7 files changed, 24 insertions, 8 deletions
diff --git a/security/capability.c b/security/capability.c
index 579775088967..6783c3e6c88e 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -737,6 +737,11 @@ static int cap_tun_dev_open(void *security)
 {
        return 0;
 }
+static void cap_skb_owned_by(struct sk_buff *skb, struct sock *sk)
+{
+}
 #endif  /* CONFIG_SECURITY_NETWORK */
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -1071,6 +1076,7 @@ void __init security_fixup_ops(struct security_operations *ops)
        set_to_cap_if_null(ops, tun_dev_open);
        set_to_cap_if_null(ops, tun_dev_attach_queue);
        set_to_cap_if_null(ops, tun_dev_attach);
+        set_to_cap_if_null(ops, skb_owned_by);
 #endif  /* CONFIG_SECURITY_NETWORK */
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
        set_to_cap_if_null(ops, xfrm_policy_alloc_security);
diff --git a/security/keys/compat.c b/security/keys/compat.c
index 1c261763f479..d65fa7fa29ba 100644
--- a/security/keys/compat.c
+++ b/security/keys/compat.c
@@ -40,12 +40,12 @@ static long compat_keyctl_instantiate_key_iov(
                                           ARRAY_SIZE(iovstack),
                                           iovstack, &iov);
        if (ret < 0)
-                return ret;
+                goto err;
        if (ret == 0)
                goto no_payload_free;
        ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid);
+err:
        if (iov != iovstack)
                kfree(iov);
        return ret;
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index 58dfe0890947..42defae1e161 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -57,7 +57,7 @@ int install_user_keyrings(void)
        kenter("%p{%u}", user, uid);
-        if (user->uid_keyring) {
+        if (user->uid_keyring && user->session_keyring) {
                kleave(" = 0 [exist]");
                return 0;
        }
@@ -839,7 +839,7 @@ void key_change_session_keyring(struct callback_head *twork)
        new-> sgid      = old-> sgid;
        new->fsgid      = old->fsgid;
        new->user       = get_uid(old->user);
-        new->user_ns    = get_user_ns(new->user_ns);
+        new->user_ns    = get_user_ns(old->user_ns);
        new->group_info = get_group_info(old->group_info);
        new->securebits = old->securebits;
diff --git a/security/security.c b/security/security.c
index 7b88c6aeaed4..03f248b84e9f 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1290,6 +1290,11 @@ int security_tun_dev_open(void *security)
 }
 EXPORT_SYMBOL(security_tun_dev_open);
+void security_skb_owned_by(struct sk_buff *skb, struct sock *sk)
+{
+        security_ops->skb_owned_by(skb, sk);
+}
 #endif  /* CONFIG_SECURITY_NETWORK */
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 2fa28c88900c..7171a957b933 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -51,6 +51,7 @@
 #include <linux/tty.h>
 #include <net/icmp.h>
 #include <net/ip.h>             /* for local_port_range[] */
+#include <net/sock.h>
 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
 #include <net/net_namespace.h>
 #include <net/netlabel.h>
@@ -4363,6 +4364,11 @@ static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
        selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
 }
+static void selinux_skb_owned_by(struct sk_buff *skb, struct sock *sk)
+{
+        skb_set_owner_w(skb, sk);
+}
 static int selinux_secmark_relabel_packet(u32 sid)
 {
        const struct task_security_struct *__tsec;
@@ -5664,6 +5670,7 @@ static struct security_operations selinux_ops = {
        .tun_dev_attach_queue =         selinux_tun_dev_attach_queue,
        .tun_dev_attach =               selinux_tun_dev_attach,
        .tun_dev_open =                 selinux_tun_dev_open,
+        .skb_owned_by =                 selinux_skb_owned_by,
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
        .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 48665ecd1197..8ab295154517 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -310,7 +310,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
        if (old_ctx) {
                new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len,
-                                  GFP_KERNEL);
+                                  GFP_ATOMIC);
                if (!new_ctx)
                        return -ENOMEM;
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
index 23414b93771f..13c88fbcf037 100644
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -347,10 +347,8 @@ int yama_ptrace_traceme(struct task_struct *parent)
        /* Only disallow PTRACE_TRACEME on more aggressive settings. */
        switch (ptrace_scope) {
        case YAMA_SCOPE_CAPABILITY:
-                rcu_read_lock();
+                if (!has_ns_capability(parent, current_user_ns(), CAP_SYS_PTRACE))
-                if (!ns_capable(__task_cred(parent)->user_ns, CAP_SYS_PTRACE))
                        rc = -EPERM;
-                rcu_read_unlock();
                break;
        case YAMA_SCOPE_NO_ATTACH:
                rc = -EPERM;

diff --git a/security/capability.c b/security/capability.c index 579775088967..6783c3e6c88e 100644 --- a/security/capability.c +++ b/security/capability.c
@@ -737,6 +737,11 @@ static int cap_tun_dev_open(void *security)
737	{	737	{
738	return 0;	738	return 0;
739	}	739	}
		740
		741	static void cap_skb_owned_by(struct sk_buff skb, struct sock sk)
		742	{
		743	}
		744
740	#endif /* CONFIG_SECURITY_NETWORK */	745	#endif /* CONFIG_SECURITY_NETWORK */
741		746
742	#ifdef CONFIG_SECURITY_NETWORK_XFRM	747	#ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -1071,6 +1076,7 @@ void __init security_fixup_ops(struct security_operations *ops)
1071	set_to_cap_if_null(ops, tun_dev_open);	1076	set_to_cap_if_null(ops, tun_dev_open);
1072	set_to_cap_if_null(ops, tun_dev_attach_queue);	1077	set_to_cap_if_null(ops, tun_dev_attach_queue);
1073	set_to_cap_if_null(ops, tun_dev_attach);	1078	set_to_cap_if_null(ops, tun_dev_attach);
		1079	set_to_cap_if_null(ops, skb_owned_by);
1074	#endif /* CONFIG_SECURITY_NETWORK */	1080	#endif /* CONFIG_SECURITY_NETWORK */
1075	#ifdef CONFIG_SECURITY_NETWORK_XFRM	1081	#ifdef CONFIG_SECURITY_NETWORK_XFRM
1076	set_to_cap_if_null(ops, xfrm_policy_alloc_security);	1082	set_to_cap_if_null(ops, xfrm_policy_alloc_security);


diff --git a/security/keys/compat.c b/security/keys/compat.c index 1c261763f479..d65fa7fa29ba 100644 --- a/security/keys/compat.c +++ b/security/keys/compat.c
@@ -40,12 +40,12 @@ static long compat_keyctl_instantiate_key_iov(
40	ARRAY_SIZE(iovstack),	40	ARRAY_SIZE(iovstack),
41	iovstack, &iov);	41	iovstack, &iov);
42	if (ret < 0)	42	if (ret < 0)
43	return ret;	43	goto err;
44	if (ret == 0)	44	if (ret == 0)
45	goto no_payload_free;	45	goto no_payload_free;
46		46
47	ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid);	47	ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid);
48		48	err:
49	if (iov != iovstack)	49	if (iov != iovstack)
50	kfree(iov);	50	kfree(iov);
51	return ret;	51	return ret;


diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c index 58dfe0890947..42defae1e161 100644 --- a/security/keys/process_keys.c +++ b/security/keys/process_keys.c
@@ -57,7 +57,7 @@ int install_user_keyrings(void)
57		57
58	kenter("%p{%u}", user, uid);	58	kenter("%p{%u}", user, uid);
59		59
60	if (user->uid_keyring) {	60	if (user->uid_keyring && user->session_keyring) {
61	kleave(" = 0 [exist]");	61	kleave(" = 0 [exist]");
62	return 0;	62	return 0;
63	}	63	}
@@ -839,7 +839,7 @@ void key_change_session_keyring(struct callback_head *twork)
839	new-> sgid = old-> sgid;	839	new-> sgid = old-> sgid;
840	new->fsgid = old->fsgid;	840	new->fsgid = old->fsgid;
841	new->user = get_uid(old->user);	841	new->user = get_uid(old->user);
842	new->user_ns = get_user_ns(new->user_ns);	842	new->user_ns = get_user_ns(old->user_ns);
843	new->group_info = get_group_info(old->group_info);	843	new->group_info = get_group_info(old->group_info);
844		844
845	new->securebits = old->securebits;	845	new->securebits = old->securebits;


diff --git a/security/security.c b/security/security.c index 7b88c6aeaed4..03f248b84e9f 100644 --- a/security/security.c +++ b/security/security.c
@@ -1290,6 +1290,11 @@ int security_tun_dev_open(void *security)
1290	}	1290	}
1291	EXPORT_SYMBOL(security_tun_dev_open);	1291	EXPORT_SYMBOL(security_tun_dev_open);
1292		1292
		1293	void security_skb_owned_by(struct sk_buff skb, struct sock sk)
		1294	{
		1295	security_ops->skb_owned_by(skb, sk);
		1296	}
		1297
1293	#endif /* CONFIG_SECURITY_NETWORK */	1298	#endif /* CONFIG_SECURITY_NETWORK */
1294		1299
1295	#ifdef CONFIG_SECURITY_NETWORK_XFRM	1300	#ifdef CONFIG_SECURITY_NETWORK_XFRM


diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 2fa28c88900c..7171a957b933 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -51,6 +51,7 @@
51	#include <linux/tty.h>	51	#include <linux/tty.h>
52	#include <net/icmp.h>	52	#include <net/icmp.h>
53	#include <net/ip.h> /* for local_port_range[] */	53	#include <net/ip.h> /* for local_port_range[] */
		54	#include <net/sock.h>
54	#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */	55	#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
55	#include <net/net_namespace.h>	56	#include <net/net_namespace.h>
56	#include <net/netlabel.h>	57	#include <net/netlabel.h>
@@ -4363,6 +4364,11 @@ static void selinux_inet_conn_established(struct sock sk, struct sk_buff skb)
4363	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);	4364	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4364	}	4365	}
4365		4366
		4367	static void selinux_skb_owned_by(struct sk_buff skb, struct sock sk)
		4368	{
		4369	skb_set_owner_w(skb, sk);
		4370	}
		4371
4366	static int selinux_secmark_relabel_packet(u32 sid)	4372	static int selinux_secmark_relabel_packet(u32 sid)
4367	{	4373	{
4368	const struct task_security_struct *__tsec;	4374	const struct task_security_struct *__tsec;
@@ -5664,6 +5670,7 @@ static struct security_operations selinux_ops = {
5664	.tun_dev_attach_queue = selinux_tun_dev_attach_queue,	5670	.tun_dev_attach_queue = selinux_tun_dev_attach_queue,
5665	.tun_dev_attach = selinux_tun_dev_attach,	5671	.tun_dev_attach = selinux_tun_dev_attach,
5666	.tun_dev_open = selinux_tun_dev_open,	5672	.tun_dev_open = selinux_tun_dev_open,
		5673	.skb_owned_by = selinux_skb_owned_by,
5667		5674
5668	#ifdef CONFIG_SECURITY_NETWORK_XFRM	5675	#ifdef CONFIG_SECURITY_NETWORK_XFRM
5669	.xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,	5676	.xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,


diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index 48665ecd1197..8ab295154517 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c
@@ -310,7 +310,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
310		310
311	if (old_ctx) {	311	if (old_ctx) {
312	new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len,	312	new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len,
313	GFP_KERNEL);	313	GFP_ATOMIC);
314	if (!new_ctx)	314	if (!new_ctx)
315	return -ENOMEM;	315	return -ENOMEM;
316		316


diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c index 23414b93771f..13c88fbcf037 100644 --- a/security/yama/yama_lsm.c +++ b/security/yama/yama_lsm.c
@@ -347,10 +347,8 @@ int yama_ptrace_traceme(struct task_struct *parent)
347	/* Only disallow PTRACE_TRACEME on more aggressive settings. */	347	/* Only disallow PTRACE_TRACEME on more aggressive settings. */
348	switch (ptrace_scope) {	348	switch (ptrace_scope) {
349	case YAMA_SCOPE_CAPABILITY:	349	case YAMA_SCOPE_CAPABILITY:
350	rcu_read_lock();	350	if (!has_ns_capability(parent, current_user_ns(), CAP_SYS_PTRACE))
351	if (!ns_capable(__task_cred(parent)->user_ns, CAP_SYS_PTRACE))
352	rc = -EPERM;	351	rc = -EPERM;
353	rcu_read_unlock();
354	break;	352	break;
355	case YAMA_SCOPE_NO_ATTACH:	353	case YAMA_SCOPE_NO_ATTACH:
356	rc = -EPERM;	354	rc = -EPERM;