Merge branch 'next' into for-linus

9 files changed, 67 insertions, 25 deletions

diff --git a/include/linux/ext3_fs.h b/include/linux/ext3_fs.h
index 65990ef612f..6043c64c207 100644
--- a/include/linux/ext3_fs.h
+++ b/include/linux/ext3_fs.h
@@ -884,7 +884,8 @@ extern int ext3fs_dirhash(const char *name, int len, struct
                           dx_hash_info *hinfo);
 
 /* ialloc.c */
-extern struct inode * ext3_new_inode (handle_t *, struct inode *, int);
+extern struct inode * ext3_new_inode (handle_t *, struct inode *,
+                                      const struct qstr *, int);
 extern void ext3_free_inode (handle_t *, struct inode *);
 extern struct inode * ext3_orphan_get (struct super_block *, unsigned long);
 extern unsigned long ext3_count_free_inodes (struct super_block *);
diff --git a/include/linux/fs.h b/include/linux/fs.h
index e38b50a4b9d..af5bd7a629e 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -798,8 +798,7 @@ struct inode {
 #endif
 
 #ifdef CONFIG_IMA
-        /* protected by i_lock */
-        unsigned int            i_readcount; /* struct files open RO */
+        atomic_t                i_readcount; /* struct files open RO */
 #endif
         atomic_t                i_writecount;
 #ifdef CONFIG_SECURITY
@@ -2200,6 +2199,26 @@ static inline void allow_write_access(struct file *file)
         if (file)
                 atomic_inc(&file->f_path.dentry->d_inode->i_writecount);
 }
+#ifdef CONFIG_IMA
+static inline void i_readcount_dec(struct inode *inode)
+{
+        BUG_ON(!atomic_read(&inode->i_readcount));
+        atomic_dec(&inode->i_readcount);
+}
+static inline void i_readcount_inc(struct inode *inode)
+{
+        atomic_inc(&inode->i_readcount);
+}
+#else
+static inline void i_readcount_dec(struct inode *inode)
+{
+        return;
+}
+static inline void i_readcount_inc(struct inode *inode)
+{
+        return;
+}
+#endif
 extern int do_pipe_flags(int *, int);
 extern struct file *create_read_pipe(struct file *f, int flags);
 extern struct file *create_write_pipe(int flags);
diff --git a/include/linux/ima.h b/include/linux/ima.h
index 975837e7d6c..09e6e62f995 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -20,7 +20,6 @@ extern void ima_inode_free(struct inode *inode);
 extern int ima_file_check(struct file *file, int mask);
 extern void ima_file_free(struct file *file);
 extern int ima_file_mmap(struct file *file, unsigned long prot);
-extern void ima_counts_get(struct file *file);
 
 #else
 static inline int ima_bprm_check(struct linux_binprm *bprm)
@@ -53,10 +52,5 @@ static inline int ima_file_mmap(struct file *file, unsigned long prot)
         return 0;
 }
 
-static inline void ima_counts_get(struct file *file)
-{
-        return;
-}
-
 #endif /* CONFIG_IMA_H */
 #endif /* _LINUX_IMA_H */
diff --git a/include/linux/key-type.h b/include/linux/key-type.h
index 65833d4d599..9efd081bb31 100644
--- a/include/linux/key-type.h
+++ b/include/linux/key-type.h
@@ -41,6 +41,9 @@ struct key_type {
          */
         size_t def_datalen;
 
+        /* vet a description */
+        int (*vet_description)(const char *description);
+
         /* instantiate a key of this type
          * - this method should call key_payload_reserve() to determine if the
          *   user's quota will hold the payload
@@ -102,11 +105,20 @@ extern int key_instantiate_and_link(struct key *key,
                                     size_t datalen,
                                     struct key *keyring,
                                     struct key *instkey);
-extern int key_negate_and_link(struct key *key,
+extern int key_reject_and_link(struct key *key,
                                unsigned timeout,
+                               unsigned error,
                                struct key *keyring,
                                struct key *instkey);
 extern void complete_request_key(struct key_construction *cons, int error);
 
+static inline int key_negate_and_link(struct key *key,
+                                      unsigned timeout,
+                                      struct key *keyring,
+                                      struct key *instkey)
+{
+        return key_reject_and_link(key, timeout, ENOKEY, keyring, instkey);
+}
+
 #endif /* CONFIG_KEYS */
 #endif /* _LINUX_KEY_TYPE_H */
diff --git a/include/linux/key.h b/include/linux/key.h
index 3db0adce1fd..b2bb0171956 100644
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -170,6 +170,7 @@ struct key {
                 struct list_head        link;
                 unsigned long           x[2];
                 void                    *p[2];
+                int                     reject_error;
         } type_data;
 
         /* key data
@@ -275,6 +276,10 @@ static inline key_serial_t key_serial(struct key *key)
         return key ? key->serial : 0;
 }
 
