYMBOL(security_sb_copy_data);
+int security_sb_remount(struct super_block *sb, void *data)
+{
+        return security_ops->sb_remount(sb, data);
+}
 int security_sb_kern_mount(struct super_block *sb, int flags, void *data)
 {
        return security_ops->sb_kern_mount(sb, flags, data);
@@ -336,11 +335,13 @@ void security_inode_free(struct inode *inode)
 }
 int security_inode_init_security(struct inode *inode, struct inode *dir,
-                                  char **name, void **value, size_t *len)
+                                 const struct qstr *qstr, char **name,
+                                 void **value, size_t *len)
 {
        if (unlikely(IS_PRIVATE(inode)))
                return -EOPNOTSUPP;
-        return security_ops->inode_init_security(inode, dir, name, value, len);
+        return security_ops->inode_init_security(inode, dir, qstr, name, value,
+                                                 len);
 }
 EXPORT_SYMBOL(security_inode_init_security);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e276eb468536..d52a92507412 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -24,9 +24,11 @@
 */
 #include <linux/init.h>
+#include <linux/kd.h>
 #include <linux/kernel.h>
 #include <linux/tracehook.h>
 #include <linux/errno.h>
+#include <linux/ext2_fs.h>
 #include <linux/sched.h>
 #include <linux/security.h>
 #include <linux/xattr.h>
@@ -36,14 +38,15 @@
 #include <linux/mman.h>
 #include <linux/slab.h>
 #include <linux/pagemap.h>
+#include <linux/proc_fs.h>
 #include <linux/swap.h>
 #include <linux/spinlock.h>
 #include <linux/syscalls.h>
+#include <linux/dcache.h>
 #include <linux/file.h>
 #include <linux/fdtable.h>
 #include <linux/namei.h>
 #include <linux/mount.h>
-#include <linux/proc_fs.h>
 #include <linux/netfilter_ipv4.h>
 #include <linux/netfilter_ipv6.h>
 #include <linux/tty.h>
@@ -70,7 +73,6 @@
 #include <net/ipv6.h>
 #include <linux/hugetlb.h>
 #include <linux/personality.h>
-#include <linux/sysctl.h>
 #include <linux/audit.h>
 #include <linux/string.h>
 #include <linux/selinux.h>
@@ -1120,39 +1122,35 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
 }
 #ifdef CONFIG_PROC_FS
-static int selinux_proc_get_sid(struct proc_dir_entry *de,
+static int selinux_proc_get_sid(struct dentry *dentry,
                                u16 tclass,
                                u32 *sid)
 {
-        int buflen, rc;
+        int rc;
-        char *buffer, *path, *end;
+        char *buffer, *path;
        buffer = (char *)__get_free_page(GFP_KERNEL);
        if (!buffer)
                return -ENOMEM;
-        buflen = PAGE_SIZE;
+        path = dentry_path_raw(dentry, buffer, PAGE_SIZE);
-        end = buffer+buflen;
+        if (IS_ERR(path))
-        *--end = '\0';
+                rc = PTR_ERR(path);
-        buflen--;
+        else {
-        path = end-1;
+                /* each process gets a /proc/PID/ entry. Strip off the
-        *path = '/';
+                 * PID part to get a valid selinux labeling.
-        while (de && de != de->parent) {
+                 * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
-                buflen -= de->namelen + 1;
+                while (path[1] >= '0' && path[1] <= '9') {
-                if (buflen < 0)
+                        path[1] = '/';
-                        break;
+                        path++;
-                end -= de->namelen;
+                }
-                memcpy(end, de->name, de->namelen);
+                rc = security_genfs_sid("proc", path, tclass, sid);
-                *--end = '/';
-                path = end;
-                de = de->parent;
        }
-        rc = security_genfs_sid("proc", path, tclass, sid);
        free_page((unsigned long)buffer);
        return rc;
 }
 #else
-static int selinux_proc_get_sid(struct proc_dir_entry *de,
+static int selinux_proc_get_sid(struct dentry *dentry,
                                u16 tclass,
                                u32 *sid)
 {
@@ -1300,10 +1298,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
                /* Try to obtain a transition SID. */
                isec->sclass = inode_mode_to_security_class(inode->i_mode);
-                rc = security_transition_sid(isec->task_sid,
+                rc = security_transition_sid(isec->task_sid, sbsec->sid,
-                                             sbsec->sid,
+                                             isec->sclass, NULL, &sid);
-                                             isec->sclass,
-                                             &sid);
                if (rc)
                        goto out_unlock;
                isec->sid = sid;
@@ -1316,10 +1312,9 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
                isec->sid = sbsec->sid;
                if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
-                        struct proc_inode *proci = PROC_I(inode);
+                        if (opt_dentry) {
-                        if (proci->pde) {
