Merge branch 'master' into for-next

Fast-forwarded to current state of Linus' tree as there are patches to be
applied for files that didn't exist on the old branch.

5 files changed, 69 insertions, 32 deletions

diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 9da6420e205..1d027e29ce8 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -471,6 +471,7 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
  * @avd: access vector decisions
  * @result: result from avc_has_perm_noaudit
  * @a:  auxiliary audit data
+ * @flags: VFS walk flags
  *
  * Audit the granting or denial of permissions in accordance
  * with the policy.  This function is typically called by
@@ -481,9 +482,10 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
  * be performed under a lock, to allow the lock to be released
  * before calling the auditing code.
  */
-void avc_audit(u32 ssid, u32 tsid,
+int avc_audit(u32 ssid, u32 tsid,
                u16 tclass, u32 requested,
-               struct av_decision *avd, int result, struct common_audit_data *a)
+               struct av_decision *avd, int result, struct common_audit_data *a,
+               unsigned flags)
 {
         struct common_audit_data stack_data;
         u32 denied, audited;
@@ -515,11 +517,24 @@ void avc_audit(u32 ssid, u32 tsid,
         else
                 audited = requested & avd->auditallow;
         if (!audited)
-                return;
+                return 0;
+
         if (!a) {
                 a = &stack_data;
                 COMMON_AUDIT_DATA_INIT(a, NONE);
         }
+
+        /*
+         * When in a RCU walk do the audit on the RCU retry.  This is because
+         * the collection of the dname in an inode audit message is not RCU
+         * safe.  Note this may drop some audits when the situation changes
+         * during retry. However this is logically just as if the operation
+         * happened a little later.
+         */
+        if ((a->type == LSM_AUDIT_DATA_FS) &&
+            (flags & IPERM_FLAG_RCU))
+                return -ECHILD;
+
         a->selinux_audit_data.tclass = tclass;
         a->selinux_audit_data.requested = requested;
         a->selinux_audit_data.ssid = ssid;
@@ -529,6 +544,7 @@ void avc_audit(u32 ssid, u32 tsid,
         a->lsm_pre_audit = avc_audit_pre_callback;
         a->lsm_post_audit = avc_audit_post_callback;
         common_lsm_audit(a);
+        return 0;
 }
 
 /**
@@ -793,6 +809,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
  * @tclass: target security class
  * @requested: requested permissions, interpreted based on @tclass
  * @auditdata: auxiliary audit data
+ * @flags: VFS walk flags
  *
  * Check the AVC to determine whether the @requested permissions are granted
  * for the SID pair (@ssid, @tsid), interpreting the permissions
@@ -802,14 +819,19 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
  * permissions are granted, -%EACCES if any permissions are denied, or
  * another -errno upon other errors.
  */
-int avc_has_perm(u32 ssid, u32 tsid, u16 tclass,
-                 u32 requested, struct common_audit_data *auditdata)
+int avc_has_perm_flags(u32 ssid, u32 tsid, u16 tclass,
+                       u32 requested, struct common_audit_data *auditdata,
+                       unsigned flags)
 {
         struct av_decision avd;
-        int rc;
+        int rc, rc2;
 
         rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd);
-        avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata);
+
+        rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata,
+                        flags);
+        if (rc2)
+                return rc2;
         return rc;
 }
 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 6475e1f0223..f7cf0ea6fae 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -79,6 +79,7 @@
 #include <linux/mutex.h>
 #include <linux/posix-timers.h>
 #include <linux/syslog.h>
+#include <linux/user_namespace.h>
 
 #include "avc.h"
 #include "objsec.h"
@@ -1445,8 +1446,11 @@ static int task_has_capability(struct task_struct *tsk,
         }
 
         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
-        if (audit == SECURITY_CAP_AUDIT)
-                avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
+        if (audit == SECURITY_CAP_AUDIT) {
+                int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
+                if (rc2)
+                        return rc2;
+        }
         return rc;
 }
 
@@ -1466,7 +1470,8 @@ static int task_has_system(struct task_struct *tsk,
 static int inode_has_perm(const struct cred *cred,
                           struct inode *inode,
                           u32 perms,
-                          struct common_audit_data *adp)
+                          struct common_audit_data *adp,
+                          unsigned flags)
 {
         struct inode_security_struct *isec;
         struct common_audit_data ad;
@@ -1486,7 +1491,7 @@ static int inode_has_perm(const struct cred *cred,
                 ad.u.fs.inode = inode;
         }
 
-        return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
+        return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
 }
 
 /* Same as inode_has_perm, but pass explicit audit data containing
@@ -1503,7 +1508,7 @@ static inline int dentry_has_perm(const struct cred *cred,
         COMMON_AUDIT_DATA_INIT(&ad, FS);
         ad.u.fs.path.mnt = mnt;
         ad.u.fs.path.dentry = dentry;
-        return inode_has_perm(cred, inode, av, &ad);
+        return inode_has_perm(cred, inode, av, &ad, 0);
 }
 
 /* Check whether a task can use an open file descriptor to
@@ -1539,7 +1544,7 @@ static int file_has_perm(const struct cred *cred,
         /* av is zero if only checking access to the descriptor. */
         rc = 0;
         if (av)
-                rc = inode_has_perm(cred, inode, av, &ad);
+                rc = inode_has_perm(cred, inode, av, &ad, 0);
 
 out:
         return rc;
@@ -1846,11 +1851,11 @@ static int selinux_capset(struct cred *new, const struct cred *old,
  */
 
 static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
-                           int cap, int audit)
+                           struct user_namespace *ns, int cap, int audit)
 {
         int rc;
 
-        rc = cap_capable(tsk, cred, cap, audit);
+        rc = cap_capable(tsk, cred, ns, cap, audit);
         if (rc)
                 return rc;
 
@@ -1931,7 +1936,8 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
 {
         int rc, cap_sys_admin = 0;
 
-        rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
+        rc = selinux_capable(current, current_cred(),
+                             &init_user_ns, CAP_SYS_ADMIN,
                              SECURITY_CAP_NOAUDIT);
         if (rc == 0)
                 cap_sys_admin = 1;
@@ -2101,7 +2107,7 @@ static inline void flush_unauthorized_files(const struct cred *cred,
                         file = file_priv->file;
                         inode = file->f_path.dentry->d_inode;
                         if (inode_has_perm(cred, inode,
-                                           FILE__READ | FILE__WRITE, NULL)) {
+                                           FILE__READ | FILE__WRITE, NULL, 0)) {
                                 drop_tty = 1;
                         }
                 }
@@ -2633,7 +2639,7 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na
         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
 }
 
-static int selinux_inode_permission(struct inode *inode, int mask)
+static int selinux_inode_permission(struct inode *inode, int mask, unsigned flags)
 {
         const struct cred *cred = current_cred();
         struct common_audit_data ad;
@@ -2655,7 +2661,7 @@ static int selinux_inode_permission(struct inode *inode, int mask)
 
         perms = file_mask_to_av(inode->i_mode, mask);
 
-        return inode_has_perm(cred, inode, perms, &ad);
+        return inode_has_perm(cred, inode, perms, &ad, flags);
 }
 
 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
@@ -2723,7 +2729,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
         if (!(sbsec->flags & SE_SBLABELSUPP))
                 return -EOPNOTSUPP;
 
-        if (!is_owner_or_cap(inode))
+        if (!inode_owner_or_capable(inode))
                 return -EPERM;
 
         COMMON_AUDIT_DATA_INIT(&ad, FS);
@@ -2834,7 +2840,8 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
          * and lack of permission just means that we fall back to the
          * in-core context value, not a denial.
          */
-        error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
+        error = selinux_capable(current, current_cred(),
+                                &init_user_ns, CAP_MAC_ADMIN,
                                 SECURITY_CAP_NOAUDIT);
         if (!error)
                 error = security_sid_to_context_force(isec->sid, &context,
@@ -2968,7 +2975,7 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
         case KDSKBENT:
         case KDSKBSENT:
                 error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG,
-                                            SECURITY_CAP_AUDIT);
+                                        SECURITY_CAP_AUDIT);
                 break;
 
         /* default case assumes that the command will go
@@ -3202,7 +3209,7 @@ static int selinux_dentry_open(struct file *file, const struct cred *cred)
          * new inode label or new policy.
          * This check is not redundant - do not remove.
          */
-        return inode_has_perm(cred, inode, open_file_to_av(file), NULL);
+        return inode_has_perm(cred, inode, open_file_to_av(file), NULL, 0);
 }
 
 /* task security operations */
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index 5615081b73e..e77b2ac2908 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -54,11 +54,11 @@ struct avc_cache_stats {
 
 void __init avc_init(void);
 
-void avc_audit(u32 ssid, u32 tsid,
+int avc_audit(u32 ssid, u32 tsid,
                u16 tclass, u32 requested,
                struct av_decision *avd,
                int result,
-               struct common_audit_data *a);
+              struct common_audit_data *a, unsigned flags);
 
 #define AVC_STRICT 1 /* Ignore permissive mode. */
 int avc_has_perm_noaudit(u32 ssid, u32 tsid,
@@ -66,9 +66,17 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
                          unsigned flags,
                          struct av_decision *avd);
 
-int avc_has_perm(u32 ssid, u32 tsid,
-                 u16 tclass, u32 requested,
-                 struct common_audit_data *auditdata);
+int avc_has_perm_flags(u32 ssid, u32 tsid,
+                       u16 tclass, u32 requested,
+                       struct common_audit_data *auditdata,
+                       unsigned);
+
+static inline int avc_has_perm(u32 ssid, u32 tsid,
+                               u16 tclass, u32 requested,
+                               struct common_audit_data *auditdata)
+{
+        return avc_has_perm_flags(ssid, tsid, tclass, requested, auditdata, 0);
+}
 
 u32 avc_policy_seqno(void);
 
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index 1c2fc46544b..c3bf3ed07b0 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -151,7 +151,7 @@ void selinux_netlbl_sk_security_free(struct sk_security_struct *sksec)
  *
  * Description:
  * Called when the NetLabel state of a sk_security_struct needs to be reset.
- * The caller is responsibile for all the NetLabel sk_security_struct locking.
+ * The caller is responsible for all the NetLabel sk_security_struct locking.
  *
  */
 void selinux_netlbl_sk_security_reset(struct sk_security_struct *sksec)
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 3e7544d2a07..6ef4af47dac 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -213,7 +213,7 @@ static u16 map_class(u16 pol_value)
                         return i;
         }
 
-        return pol_value;
+        return SECCLASS_NULL;
 }
 
 static void map_decision(u16 tclass, struct av_decision *avd,
@@ -2806,7 +2806,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
         case AUDIT_SUBJ_CLR:
         case AUDIT_OBJ_LEV_LOW:
         case AUDIT_OBJ_LEV_HIGH:
-                /* we do not allow a range, indicated by the presense of '-' */
+                /* we do not allow a range, indicated by the presence of '-' */
                 if (strchr(rulestr, '-'))
                         return -EINVAL;
                 break;
@@ -3075,7 +3075,7 @@ static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr,
  * Description:
  * Convert the given NetLabel security attributes in @secattr into a
  * SELinux SID.  If the @secattr field does not contain a full SELinux
- * SID/context then use SECINITSID_NETMSG as the foundation.  If possibile the
+ * SID/context then use SECINITSID_NETMSG as the foundation.  If possible the
  * 'cache' field of @secattr is set and the CACHE flag is set; this is to
  * allow the @secattr to be used by NetLabel to cache the secattr to SID
  * conversion for future lookups.  Returns zero on success, negative values on