+#define rcu_dereference_key(KEY)                                        \
+        (rcu_dereference_protected((KEY)->payload.rcudata,              \
+                                   rwsem_is_locked(&((struct key *)(KEY))->sem)))
+
 #ifdef CONFIG_SYSCTL
 extern ctl_table key_sysctls[];
 #endif
diff --git a/include/linux/keyctl.h b/include/linux/keyctl.h
index bd383f1944f..9b0b865ce62 100644
--- a/include/linux/keyctl.h
+++ b/include/linux/keyctl.h
@@ -53,5 +53,7 @@
 #define KEYCTL_ASSUME_AUTHORITY         16      /* assume request_key() authorisation */
 #define KEYCTL_GET_SECURITY             17      /* get key security label */
 #define KEYCTL_SESSION_TO_PARENT        18      /* apply session keyring to parent process */
+#define KEYCTL_REJECT                   19      /* reject a partially constructed key */
+#define KEYCTL_INSTANTIATE_IOV          20      /* instantiate a partially constructed key */
 
 #endif /*  _LINUX_KEYCTL_H */
diff --git a/include/linux/reiserfs_xattr.h b/include/linux/reiserfs_xattr.h
index 3b94c91f20a..6deef5dc95f 100644
--- a/include/linux/reiserfs_xattr.h
+++ b/include/linux/reiserfs_xattr.h
@@ -63,6 +63,7 @@ extern const struct xattr_handler reiserfs_xattr_trusted_handler;
 extern const struct xattr_handler reiserfs_xattr_security_handler;
 #ifdef CONFIG_REISERFS_FS_SECURITY
 int reiserfs_security_init(struct inode *dir, struct inode *inode,
+                           const struct qstr *qstr,
                            struct reiserfs_security_handle *sec);
 int reiserfs_security_write(struct reiserfs_transaction_handle *th,
                             struct inode *inode,
@@ -130,6 +131,7 @@ static inline void reiserfs_init_xattr_rwsem(struct inode *inode)
 #ifndef CONFIG_REISERFS_FS_SECURITY
 static inline int reiserfs_security_init(struct inode *dir,
                                          struct inode *inode,
+                                         const struct qstr *qstr,
                                          struct reiserfs_security_handle *sec)
 {
         return 0;
diff --git a/include/linux/security.h b/include/linux/security.h
index b2b7f9749f5..84a202ac3de 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -25,6 +25,7 @@
 #include <linux/fs.h>
 #include <linux/fsnotify.h>
 #include <linux/binfmts.h>
+#include <linux/dcache.h>
 #include <linux/signal.h>
 #include <linux/resource.h>
 #include <linux/sem.h>
@@ -267,6 +268,12 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  *      @orig the original mount data copied from userspace.
  *      @copy copied data which will be passed to the security module.
  *      Returns 0 if the copy was successful.
+ * @sb_remount:
+ *      Extracts security system specifc mount options and verifys no changes
+ *      are being made to those options.
+ *      @sb superblock being remounted
+ *      @data contains the filesystem-specific data.
+ *      Return 0 if permission is granted.
  * @sb_umount:
  *      Check permission before the @mnt file system is unmounted.
  *      @mnt contains the mounted file system.
@@ -315,6 +322,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  *      then it should return -EOPNOTSUPP to skip this processing.
  *      @inode contains the inode structure of the newly created inode.
  *      @dir contains the inode structure of the parent directory.
+ *      @qstr contains the last path component of the new object
  *      @name will be set to the allocated name suffix (e.g. selinux).
  *      @value will be set to the allocated attribute value.
  *      @len will be set to the length of the value.
@@ -1257,12 +1265,6 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  *      @cap contains the capability <include/linux/capability.h>.
  *      @audit: Whether to write an audit message or not
  *      Return 0 if the capability is granted for @tsk.
- * @sysctl:
- *      Check permission before accessing the @table sysctl variable in the
- *      manner specified by @op.
- *      @table contains the ctl_table structure for the sysctl variable.
- *      @op contains the operation (001 = search, 002 = write, 004 = read).
- *      Return 0 if permission is granted.
  * @syslog:
  *      Check permission before accessing the kernel message ring or changing
  *      logging to the console.
@@ -1383,7 +1385,6 @@ struct security_operations {
                        const kernel_cap_t *permitted);
         int (*capable) (struct task_struct *tsk, const struct cred *cred,
                         int cap, int audit);
-        int (*sysctl) (struct ctl_table *table, int op);
         int (*quotactl) (int cmds, int type, int id, struct super_block *sb);
         int (*quota_on) (struct dentry *dentry);
         int (*syslog) (int type);
@@ -1399,6 +1400,7 @@ struct security_operations {
         int (*sb_alloc_security) (struct super_block *sb);
         void (*sb_free_security) (struct super_block *sb);
         int (*sb_copy_data) (char *orig, char *copy);
+        int (*sb_remount) (struct super_block *sb, void *data);
         int (*sb_kern_mount) (struct super_block *sb, int flags, void *data);
         int (*sb_show_options) (struct seq_file *m, struct super_block *sb);
         int (*sb_statfs) (struct dentry *dentry);
@@ -1435,7 +1437,8 @@ struct security_operations {
         int (*inode_alloc_security) (struct inode *inode);
         void (*inode_free_security) (struct inode *inode);
         int (*inode_init_security) (struct inode *inode, struct inode *dir,
-                                    char **name, void **value, size_t *len);
+                                    const struct qstr *qstr, char **name,
+                                    void **value, size_t *len);
         int (*inode_create) (struct inode *dir,
                              struct dentry *dentry, int mode);
         int (*inode_link) (struct dentry *old_dentry,
@@ -1665,7 +1668,6 @@ int security_capset(struct cred *new, const struct cred *old,
 int security_capable(const struct cred *cred, int cap);
 int security_real_capable(struct task_struct *tsk, int cap);
 int security_real_capable_noaudit(struct task_struct *tsk, int cap);
-int security_sysctl(struct ctl_table *table, int op);
 int security_quotactl(int cmds, int type, int id, struct super_block *sb);
 int security_quota_on(struct dentry *dentry);
 int security_syslog(int type);
@@ -1681,6 +1683,7 @@ int security_bprm_secureexec(struct linux_binprm *bprm);
 int security_sb_alloc(struct super_block *sb);
 void security_sb_free(struct super_block *sb);
 int security_sb_copy_data(char *orig, char *copy);
+int security_sb_remount(struct super_block *sb, void *data);
 int security_sb_kern_mount(struct super_block *sb, int flags, void *data);
 int security_sb_show_options(struct seq_file *m, struct super_block *sb);
 int security_sb_statfs(struct dentry *dentry);
@@ -1696,7 +1699,8 @@ int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts);
 int security_inode_alloc(struct inode *inode);
 void security_inode_free(struct inode *inode);
 int security_inode_init_security(struct inode *inode, struct inode *dir,
-                                  char **name, void **value, size_t *len);
+                                 const struct qstr *qstr, char **name,
+                                 void **value, size_t *len);
 int security_inode_create(struct inode *dir, struct dentry *dentry, int mode);
 int security_inode_link(struct dentry *old_dentry, struct inode *dir,
                          struct dentry *new_dentry);
@@ -1883,11 +1887,6 @@ int security_real_capable_noaudit(struct task_struct *tsk, int cap)
         return ret;
 }
 