                                isec->sclass = inode_mode_to_security_class(inode->i_mode);
-                                rc = selinux_proc_get_sid(proci->pde,
+                                rc = selinux_proc_get_sid(opt_dentry,
                                                          isec->sclass,
                                                          &sid);
                                if (rc)
@@ -1578,7 +1573,7 @@ static int may_create(struct inode *dir,
                return rc;
        if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
-                rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
+                rc = security_transition_sid(sid, dsec->sid, tclass, NULL, &newsid);
                if (rc)
                        return rc;
        }
@@ -1862,82 +1857,6 @@ static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
        return task_has_capability(tsk, cred, cap, audit);
 }
-static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
-{
-        int buflen, rc;
-        char *buffer, *path, *end;
-        rc = -ENOMEM;
-        buffer = (char *)__get_free_page(GFP_KERNEL);
-        if (!buffer)
-                goto out;
-        buflen = PAGE_SIZE;
-        end = buffer+buflen;
-        *--end = '\0';
-        buflen--;
-        path = end-1;
-        *path = '/';
-        while (table) {
-                const char *name = table->procname;
-                size_t namelen = strlen(name);
-                buflen -= namelen + 1;
-                if (buflen < 0)
-                        goto out_free;
-                end -= namelen;
-                memcpy(end, name, namelen);
-                *--end = '/';
-                path = end;
-                table = table->parent;
-        }
-        buflen -= 4;
-        if (buflen < 0)
-                goto out_free;
-        end -= 4;
-        memcpy(end, "/sys", 4);
-        path = end;
-        rc = security_genfs_sid("proc", path, tclass, sid);
-out_free:
-        free_page((unsigned long)buffer);
-out:
-        return rc;
-}
-static int selinux_sysctl(ctl_table *table, int op)
-{
-        int error = 0;
-        u32 av;
-        u32 tsid, sid;
-        int rc;
-        sid = current_sid();
-        rc = selinux_sysctl_get_sid(table, (op == 0001) ?
-                                    SECCLASS_DIR : SECCLASS_FILE, &tsid);
-        if (rc) {
-                /* Default to the well-defined sysctl SID. */
-                tsid = SECINITSID_SYSCTL;
-        }
-        /* The op values are "defined" in sysctl.c, thereby creating
-         * a bad coupling between this module and sysctl.c */
-        if (op == 001) {
-                error = avc_has_perm(sid, tsid,
-                                     SECCLASS_DIR, DIR__SEARCH, NULL);
-        } else {
-                av = 0;
-                if (op & 004)
-                        av |= FILE__READ;
-                if (op & 002)
-                        av |= FILE__WRITE;
-                if (av)
-                        error = avc_has_perm(sid, tsid,
-                                             SECCLASS_FILE, av, NULL);
-        }
-        return error;
-}
 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
 {
        const struct cred *cred = current_cred();
@@ -2060,7 +1979,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
        } else {
                /* Check for a default transition on this program. */
                rc = security_transition_sid(old_tsec->sid, isec->sid,
-                                             SECCLASS_PROCESS, &new_tsec->sid);
+                                             SECCLASS_PROCESS, NULL,
+                                             &new_tsec->sid);
                if (rc)
                        return rc;
        }
@@ -2443,6 +2363,91 @@ out:
        return rc;
 }
+static int selinux_sb_remount(struct super_block *sb, void *data)
+{
+        int rc, i, *flags;
+        struct security_mnt_opts opts;
+        char *secdata, **mount_options;
+        struct superblock_security_struct *sbsec = sb->s_security;
+        if (!(sbsec->flags & SE_SBINITIALIZED))
+                return 0;
+        if (!data)
+                return 0;
+        if (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
+                return 0;
+        security_init_mnt_opts(&opts);
+        secdata = alloc_secdata();
+        if (!secdata)
+                return -ENOMEM;
+        rc = selinux_sb_copy_data(data, secdata);
+        if (rc)
+                goto out_free_secdata;
+        rc = selinux_parse_opts_str(secdata, &opts);
+        if (rc)
+                goto out_free_secdata;
+        mount_options = opts.mnt_opts;
+        flags = opts.mnt_opts_flags;
+        for (i = 0; i < opts.num_mnt_opts; i++) {
+                u32 sid;
+                size_t len;
+                if (flags[i] == SE_SBLABELSUPP)
+                        continue;
+                len = strlen(mount_options[i]);
+                rc = security_context_to_sid(mount_options[i], len, &sid);
+                if (rc) {
+                        printk(KERN_WARNING "SELinux: security_context_to_sid"
+                               "(%s) failed for (dev %s, type %s) errno=%d\n",
+                               mount_options[i], sb->s_id, sb->s_type->name, rc);
+                        goto out_free_opts;
+                }
+                rc = -EINVAL;
+                switch (flags[i]) {
+                case FSCONTEXT_MNT:
+                        if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
+                                goto out_bad_option;
+                        break;
+                case CONTEXT_MNT:
+                        if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
+                                goto out_bad_option;
+                        break;
+                case ROOTCONTEXT_MNT: {
+                        struct inode_security_struct *root_isec;
+                        root_isec = sb->s_root->d_inode->i_security;
+                        if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
+                                goto out_bad_option;
+                        break;
+                }
+                case DEFCONTEXT_MNT:
+                        if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
+                                goto out_bad_option;
+                        break;
+                default:
+                        goto out_free_opts;
+                }
+        }
+        rc = 0;
+out_free_opts:
+        security_free_mnt_opts(&opts);
+out_free_secdata:
+        free_secdata(secdata);
+        return rc;
+out_bad_option:
+        printk(KERN_WARNING "SELinux: unable to change security options "
+               "during remount (dev %s, type=%s)\n", sb->s_id,
+               sb->s_type->name);
+        goto out_free_opts;
+}
 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
 {
        const struct cred *cred = current_cred();
@@ -2509,8 +2514,8 @@ static void selinux_inode_free_security(struct inode *inode)
 }
 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
-                                       char **name, void **value,
+                                       const struct qstr *qstr, char **name,
-                                       size_t *len)
+                                       void **value, size_t *len)
 {
        const struct task_security_struct *tsec = current_security();
        struct inode_security_struct *dsec;
@@ -2531,7 +2536,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
        else if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) {
                rc = security_transition_sid(sid, dsec->sid,
                                             inode_mode_to_security_class(inode->i_mode),
-                                             &newsid);
+                                             qstr, &newsid);
                if (rc) {
                        printk(KERN_WARNING "%s:  "
                               "security_transition_sid failed, rc=%d (dev=%s "
@@ -2932,16 +2937,47 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
                              unsigned long arg)
 {
        const struct cred *cred = current_cred();
-        u32 av = 0;
+        int error = 0;
-        if (_IOC_DIR(cmd) & _IOC_WRITE)
+        switch (cmd) {
-                av |= FILE__WRITE;
+        case FIONREAD:
-        if (_IOC_DIR(cmd) & _IOC_READ)
+        /* fall through */
-                av |= FILE__READ;
+        case FIBMAP:
-        if (!av)
+        /* fall through */
-                av = FILE__IOCTL;
+        case FIGETBSZ:
+        /* fall through */
+        case EXT2_IOC_GETFLAGS:
+        /* fall through */
+        case EXT2_IOC_GETVERSION:
+                error = file_has_perm(cred, file, FILE__GETATTR);
+                break;
+        case EXT2_IOC_SETFLAGS:
+        /* fall through */
+        case EXT2_IOC_SETVERSION:
+                error = file_has_perm(cred, file, FILE__SETATTR);
+                break;
+        /* sys_ioctl() checks */
+        case FIONBIO:
+        /* fall through */
+        case FIOASYNC:
+                error = file_has_perm(cred, file, 0);
+                break;
+        case KDSKBENT:
+        case KDSKBSENT:
+                error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG,
+                                            SECURITY_CAP_AUDIT);
+                break;
-        return file_has_perm(cred, file, av);
+        /* default case assumes that the command will go
+         * to the file's ioctl() function.
+         */
+        default:
+                error = file_has_perm(cred, file, FILE__IOCTL);
+        }
+        return error;
 }
 static int default_noexec;
@@ -3198,7 +3234,11 @@ static void selinux_cred_free(struct cred *cred)
 {
        struct task_security_struct *tsec = cred->security;
-        BUG_ON((unsigned long) cred->security < PAGE_SIZE);
+        /*
+         * cred->security == NULL if security_cred_alloc_blank() or
+         * security_prepare_creds() returned an error.
+         */
+        BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
        cred->security = (void *) 0x7UL;
        kfree(tsec);
 }
@@ -3640,9 +3680,16 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
 /* socket security operations */
-static u32 socket_sockcreate_sid(const struct task_security_struct *tsec)
+static int socket_sockcreate_sid(const struct task_security_struct *tsec,
+                                 u16 secclass, u32 *socksid)
 {
-        return tsec->sockcreate_sid ? : tsec->sid;
+        if (tsec->sockcreate_sid > SECSID_NULL) {
+                *socksid = tsec->sockcreate_sid;
+                return 0;
+        }
+        return security_transition_sid(tsec->sid, tsec->sid, secclass, NULL,
+                                       socksid);
 }
 static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
@@ -3666,12 +3713,16 @@ static int selinux_socket_create(int family, int type,
        const struct task_security_struct *tsec = current_security();
        u32 newsid;
        u16 secclass;
+        int rc;
        if (kern)
                return 0;
-        newsid = socket_sockcreate_sid(tsec);
        secclass = socket_type_to_security_class(family, type, protocol);
+        rc = socket_sockcreate_sid(tsec, secclass, &newsid);
+        if (rc)
+                return rc;
        return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
 }
@@ -3683,12 +3734,16 @@ static int selinux_socket_post_create(struct socket *sock, int family,
        struct sk_security_struct *sksec;
        int err = 0;
+        isec->sclass = socket_type_to_security_class(family, type, protocol);
        if (kern)
                isec->sid = SECINITSID_KERNEL;
-        else
+        else {
-                isec->sid = socket_sockcreate_sid(tsec);
+                err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid));
+                if (err)
+                        return err;
+        }
-        isec->sclass = socket_type_to_security_class(family, type, protocol);
        isec->initialized = 1;
        if (sock->sk) {
@@ -3998,7 +4053,6 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
 {
        int err = 0;
        struct sk_security_struct *sksec = sk->sk_security;
-        u32 peer_sid;
        u32 sk_sid = sksec->sid;
        struct common_audit_data ad;
        char *addrp;
@@ -4017,20 +4071,10 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
                        return err;
        }
-        if (selinux_policycap_netpeer) {
+        err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
-                err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
+        if (err)
-                if (err)
+                return err;
-                        return err;
+        err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
-                err = avc_has_perm(sk_sid, peer_sid,
-                                   SECCLASS_PEER, PEER__RECV, &ad);
-                if (err)
-                        selinux_netlbl_err(skb, err, 0);
-        } else {
-                err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
-                if (err)
-                        return err;
-                err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
-        }
        return err;
 }
@@ -4525,9 +4569,8 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
                                 SECCLASS_PACKET, PACKET__SEND, &ad))
                        return NF_DROP_ERR(-ECONNREFUSED);
-        if (selinux_policycap_netpeer)
+        if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
-                if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
+                return NF_DROP_ERR(-ECONNREFUSED);
-                        return NF_DROP_ERR(-ECONNREFUSED);
        return NF_ACCEPT;
 }
@@ -4570,27 +4613,14 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
         * from the sending socket, otherwise use the kernel's sid */
        sk = skb->sk;
        if (sk == NULL) {
-                switch (family) {
+                if (skb->skb_iif) {
-                case PF_INET:
+                        secmark_perm = PACKET__FORWARD_OUT;
-                        if (IPCB(skb)->flags & IPSKB_FORWARDED)
-                                secmark_perm = PACKET__FORWARD_OUT;
-                        else
-                                secmark_perm = PACKET__SEND;
-                        break;
-                case PF_INET6:
-                        if (IP6CB(skb)->flags & IP6SKB_FORWARDED)
-                                secmark_perm = PACKET__FORWARD_OUT;
-                        else
-                                secmark_perm = PACKET__SEND;
-                        break;
-                default:
-                        return NF_DROP_ERR(-ECONNREFUSED);
-                }
-                if (secmark_perm == PACKET__FORWARD_OUT) {
                        if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
                                return NF_DROP;
-                } else
+                } else {
+                        secmark_perm = PACKET__SEND;
                        peer_sid = SECINITSID_KERNEL;
+                }
        } else {
                struct sk_security_struct *sksec = sk->sk_security;
                peer_sid = sksec->sid;
@@ -4844,7 +4874,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
                 * message queue this message will be stored in
                 */
                rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
-                                             &msec->sid);
+                                             NULL, &msec->sid);
                if (rc)
                        return rc;
        }
@@ -5398,7 +5428,6 @@ static struct security_operations selinux_ops = {
        .ptrace_traceme =               selinux_ptrace_traceme,
        .capget =                       selinux_capget,
        .capset =                       selinux_capset,
-        .sysctl =                       selinux_sysctl,
        .capable =                      selinux_capable,
        .quotactl =                     selinux_quotactl,
        .quota_on =                     selinux_quota_on,
@@ -5416,6 +5445,7 @@ static struct security_operations selinux_ops = {
        .sb_alloc_security =            selinux_sb_alloc_security,
        .sb_free_security =             selinux_sb_free_security,
        .sb_copy_data =                 selinux_sb_copy_data,
+        .sb_remount =                   selinux_sb_remount,
        .sb_kern_mount =                selinux_sb_kern_mount,
        .sb_show_options =              selinux_sb_show_options,
        .sb_statfs =                    selinux_sb_statfs,
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index e94e82f73818..5615081b73ec 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -15,7 +15,6 @@
 #include <linux/audit.h>
 #include <linux/lsm_audit.h>
 #include <linux/in6.h>
-#include <linux/path.h>
 #include <asm/system.h>
 #include "flask.h"
 #include "av_permissions.h"
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 7ed3663332ec..b8c53723e09b 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -12,6 +12,10 @@
 #define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
            "write", "associate", "unix_read", "unix_write"
+/*
+ * Note: The name for any socket class should be suffixed by "socket",
+ *       and doesn't contain more than one substr of "socket".
+ */
 struct security_class_mapping secclass_map[] = {
        { "security",
          { "compute_av", "compute_create", "compute_member",
@@ -132,8 +136,7 @@ struct security_class_mapping secclass_map[] = {
        { "appletalk_socket",
          { COMMON_SOCK_PERMS, NULL } },
        { "packet",
-          { "send", "recv", "relabelto", "flow_in", "flow_out",
+          { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } },
-            "forward_in", "forward_out", NULL } },
        { "key",
          { "view", "read", "write", "search", "link", "setattr", "create",
            NULL } },
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 671273eb1115..348eb00cb668 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -8,6 +8,7 @@
 #ifndef _SELINUX_SECURITY_H_
 #define _SELINUX_SECURITY_H_
+#include <linux/dcache.h>
 #include <linux/magic.h>
 #include <linux/types.h>
 #include "flask.h"
@@ -28,13 +29,14 @@
 #define POLICYDB_VERSION_POLCAP         22
 #define POLICYDB_VERSION_PERMISSIVE     23
 #define POLICYDB_VERSION_BOUNDARY       24
+#define POLICYDB_VERSION_FILENAME_TRANS 25
 /* Range of policy versions we understand*/
 #define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
 #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
 #define POLICYDB_VERSION_MAX    CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
 #else
-#define POLICYDB_VERSION_MAX    POLICYDB_VERSION_BOUNDARY
+#define POLICYDB_VERSION_MAX    POLICYDB_VERSION_FILENAME_TRANS
 #endif
 /* Mask for just the mount related flags */
@@ -106,8 +108,8 @@ void security_compute_av(u32 ssid, u32 tsid,
 void security_compute_av_user(u32 ssid, u32 tsid,
                             u16 tclass, struct av_decision *avd);
-int security_transition_sid(u32 ssid, u32 tsid,
+int security_transition_sid(u32 ssid, u32 tsid, u16 tclass,
-                            u16 tclass, u32 *out_sid);
+                            const struct qstr *qstr, u32 *out_sid);
 int security_transition_sid_user(u32 ssid, u32 tsid,
                                 u16 tclass, u32 *out_sid);
diff --git a/security/selinux/ss/avtab.h b/security/selinux/ss/avtab.h
index 3417f9cc1cbd..63ce2f9e441d 100644
--- a/security/selinux/ss/avtab.h
+++ b/security/selinux/ss/avtab.h
@@ -14,7 +14,7 @@
 *
 * Copyright (C) 2003 Tresys Technology, LLC
 *      This program is free software; you can redistribute it and/or modify
- *      it under the terms of the GNU General Public License as published by
+ *      it under the terms of the GNU General Public License as published by
 *      the Free Software Foundation, version 2.
 *
 * Updated: Yuichi Nakamura <ynakam@hitachisoft.jp>
@@ -27,16 +27,16 @@ struct avtab_key {
        u16 source_type;        /* source type */
        u16 target_type;        /* target type */
        u16 target_class;       /* target object class */
-#define AVTAB_ALLOWED     1
+#define AVTAB_ALLOWED           0x0001
-#define AVTAB_AUDITALLOW  2
+#define AVTAB_AUDITALLOW        0x0002
-#define AVTAB_AUDITDENY   4
+#define AVTAB_AUDITDENY         0x0004
-#define AVTAB_AV         (AVTAB_ALLOWED | AVTAB_AUDITALLOW | AVTAB_AUDITDENY)
+#define AVTAB_AV                (AVTAB_ALLOWED | AVTAB_AUDITALLOW | AVTAB_AUDITDENY)
-#define AVTAB_TRANSITION 16
+#define AVTAB_TRANSITION        0x0010
-#define AVTAB_MEMBER     32
+#define AVTAB_MEMBER            0x0020
-#define AVTAB_CHANGE     64
+#define AVTAB_CHANGE            0x0040
-#define AVTAB_TYPE       (AVTAB_TRANSITION | AVTAB_MEMBER | AVTAB_CHANGE)
+#define AVTAB_TYPE              (AVTAB_TRANSITION | AVTAB_MEMBER | AVTAB_CHANGE)
-#define AVTAB_ENABLED_OLD    0x80000000 /* reserved for used in cond_avtab */
+#define AVTAB_ENABLED_OLD   0x80000000 /* reserved for used in cond_avtab */
-#define AVTAB_ENABLED    0x8000 /* reserved for used in cond_avtab */
+#define AVTAB_ENABLED           0x8000 /* reserved for used in cond_avtab */
        u16 specified;  /* what field is specified */
 };
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index c3f845cbcd48..a53373207fb4 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -178,7 +178,7 @@ int cond_init_bool_indexes(struct policydb *p)
        p->bool_val_to_struct = (struct cond_bool_datum **)
                kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum *), GFP_KERNEL);
        if (!p->bool_val_to_struct)
-                return -1;
+                return -ENOMEM;
        return 0;
 }
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index 1ef8e4e89880..e96174216bc9 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -512,7 +512,8 @@ int mls_compute_sid(struct context *scontext,
                    struct context *tcontext,
                    u16 tclass,
                    u32 specified,
-                    struct context *newcontext)
+                    struct context *newcontext,
+                    bool sock)
 {
        struct range_trans rtr;
        struct mls_range *r;
@@ -531,7 +532,7 @@ int mls_compute_sid(struct context *scontext,
                        return mls_range_set(newcontext, r);
                /* Fallthrough */
        case AVTAB_CHANGE:
-                if (tclass == policydb.process_class)
+                if ((tclass == policydb.process_class) || (sock == true))
                        /* Use the process MLS attributes. */
                        return mls_context_cpy(newcontext, scontext);
                else
diff --git a/security/selinux/ss/mls.h b/security/selinux/ss/mls.h
index cd9152632e54..037bf9d82d41 100644
--- a/security/selinux/ss/mls.h
+++ b/security/selinux/ss/mls.h
@@ -49,7 +49,8 @@ int mls_compute_sid(struct context *scontext,
                    struct context *tcontext,
                    u16 tclass,
                    u32 specified,
-                    struct context *newcontext);
+                    struct context *newcontext,
+                    bool sock);
 int mls_setup_user_range(struct context *fromcon, struct user_datum *user,
                         struct context *usercon);
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index be9de3872837..e7b850ad57ee 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -123,6 +123,11 @@ static struct policydb_compat_info policydb_compat[] = {
                .sym_num        = SYM_NUM,
                .ocon_num       = OCON_NUM,
        },
+        {
+                .version        = POLICYDB_VERSION_FILENAME_TRANS,
+                .sym_num        = SYM_NUM,
+                .ocon_num       = OCON_NUM,
+        },
 };
 static struct policydb_compat_info *policydb_lookup_compat(int version)
@@ -501,8 +506,8 @@ static int policydb_index(struct policydb *p)
        if (rc)
                goto out;
-        rc = -ENOMEM;
+        rc = cond_init_bool_indexes(p);
-        if (cond_init_bool_indexes(p))
+        if (rc)
                goto out;
        for (i = 0; i < SYM_NUM; i++) {
@@ -704,6 +709,7 @@ void policydb_destroy(struct policydb *p)
        int i;
        struct role_allow *ra, *lra = NULL;
        struct role_trans *tr, *ltr = NULL;
+        struct filename_trans *ft, *nft;
        for (i = 0; i < SYM_NUM; i++) {
                cond_resched();
@@ -781,6 +787,15 @@ void policydb_destroy(struct policydb *p)
                }
                flex_array_free(p->type_attr_map_array);
        }
+        ft = p->filename_trans;
+        while (ft) {
+                nft = ft->next;
+                kfree(ft->name);
+                kfree(ft);
+                ft = nft;
+        }
        ebitmap_destroy(&p->policycaps);
        ebitmap_destroy(&p->permissive_map);
@@ -1788,6 +1803,76 @@ out:
        return rc;
 }
+static int filename_trans_read(struct policydb *p, void *fp)
+{
+        struct filename_trans *ft, *last;
+        u32 nel, len;
+        char *name;
+        __le32 buf[4];
+        int rc, i;
+        if (p->policyvers < POLICYDB_VERSION_FILENAME_TRANS)
+                return 0;
+        rc = next_entry(buf, fp, sizeof(u32));
+        if (rc)
+                goto out;
+        nel = le32_to_cpu(buf[0]);
+        printk(KERN_ERR "%s: nel=%d\n", __func__, nel);
+        last = p->filename_trans;
+        while (last && last->next)
+                last = last->next;
+        for (i = 0; i < nel; i++) {
+                rc = -ENOMEM;
+                ft = kzalloc(sizeof(*ft), GFP_KERNEL);
+                if (!ft)
+                        goto out;
+                /* add it to the tail of the list */
+                if (!last)
+                        p->filename_trans = ft;
+                else
+                        last->next = ft;
+                last = ft;
+                /* length of the path component string */
+                rc = next_entry(buf, fp, sizeof(u32));
+                if (rc)
+                        goto out;
+                len = le32_to_cpu(buf[0]);
+                rc = -ENOMEM;
+                name = kmalloc(len + 1, GFP_KERNEL);
+                if (!name)
+                        goto out;
+                ft->name = name;
+                /* path component string */
+                rc = next_entry(name, fp, len);
+                if (rc)
+                        goto out;
+                name[len] = 0;
+                printk(KERN_ERR "%s: ft=%p ft->name=%p ft->name=%s\n", __func__, ft, ft->name, ft->name);
+                rc = next_entry(buf, fp, sizeof(u32) * 4);
+                if (rc)
+                        goto out;
+                ft->stype = le32_to_cpu(buf[0]);
+                ft->ttype = le32_to_cpu(buf[1]);
+                ft->tclass = le32_to_cpu(buf[2]);
+                ft->otype = le32_to_cpu(buf[3]);
+        }
+        rc = 0;
+out:
+        return rc;
+}
 static int genfs_read(struct policydb *p, void *fp)
 {
        int i, j, rc;
@@ -2251,6 +2336,10 @@ int policydb_read(struct policydb *p, void *fp)
                lra = ra;
        }
+        rc = filename_trans_read(p, fp);
+        if (rc)
+                goto bad;
        rc = policydb_index(p);
        if (rc)
                goto bad;
@@ -3025,6 +3114,43 @@ static int range_write(struct policydb *p, void *fp)
        return 0;
 }
+static int filename_trans_write(struct policydb *p, void *fp)
+{
+        struct filename_trans *ft;
+        u32 len, nel = 0;
+        __le32 buf[4];
+        int rc;
+        for (ft = p->filename_trans; ft; ft = ft->next)
+                nel++;
+        buf[0] = cpu_to_le32(nel);
+        rc = put_entry(buf, sizeof(u32), 1, fp);
+        if (rc)
+                return rc;
+        for (ft = p->filename_trans; ft; ft = ft->next) {
+                len = strlen(ft->name);
+                buf[0] = cpu_to_le32(len);
+                rc = put_entry(buf, sizeof(u32), 1, fp);
+                if (rc)
+                        return rc;
+                rc = put_entry(ft->name, sizeof(char), len, fp);
+                if (rc)
+                        return rc;
+                buf[0] = ft->stype;
+                buf[1] = ft->ttype;
+                buf[2] = ft->tclass;
+                buf[3] = ft->otype;
+                rc = put_entry(buf, sizeof(u32), 4, fp);
+                if (rc)
+                        return rc;
+        }
+        return 0;
+}
 /*
 * Write the configuration data in a policy database
 * structure to a policy database binary representation
@@ -3135,6 +3261,10 @@ int policydb_write(struct policydb *p, void *fp)
        if (rc)
                return rc;
+        rc = filename_trans_write(p, fp);
+        if (rc)
+                return rc;
        rc = ocontext_write(p, info, fp);
        if (rc)
                return rc;
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
index 4e3ab9d0b315..732ea4a68682 100644
--- a/security/selinux/ss/policydb.h
+++ b/security/selinux/ss/policydb.h
@@ -77,6 +77,15 @@ struct role_trans {
        struct role_trans *next;
 };
+struct filename_trans {
+        struct filename_trans *next;
+        u32 stype;              /* current process */
+        u32 ttype;              /* parent dir context */
+        u16 tclass;             /* class of new object */
+        const char *name;       /* last path component */
+        u32 otype;              /* expected of new object */
+};
 struct role_allow {
        u32 role;               /* current role */
        u32 new_role;           /* new role */
@@ -217,6 +226,9 @@ struct policydb {
        /* role transitions */
        struct role_trans *role_tr;
+        /* file transitions with the last path component */
+        struct filename_trans *filename_trans;
        /* bools indexed by (value - 1) */
        struct cond_bool_datum **bool_val_to_struct;
        /* type enforcement conditional access vectors and transitions */
@@ -302,7 +314,7 @@ static inline int next_entry(void *buf, struct policy_file *fp, size_t bytes)
        return 0;
 }
-static inline int put_entry(void *buf, size_t bytes, int num, struct policy_file *fp)
+static inline int put_entry(const void *buf, size_t bytes, int num, struct policy_file *fp)
 {
        size_t len = bytes * num;
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index a03cfaf0ee07..3e7544d2a07b 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -201,6 +201,21 @@ static u16 unmap_class(u16 tclass)
        return tclass;
 }
+/*
+ * Get kernel value for class from its policy value
+ */
+static u16 map_class(u16 pol_value)
+{
+        u16 i;
+        for (i = 1; i < current_mapping_size; i++) {
+                if (current_mapping[i].value == pol_value)
+                        return i;
+        }
+        return pol_value;
+}
 static void map_decision(u16 tclass, struct av_decision *avd,
                         int allow_unknown)
 {
@@ -1343,10 +1358,27 @@ out:
        return -EACCES;
 }
+static void filename_compute_type(struct policydb *p, struct context *newcontext,
+                                  u32 scon, u32 tcon, u16 tclass,
+                                  const struct qstr *qstr)
+{
+        struct filename_trans *ft;
+        for (ft = p->filename_trans; ft; ft = ft->next) {
+                if (ft->stype == scon &&
+                    ft->ttype == tcon &&
+                    ft->tclass == tclass &&
+                    !strcmp(ft->name, qstr->name)) {
+                        newcontext->type = ft->otype;
+                        return;
+                }
+        }
+}
 static int security_compute_sid(u32 ssid,
                                u32 tsid,
                                u16 orig_tclass,
                                u32 specified,
+                                const struct qstr *qstr,
                                u32 *out_sid,
                                bool kern)
 {
@@ -1357,6 +1389,7 @@ static int security_compute_sid(u32 ssid,
        struct avtab_node *node;
        u16 tclass;
        int rc = 0;
+        bool sock;
        if (!ss_initialized) {
                switch (orig_tclass) {
@@ -1374,10 +1407,13 @@ static int security_compute_sid(u32 ssid,
        read_lock(&policy_rwlock);
-        if (kern)
+        if (kern) {
                tclass = unmap_class(orig_tclass);
-        else
+                sock = security_is_socket_class(orig_tclass);
+        } else {
                tclass = orig_tclass;
+                sock = security_is_socket_class(map_class(tclass));
+        }
        scontext = sidtab_search(&sidtab, ssid);
        if (!scontext) {
@@ -1408,7 +1444,7 @@ static int security_compute_sid(u32 ssid,
        }
        /* Set the role and type to default values. */
-        if (tclass == policydb.process_class) {
+        if ((tclass == policydb.process_class) || (sock == true)) {
                /* Use the current role and type of process. */
                newcontext.role = scontext->role;
                newcontext.type = scontext->type;
@@ -1442,6 +1478,11 @@ static int security_compute_sid(u32 ssid,
                newcontext.type = avdatum->data;
        }
+        /* if we have a qstr this is a file trans check so check those rules */
+        if (qstr)
+                filename_compute_type(&policydb, &newcontext, scontext->type,
+                                      tcontext->type, tclass, qstr);
        /* Check for class-specific changes. */
        if  (tclass == policydb.process_class) {
                if (specified & AVTAB_TRANSITION) {
@@ -1460,7 +1501,8 @@ static int security_compute_sid(u32 ssid,
        /* Set the MLS attributes.
           This is done last because it may allocate memory. */
-        rc = mls_compute_sid(scontext, tcontext, tclass, specified, &newcontext);
+        rc = mls_compute_sid(scontext, tcontext, tclass, specified,
+                             &newcontext, sock);
        if (rc)
                goto out_unlock;
@@ -1495,22 +1537,17 @@ out:
 * if insufficient memory is available, or %0 if the new SID was
 * computed successfully.
 */
-int security_transition_sid(u32 ssid,
+int security_transition_sid(u32 ssid, u32 tsid, u16 tclass,
-                            u32 tsid,
+                            const struct qstr *qstr, u32 *out_sid)
-                            u16 tclass,
-                            u32 *out_sid)
 {
        return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
-                                    out_sid, true);
+                                    qstr, out_sid, true);
 }
-int security_transition_sid_user(u32 ssid,
+int security_transition_sid_user(u32 ssid, u32 tsid, u16 tclass, u32 *out_sid)
-                                 u32 tsid,
-                                 u16 tclass,
-                                 u32 *out_sid)
 {
        return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
-                                    out_sid, false);
+                                    NULL, out_sid, false);
 }
 /**
@@ -1531,8 +1568,8 @@ int security_member_sid(u32 ssid,
                        u16 tclass,
                        u32 *out_sid)
 {
-        return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid,
+        return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, NULL,
-                                    false);
+                                    out_sid, false);
 }
 /**
@@ -1553,8 +1590,8 @@ int security_change_sid(u32 ssid,
                        u16 tclass,
                        u32 *out_sid)
 {
-        return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid,
+        return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, NULL,
-                                    false);
+                                    out_sid, false);
 }
 /* Clone the SID into the new SID table. */
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index fff78d3b51a2..728c57e3d65d 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -208,7 +208,7 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp,
        if (!uctx)
                goto not_from_user;
-        if (uctx->ctx_doi != XFRM_SC_ALG_SELINUX)
+        if (uctx->ctx_alg != XFRM_SC_ALG_SELINUX)
                return -EINVAL;
        str_len = uctx->ctx_len;
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 5ab3f39442f2..23c7a6d0c80c 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -33,6 +33,7 @@
 #include <net/cipso_ipv4.h>
 #include <linux/audit.h>
 #include <linux/magic.h>
+#include <linux/dcache.h>
 #include "smack.h"
 #define task_security(task)     (task_cred_xxx((task), security))
@@ -501,6 +502,7 @@ static void smack_inode_free_security(struct inode *inode)
 * smack_inode_init_security - copy out the smack from an inode
 * @inode: the inode
 * @dir: unused
+ * @qstr: unused
 * @name: where to put the attribute name
 * @value: where to put the attribute value
 * @len: where to put the length of the attribute
@@ -508,7 +510,8 @@ static void smack_inode_free_security(struct inode *inode)
 * Returns 0 if it all works out, -ENOMEM if there's no memory
 */
 static int smack_inode_init_security(struct inode *inode, struct inode *dir,
-                                     char **name, void **value, size_t *len)
+                                     const struct qstr *qstr, char **name,
+                                     void **value, size_t *len)
 {
        char *isp = smk_of_inode(inode);
        char *dsp = smk_of_inode(dir);