-static inline int security_sysctl(struct ctl_table *table, int op)
-{
-        return 0;
-}
-
 static inline int security_quotactl(int cmds, int type, int id,
                                      struct super_block *sb)
 {
@@ -1964,6 +1963,11 @@ static inline int security_sb_copy_data(char *orig, char *copy)
         return 0;
 }
 
+static inline int security_sb_remount(struct super_block *sb, void *data)
+{
+        return 0;
+}
+
 static inline int security_sb_kern_mount(struct super_block *sb, int flags, void *data)
 {
         return 0;
@@ -2023,6 +2027,7 @@ static inline void security_inode_free(struct inode *inode)
 
 static inline int security_inode_init_security(struct inode *inode,
                                                 struct inode *dir,
+                                                const struct qstr *qstr,
                                                 char **name,
                                                 void **value,
                                                 size_t *len)
diff --git a/include/linux/xattr.h b/include/linux/xattr.h
index e6131ef98d8..6050783005b 100644
--- a/include/linux/xattr.h
+++ b/include/linux/xattr.h
@@ -42,11 +42,13 @@
 #define XATTR_SMACK_IPOUT "SMACK64IPOUT"
 #define XATTR_SMACK_EXEC "SMACK64EXEC"
 #define XATTR_SMACK_TRANSMUTE "SMACK64TRANSMUTE"
+#define XATTR_SMACK_MMAP "SMACK64MMAP"
 #define XATTR_NAME_SMACK XATTR_SECURITY_PREFIX XATTR_SMACK_SUFFIX
 #define XATTR_NAME_SMACKIPIN    XATTR_SECURITY_PREFIX XATTR_SMACK_IPIN
 #define XATTR_NAME_SMACKIPOUT   XATTR_SECURITY_PREFIX XATTR_SMACK_IPOUT
 #define XATTR_NAME_SMACKEXEC    XATTR_SECURITY_PREFIX XATTR_SMACK_EXEC
 #define XATTR_NAME_SMACKTRANSMUTE XATTR_SECURITY_PREFIX XATTR_SMACK_TRANSMUTE
+#define XATTR_NAME_SMACKMMAP XATTR_SECURITY_PREFIX XATTR_SMACK_MMAP
 
 #define XATTR_CAPS_SUFFIX "capability"
 #define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX