15 files changed, 457 insertions, 219 deletions

diff --git a/kernel/acct.c b/kernel/acct.c
index 02e6167a53b..6cd7529c9e6 100644
--- a/kernel/acct.c
+++ b/kernel/acct.c
@@ -507,8 +507,8 @@ static void do_acct_process(struct bsd_acct_struct *acct,
         do_div(elapsed, AHZ);
         ac.ac_btime = get_seconds() - elapsed;
         /* we really need to bite the bullet and change layout */
-        ac.ac_uid = orig_cred->uid;
-        ac.ac_gid = orig_cred->gid;
+        ac.ac_uid = from_kuid_munged(file->f_cred->user_ns, orig_cred->uid);
+        ac.ac_gid = from_kgid_munged(file->f_cred->user_ns, orig_cred->gid);
 #if ACCT_VERSION==2
         ac.ac_ahz = AHZ;
 #endif
diff --git a/kernel/audit.c b/kernel/audit.c
index ea3b7b6191c..511488a7bc7 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -61,6 +61,7 @@
 #include <linux/netlink.h>
 #include <linux/freezer.h>
 #include <linux/tty.h>
+#include <linux/pid_namespace.h>
 
 #include "audit.h"
 
@@ -104,7 +105,7 @@ static int	audit_backlog_wait_time = 60 * HZ;
 static int      audit_backlog_wait_overflow = 0;
 
 /* The identity of the user shutting down the audit system. */
-uid_t           audit_sig_uid = -1;
+kuid_t          audit_sig_uid = INVALID_UID;
 pid_t           audit_sig_pid = -1;
 u32             audit_sig_sid = 0;
 
@@ -264,7 +265,7 @@ void audit_log_lost(const char *message)
 }
 
 static int audit_log_config_change(char *function_name, int new, int old,
-                                   uid_t loginuid, u32 sessionid, u32 sid,
+                                   kuid_t loginuid, u32 sessionid, u32 sid,
                                    int allow_changes)
 {
         struct audit_buffer *ab;
@@ -272,7 +273,7 @@ static int audit_log_config_change(char *function_name, int new, int old,
 
         ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
         audit_log_format(ab, "%s=%d old=%d auid=%u ses=%u", function_name, new,
-                         old, loginuid, sessionid);
+                         old, from_kuid(&init_user_ns, loginuid), sessionid);
         if (sid) {
                 char *ctx = NULL;
                 u32 len;
@@ -292,7 +293,7 @@ static int audit_log_config_change(char *function_name, int new, int old,
 }
 
 static int audit_do_config_change(char *function_name, int *to_change,
-                                  int new, uid_t loginuid, u32 sessionid,
+                                  int new, kuid_t loginuid, u32 sessionid,
                                   u32 sid)
 {
         int allow_changes, rc = 0, old = *to_change;
@@ -319,21 +320,21 @@ static int audit_do_config_change(char *function_name, int *to_change,
         return rc;
 }
 
-static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sessionid,
+static int audit_set_rate_limit(int limit, kuid_t loginuid, u32 sessionid,
                                 u32 sid)
 {
         return audit_do_config_change("audit_rate_limit", &audit_rate_limit,
                                       limit, loginuid, sessionid, sid);
 }
 
-static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sessionid,
+static int audit_set_backlog_limit(int limit, kuid_t loginuid, u32 sessionid,
                                    u32 sid)
 {
         return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit,
                                       limit, loginuid, sessionid, sid);
 }
 
-static int audit_set_enabled(int state, uid_t loginuid, u32 sessionid, u32 sid)
+static int audit_set_enabled(int state, kuid_t loginuid, u32 sessionid, u32 sid)
 {
         int rc;
         if (state < AUDIT_OFF || state > AUDIT_LOCKED)
@@ -348,7 +349,7 @@ static int audit_set_enabled(int state, uid_t loginuid, u32 sessionid, u32 sid)
         return rc;
 }
 
-static int audit_set_failure(int state, uid_t loginuid, u32 sessionid, u32 sid)
+static int audit_set_failure(int state, kuid_t loginuid, u32 sessionid, u32 sid)
 {
         if (state != AUDIT_FAIL_SILENT
             && state != AUDIT_FAIL_PRINTK
@@ -467,24 +468,6 @@ static int kauditd_thread(void *dummy)
         return 0;
 }
 
-static int audit_prepare_user_tty(pid_t pid, uid_t loginuid, u32 sessionid)
-{
-        struct task_struct *tsk;
-        int err;
-
-        rcu_read_lock();
-        tsk = find_task_by_vpid(pid);
-        if (!tsk) {
-                rcu_read_unlock();
-                return -ESRCH;
-        }
-        get_task_struct(tsk);
-        rcu_read_unlock();
-        err = tty_audit_push_task(tsk, loginuid, sessionid);
-        put_task_struct(tsk);
-        return err;
-}
-
 int audit_send_list(void *_dest)
 {
         struct audit_netlink_list *dest = _dest;
@@ -588,6 +571,11 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
 {
         int err = 0;
 
+        /* Only support the initial namespaces for now. */
+        if ((current_user_ns() != &init_user_ns) ||
+            (task_active_pid_ns(current) != &init_pid_ns))
+                return -EPERM;
+
         switch (msg_type) {
         case AUDIT_GET:
         case AUDIT_LIST:
@@ -619,8 +607,7 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
 }
 
 static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
-                                     u32 pid, u32 uid, uid_t auid, u32 ses,
-                                     u32 sid)
+                                     kuid_t auid, u32 ses, u32 sid)
 {
         int rc = 0;
         char *ctx = NULL;
@@ -633,7 +620,9 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
 
         *ab = audit_log_start(NULL, GFP_KERNEL, msg_type);
         audit_log_format(*ab, "pid=%d uid=%u auid=%u ses=%u",
-                         pid, uid, auid, ses);
+                         task_tgid_vnr(current),
+                         from_kuid(&init_user_ns, current_uid()),
+                         from_kuid(&init_user_ns, auid), ses);
         if (sid) {
                 rc = security_secid_to_secctx(sid, &ctx, &len);
                 if (rc)
@@ -649,13 +638,13 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
 
 static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 {
-        u32                     uid, pid, seq, sid;
+        u32                     seq, sid;
         void                    *data;
         struct audit_status     *status_get, status_set;
         int                     err;
         struct audit_buffer     *ab;
         u16                     msg_type = nlh->nlmsg_type;
-        uid_t                   loginuid; /* loginuid of sender */
+        kuid_t                  loginuid; /* loginuid of sender */
         u32                     sessionid;
         struct audit_sig_info   *sig_data;
         char                    *ctx = NULL;
@@ -675,8 +664,6 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                 return err;
         }
 
-        pid  = NETLINK_CREDS(skb)->pid;
-        uid  = NETLINK_CREDS(skb)->uid;
         loginuid = audit_get_loginuid(current);
         sessionid = audit_get_sessionid(current);
         security_task_getsecid(current, &sid);
@@ -738,16 +725,16 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                 if (!audit_enabled && msg_type != AUDIT_USER_AVC)
                         return 0;
 
-                err = audit_filter_user(&NETLINK_CB(skb));
+                err = audit_filter_user();
                 if (err == 1) {
                         err = 0;
                         if (msg_type == AUDIT_USER_TTY) {
-                                err = audit_prepare_user_tty(pid, loginuid,
+                                err = tty_audit_push_task(current, loginuid,
                                                              sessionid);
                                 if (err)
                                         break;
                         }
-                        audit_log_common_recv_msg(&ab, msg_type, pid, uid,
+                        audit_log_common_recv_msg(&ab, msg_type,
                                                   loginuid, sessionid, sid);
 
                         if (msg_type != AUDIT_USER_TTY)
@@ -763,7 +750,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                                         size--;
                                 audit_log_n_untrustedstring(ab, data, size);
                         }
-                        audit_set_pid(ab, pid);
+                        audit_set_pid(ab, NETLINK_CB(skb).pid);
                         audit_log_end(ab);
                 }
                 break;
@@ -772,8 +759,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                 if (nlmsg_len(nlh) < sizeof(struct audit_rule))
                         return -EINVAL;
                 if (audit_enabled == AUDIT_LOCKED) {
-                        audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
-                                                  uid, loginuid, sessionid, sid);
+                        audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE,
+                                                  loginuid, sessionid, sid);
 
                         audit_log_format(ab, " audit_enabled=%d res=0",
                                          audit_enabled);
@@ -783,7 +770,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                 /* fallthrough */
         case AUDIT_LIST:
                 err = audit_receive_filter(msg_type, NETLINK_CB(skb).pid,
-                                           uid, seq, data, nlmsg_len(nlh),
+                                           seq, data, nlmsg_len(nlh),
                                            loginuid, sessionid, sid);
                 break;
         case AUDIT_ADD_RULE:
@@ -791,8 +778,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                 if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
                         return -EINVAL;
                 if (audit_enabled == AUDIT_LOCKED) {
-                        audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
-                                                  uid, loginuid, sessionid, sid);
+                        audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE,
+                                                  loginuid, sessionid, sid);
 
                         audit_log_format(ab, " audit_enabled=%d res=0",
                                          audit_enabled);
@@ -802,14 +789,14 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                 /* fallthrough */
         case AUDIT_LIST_RULES:
                 err = audit_receive_filter(msg_type, NETLINK_CB(skb).pid,
-                                           uid, seq, data, nlmsg_len(nlh),
+                                           seq, data, nlmsg_len(nlh),
                                            loginuid, sessionid, sid);
                 break;
         case AUDIT_TRIM:
                 audit_trim_trees();
 
-                audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
-                                          uid, loginuid, sessionid, sid);
+                audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE,
+                                          loginuid, sessionid, sid);
 
                 audit_log_format(ab, " op=trim res=1");
                 audit_log_end(ab);
@@ -840,8 +827,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                 /* OK, here comes... */
                 err = audit_tag_tree(old, new);
 
-                audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE, pid,
-                                          uid, loginuid, sessionid, sid);
+                audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE,
+                                          loginuid, sessionid, sid);
 
                 audit_log_format(ab, " op=make_equiv old=");
                 audit_log_untrustedstring(ab, old);
@@ -866,7 +853,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                                 security_release_secctx(ctx, len);
                         return -ENOMEM;
                 }
-                sig_data->uid = audit_sig_uid;
+                sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid);
                 sig_data->pid = audit_sig_pid;
                 if (audit_sig_sid) {
                         memcpy(sig_data->ctx, ctx, len);
@@ -878,41 +865,29 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                 break;
         case AUDIT_TTY_GET: {
                 struct audit_tty_status s;
-                struct task_struct *tsk;
-                unsigned long flags;
-
-                rcu_read_lock();
-                tsk = find_task_by_vpid(pid);
-                if (tsk && lock_task_sighand(tsk, &flags)) {
-                        s.enabled = tsk->signal->audit_tty != 0;
-                        unlock_task_sighand(tsk, &flags);
-                } else
-                        err = -ESRCH;
-                rcu_read_unlock();
-
-                if (!err)
-                        audit_send_reply(NETLINK_CB(skb).pid, seq,
-                                         AUDIT_TTY_GET, 0, 0, &s, sizeof(s));
+                struct task_struct *tsk = current;
+
+                spin_lock_irq(&tsk->sighand->siglock);
+                s.enabled = tsk->signal->audit_tty != 0;
+                spin_unlock_irq(&tsk->sighand->siglock);
+
+                audit_send_reply(NETLINK_CB(skb).pid, seq,
+                                 AUDIT_TTY_GET, 0, 0, &s, sizeof(s));
                 break;
         }
         case AUDIT_TTY_SET: {
                 struct audit_tty_status *s;
-                struct task_struct *tsk;
-                unsigned long flags;
+                struct task_struct *tsk = current;
 
                 if (nlh->nlmsg_len < sizeof(struct audit_tty_status))
                         return -EINVAL;
                 s = data;
                 if (s->enabled != 0 && s->enabled != 1)
                         return -EINVAL;
-                rcu_read_lock();
-                tsk = find_task_by_vpid(pid);
-                if (tsk && lock_task_sighand(tsk, &flags)) {
-                        tsk->signal->audit_tty = s->enabled != 0;
-                        unlock_task_sighand(tsk, &flags);
-                } else
-                        err = -ESRCH;
-                rcu_read_unlock();
+
+                spin_lock_irq(&tsk->sighand->siglock);
+                tsk->signal->audit_tty = s->enabled != 0;
+                spin_unlock_irq(&tsk->sighand->siglock);
                 break;
         }
         default:
diff --git a/kernel/audit.h b/kernel/audit.h
index 81676680337..9eb3d79482b 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -76,6 +76,8 @@ static inline int audit_hash_ino(u32 ino)
 
 extern int audit_match_class(int class, unsigned syscall);
 extern int audit_comparator(const u32 left, const u32 op, const u32 right);
+extern int audit_uid_comparator(kuid_t left, u32 op, kuid_t right);
+extern int audit_gid_comparator(kgid_t left, u32 op, kgid_t right);
 extern int audit_compare_dname_path(const char *dname, const char *path,
                                     int *dirlen);
 extern struct sk_buff *     audit_make_reply(int pid, int seq, int type,
@@ -144,7 +146,7 @@ extern void audit_kill_trees(struct list_head *);
 extern char *audit_unpack_string(void **, size_t *, size_t);
 
 extern pid_t audit_sig_pid;
-extern uid_t audit_sig_uid;
+extern kuid_t audit_sig_uid;
 extern u32 audit_sig_sid;
 
 #ifdef CONFIG_AUDITSYSCALL
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 3823281401b..1c22ec3d87b 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -241,7 +241,7 @@ static void audit_watch_log_rule_change(struct audit_krule *r, struct audit_watc
                 struct audit_buffer *ab;
                 ab = audit_log_start(NULL, GFP_NOFS, AUDIT_CONFIG_CHANGE);
                 audit_log_format(ab, "auid=%u ses=%u op=",
-                                 audit_get_loginuid(current),
+                                 from_kuid(&init_user_ns, audit_get_loginuid(current)),
                                  audit_get_sessionid(current));
                 audit_log_string(ab, op);
                 audit_log_format(ab, " path=");
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index a6c3f1abd20..c4bcdbaf4d4 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -342,6 +342,8 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
 
                 f->type = rule->fields[i] & ~(AUDIT_NEGATE|AUDIT_OPERATORS);
                 f->val = rule->values[i];
+                f->uid = INVALID_UID;
+                f->gid = INVALID_GID;
 
                 err = -EINVAL;
                 if (f->op == Audit_bad)
@@ -350,16 +352,32 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
                 switch(f->type) {
                 default:
                         goto exit_free;
-                case AUDIT_PID:
                 case AUDIT_UID:
                 case AUDIT_EUID:
                 case AUDIT_SUID:
                 case AUDIT_FSUID:
+                case AUDIT_LOGINUID:
+                        /* bit ops not implemented for uid comparisons */
+                        if (f->op == Audit_bitmask || f->op == Audit_bittest)
+                                goto exit_free;
+
+                        f->uid = make_kuid(current_user_ns(), f->val);
+                        if (!uid_valid(f->uid))
+                                goto exit_free;
+                        break;
                 case AUDIT_GID:
                 case AUDIT_EGID:
                 case AUDIT_SGID:
                 case AUDIT_FSGID:
-                case AUDIT_LOGINUID:
+                        /* bit ops not implemented for gid comparisons */
+                        if (f->op == Audit_bitmask || f->op == Audit_bittest)
+                                goto exit_free;
+
+                        f->gid = make_kgid(current_user_ns(), f->val);
+                        if (!gid_valid(f->gid))
+                                goto exit_free;
+                        break;
+                case AUDIT_PID:
                 case AUDIT_PERS:
                 case AUDIT_MSGTYPE:
                 case AUDIT_PPID:
@@ -437,19 +455,39 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
 
                 f->type = data->fields[i];
                 f->val = data->values[i];
+                f->uid = INVALID_UID;
+                f->gid = INVALID_GID;
                 f->lsm_str = NULL;
                 f->lsm_rule = NULL;
                 switch(f->type) {
-                case AUDIT_PID:
                 case AUDIT_UID:
                 case AUDIT_EUID:
                 case AUDIT_SUID:
                 case AUDIT_FSUID:
+                case AUDIT_LOGINUID:
+                case AUDIT_OBJ_UID:
+                        /* bit ops not implemented for uid comparisons */
+                        if (f->op == Audit_bitmask || f->op == Audit_bittest)
+                                goto exit_free;
+
+                        f->uid = make_kuid(current_user_ns(), f->val);
+                        if (!uid_valid(f->uid))
+                                goto exit_free;
+                        break;
                 case AUDIT_GID:
                 case AUDIT_EGID:
                 case AUDIT_SGID:
                 case AUDIT_FSGID:
-                case AUDIT_LOGINUID:
+                case AUDIT_OBJ_GID:
+                        /* bit ops not implemented for gid comparisons */
+                        if (f->op == Audit_bitmask || f->op == Audit_bittest)
+                                goto exit_free;
+
+                        f->gid = make_kgid(current_user_ns(), f->val);
+                        if (!gid_valid(f->gid))
+                                goto exit_free;
+                        break;
+                case AUDIT_PID:
                 case AUDIT_PERS:
                 case AUDIT_MSGTYPE:
                 case AUDIT_PPID:
@@ -461,8 +499,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
                 case AUDIT_ARG1:
                 case AUDIT_ARG2:
                 case AUDIT_ARG3:
-                case AUDIT_OBJ_UID:
-                case AUDIT_OBJ_GID:
                         break;
                 case AUDIT_ARCH:
                         entry->rule.arch_f = f;
@@ -707,6 +743,23 @@ static int audit_compare_rule(struct audit_krule *a, struct audit_krule *b)
                         if (strcmp(a->filterkey, b->filterkey))
                                 return 1;
                         break;
+                case AUDIT_UID:
+                case AUDIT_EUID:
+                case AUDIT_SUID:
+                case AUDIT_FSUID:
+                case AUDIT_LOGINUID:
+                case AUDIT_OBJ_UID:
+                        if (!uid_eq(a->fields[i].uid, b->fields[i].uid))
+                                return 1;
+                        break;
+                case AUDIT_GID:
+                case AUDIT_EGID:
+                case AUDIT_SGID:
+                case AUDIT_FSGID:
+                case AUDIT_OBJ_GID:
+                        if (!gid_eq(a->fields[i].gid, b->fields[i].gid))
+                                return 1;
+                        break;
                 default:
                         if (a->fields[i].val != b->fields[i].val)
                                 return 1;
@@ -1056,7 +1109,7 @@ static void audit_list_rules(int pid, int seq, struct sk_buff_head *q)
 }
 
 /* Log rule additions and removals */
-static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid,
+static void audit_log_rule_change(kuid_t loginuid, u32 sessionid, u32 sid,
                                   char *action, struct audit_krule *rule,
                                   int res)
 {
@@ -1068,7 +1121,8 @@ static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid,
         ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
         if (!ab)
                 return;
-        audit_log_format(ab, "auid=%u ses=%u", loginuid, sessionid);
+        audit_log_format(ab, "auid=%u ses=%u",
+                         from_kuid(&init_user_ns, loginuid), sessionid);
         if (sid) {
                 char *ctx = NULL;
                 u32 len;
@@ -1098,8 +1152,8 @@ static void audit_log_rule_change(uid_t loginuid, u32 sessionid, u32 sid,
  * @sessionid: sessionid for netlink audit message
  * @sid: SE Linux Security ID of sender
  */
-int audit_receive_filter(int type, int pid, int uid, int seq, void *data,
-                         size_t datasz, uid_t loginuid, u32 sessionid, u32 sid)
+int audit_receive_filter(int type, int pid, int seq, void *data,
+                         size_t datasz, kuid_t loginuid, u32 sessionid, u32 sid)
 {
         struct task_struct *tsk;
         struct audit_netlink_list *dest;
@@ -1198,6 +1252,52 @@ int audit_comparator(u32 left, u32 op, u32 right)
         }
 }
 
+int audit_uid_comparator(kuid_t left, u32 op, kuid_t right)
+{
+        switch (op) {
+        case Audit_equal:
+                return uid_eq(left, right);
+        case Audit_not_equal:
+                return !uid_eq(left, right);
+        case Audit_lt:
+                return uid_lt(left, right);
+        case Audit_le:
+                return uid_lte(left, right);
+        case Audit_gt:
+                return uid_gt(left, right);
+        case Audit_ge:
+                return uid_gte(left, right);
+        case Audit_bitmask:
+        case Audit_bittest:
+        default:
+                BUG();
+                return 0;
+        }
+}
+
+int audit_gid_comparator(kgid_t left, u32 op, kgid_t right)
+{
+        switch (op) {
+        case Audit_equal:
+                return gid_eq(left, right);
+        case Audit_not_equal:
+                return !gid_eq(left, right);
+        case Audit_lt:
+                return gid_lt(left, right);
+        case Audit_le:
+                return gid_lte(left, right);
+        case Audit_gt:
+                return gid_gt(left, right);
+        case Audit_ge:
+                return gid_gte(left, right);
+        case Audit_bitmask:
+        case Audit_bittest:
+        default:
+                BUG();
+                return 0;
+        }
+}
+
 /* Compare given dentry name with last component in given path,
  * return of 0 indicates a match. */
 int audit_compare_dname_path(const char *dname, const char *path,
@@ -1236,8 +1336,7 @@ int audit_compare_dname_path(const char *dname, const char *path,
         return strncmp(p, dname, dlen);
 }
 
-static int audit_filter_user_rules(struct netlink_skb_parms *cb,
-                                   struct audit_krule *rule,
+static int audit_filter_user_rules(struct audit_krule *rule,
                                    enum audit_state *state)
 {
         int i;
@@ -1249,17 +1348,17 @@ static int audit_filter_user_rules(struct netlink_skb_parms *cb,
 
                 switch (f->type) {
                 case AUDIT_PID:
-                        result = audit_comparator(cb->creds.pid, f->op, f->val);
+                        result = audit_comparator(task_pid_vnr(current), f->op, f->val);
                         break;
                 case AUDIT_UID:
-                        result = audit_comparator(cb->creds.uid, f->op, f->val);
+                        result = audit_uid_comparator(current_uid(), f->op, f->uid);
                         break;
                 case AUDIT_GID:
-                        result = audit_comparator(cb->creds.gid, f->op, f->val);
+                        result = audit_gid_comparator(current_gid(), f->op, f->gid);
                         break;
                 case AUDIT_LOGINUID:
-                        result = audit_comparator(audit_get_loginuid(current),
-                                                  f->op, f->val);
+                        result = audit_uid_comparator(audit_get_loginuid(current),
+                                                  f->op, f->uid);
                         break;
                 case AUDIT_SUBJ_USER:
                 case AUDIT_SUBJ_ROLE:
@@ -1287,7 +1386,7 @@ static int audit_filter_user_rules(struct netlink_skb_parms *cb,
         return 1;
 }
 
-int audit_filter_user(struct netlink_skb_parms *cb)
+int audit_filter_user(void)
 {
         enum audit_state state = AUDIT_DISABLED;
         struct audit_entry *e;
@@ -1295,7 +1394,7 @@ int audit_filter_user(struct netlink_skb_parms *cb)
 
         rcu_read_lock();
         list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
-                if (audit_filter_user_rules(cb, &e->rule, &state)) {
+                if (audit_filter_user_rules(&e->rule, &state)) {
                         if (state == AUDIT_DISABLED)
                                 ret = 0;
                         break;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4b96415527b..ff4798fcb48 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -113,8 +113,8 @@ struct audit_names {
         unsigned long   ino;
         dev_t           dev;
         umode_t         mode;
-        uid_t           uid;
-        gid_t           gid;
+        kuid_t          uid;
+        kgid_t          gid;
         dev_t           rdev;
         u32             osid;
         struct audit_cap_data fcap;
@@ -149,8 +149,8 @@ struct audit_aux_data_execve {
 struct audit_aux_data_pids {
         struct audit_aux_data   d;
         pid_t                   target_pid[AUDIT_AUX_PIDS];
-        uid_t                   target_auid[AUDIT_AUX_PIDS];
-        uid_t                   target_uid[AUDIT_AUX_PIDS];
+        kuid_t                  target_auid[AUDIT_AUX_PIDS];
+        kuid_t                  target_uid[AUDIT_AUX_PIDS];
         unsigned int            target_sessionid[AUDIT_AUX_PIDS];
         u32                     target_sid[AUDIT_AUX_PIDS];
         char                    target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
@@ -208,14 +208,14 @@ struct audit_context {
         size_t sockaddr_len;
                                 /* Save things to print about task_struct */
         pid_t               pid, ppid;
-        uid_t               uid, euid, suid, fsuid;
-        gid_t               gid, egid, sgid, fsgid;
+        kuid_t              uid, euid, suid, fsuid;
+        kgid_t              gid, egid, sgid, fsgid;
         unsigned long       personality;
         int                 arch;
 
         pid_t               target_pid;
-        uid_t               target_auid;
-        uid_t               target_uid;
+        kuid_t              target_auid;
+        kuid_t              target_uid;
         unsigned int        target_sessionid;
         u32                 target_sid;
         char                target_comm[TASK_COMM_LEN];
@@ -231,8 +231,8 @@ struct audit_context {
                         long args[6];
                 } socketcall;
                 struct {
-                        uid_t                   uid;
-                        gid_t                   gid;
+                        kuid_t                  uid;
+                        kgid_t                  gid;
                         umode_t                 mode;
                         u32                     osid;
                         int                     has_perm;
@@ -464,37 +464,47 @@ static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
         return 0;
 }
 
-static int audit_compare_id(uid_t uid1,
-                            struct audit_names *name,
-                            unsigned long name_offset,
-                            struct audit_field *f,
-                            struct audit_context *ctx)
+static int audit_compare_uid(kuid_t uid,
+                             struct audit_names *name,
+                             struct audit_field *f,
+                             struct audit_context *ctx)
 {
         struct audit_names *n;
-        unsigned long addr;
-        uid_t uid2;
         int rc;
-
-        BUILD_BUG_ON(sizeof(uid_t) != sizeof(gid_t));
-
+ 
         if (name) {
-                addr = (unsigned long)name;
-                addr += name_offset;
-
-                uid2 = *(uid_t *)addr;
-                rc = audit_comparator(uid1, f->op, uid2);
+                rc = audit_uid_comparator(uid, f->op, name->uid);
                 if (rc)
                         return rc;
         }
-
+ 
         if (ctx) {
                 list_for_each_entry(n, &ctx->names_list, list) {
-                        addr = (unsigned long)n;
-                        addr += name_offset;
-
-                        uid2 = *(uid_t *)addr;
+                        rc = audit_uid_comparator(uid, f->op, n->uid);
+                        if (rc)
+                                return rc;
+                }
+        }
+        return 0;
+}
 
-                        rc = audit_comparator(uid1, f->op, uid2);
+static int audit_compare_gid(kgid_t gid,
+                             struct audit_names *name,
+                             struct audit_field *f,
+                             struct audit_context *ctx)
+{
+        struct audit_names *n;
+        int rc;
+ 
+        if (name) {
+                rc = audit_gid_comparator(gid, f->op, name->gid);
+                if (rc)
+                        return rc;
+        }
+ 
+        if (ctx) {
+                list_for_each_entry(n, &ctx->names_list, list) {
+                        rc = audit_gid_comparator(gid, f->op, n->gid);
                         if (rc)
                                 return rc;
                 }
@@ -511,80 +521,62 @@ static int audit_field_compare(struct task_struct *tsk,
         switch (f->val) {
         /* process to file object comparisons */
         case AUDIT_COMPARE_UID_TO_OBJ_UID:
-                return audit_compare_id(cred->uid,
-                                        name, offsetof(struct audit_names, uid),
-                                        f, ctx);
+                return audit_compare_uid(cred->uid, name, f, ctx);
         case AUDIT_COMPARE_GID_TO_OBJ_GID:
-                return audit_compare_id(cred->gid,
-                                        name, offsetof(struct audit_names, gid),
-                                        f, ctx);
+                return audit_compare_gid(cred->gid, name, f, ctx);
         case AUDIT_COMPARE_EUID_TO_OBJ_UID:
-                return audit_compare_id(cred->euid,
-                                        name, offsetof(struct audit_names, uid),
-                                        f, ctx);
+                return audit_compare_uid(cred->euid, name, f, ctx);
         case AUDIT_COMPARE_EGID_TO_OBJ_GID:
-                return audit_compare_id(cred->egid,
-                                        name, offsetof(struct audit_names, gid),
-                                        f, ctx);
+                return audit_compare_gid(cred->egid, name, f, ctx);
         case AUDIT_COMPARE_AUID_TO_OBJ_UID:
-                return audit_compare_id(tsk->loginuid,
-                                        name, offsetof(struct audit_names, uid),
-                                        f, ctx);
+                return audit_compare_uid(tsk->loginuid, name, f, ctx);
         case AUDIT_COMPARE_SUID_TO_OBJ_UID:
-                return audit_compare_id(cred->suid,
-                                        name, offsetof(struct audit_names, uid),
-                                        f, ctx);
+                return audit_compare_uid(cred->suid, name, f, ctx);
         case AUDIT_COMPARE_SGID_TO_OBJ_GID:
-                return audit_compare_id(cred->sgid,
-                                        name, offsetof(struct audit_names, gid),
-                                        f, ctx);
+                return audit_compare_gid(cred->sgid, name, f, ctx);
         case AUDIT_COMPARE_FSUID_TO_OBJ_UID:
-                return audit_compare_id(cred->fsuid,
-                                        name, offsetof(struct audit_names, uid),
-                                        f, ctx);
+                return audit_compare_uid(cred->fsuid, name, f, ctx);
         case AUDIT_COMPARE_FSGID_TO_OBJ_GID:
-                return audit_compare_id(cred->fsgid,
-                                        name, offsetof(struct audit_names, gid),
-                                        f, ctx);
+                return audit_compare_gid(cred->fsgid, name, f, ctx);
         /* uid comparisons */
         case AUDIT_COMPARE_UID_TO_AUID:
-                return audit_comparator(cred->uid, f->op, tsk->loginuid);
+                return audit_uid_comparator(cred->uid, f->op, tsk->loginuid);
         case AUDIT_COMPARE_UID_TO_EUID:
-                return audit_comparator(cred->uid, f->op, cred->euid);
+                return audit_uid_comparator(cred->uid, f->op, cred->euid);
         case AUDIT_COMPARE_UID_TO_SUID:
-                return audit_comparator(cred->uid, f->op, cred->suid);
+                return audit_uid_comparator(cred->uid, f->op, cred->suid);
         case AUDIT_COMPARE_UID_TO_FSUID:
-                return audit_comparator(cred->uid, f->op, cred->fsuid);
+                return audit_uid_comparator(cred->uid, f->op, cred->fsuid);
         /* auid comparisons */
         case AUDIT_COMPARE_AUID_TO_EUID:
-                return audit_comparator(tsk->loginuid, f->op, cred->euid);
+                return audit_uid_comparator(tsk->loginuid, f->op, cred->euid);
         case AUDIT_COMPARE_AUID_TO_SUID:
-                return audit_comparator(tsk->loginuid, f->op, cred->suid);
+                return audit_uid_comparator(tsk->loginuid, f->op, cred->suid);
         case AUDIT_COMPARE_AUID_TO_FSUID:
-                return audit_comparator(tsk->loginuid, f->op, cred->fsuid);
+                return audit_uid_comparator(tsk->loginuid, f->op, cred->fsuid);
         /* euid comparisons */
         case AUDIT_COMPARE_EUID_TO_SUID:
-                return audit_comparator(cred->euid, f->op, cred->suid);
+                return audit_uid_comparator(cred->euid, f->op, cred->suid);
         case AUDIT_COMPARE_EUID_TO_FSUID:
-                return audit_comparator(cred->euid, f->op, cred->fsuid);
+                return audit_uid_comparator(cred->euid, f->op, cred->fsuid);
         /* suid comparisons */
         case AUDIT_COMPARE_SUID_TO_FSUID:
-                return audit_comparator(cred->suid, f->op, cred->fsuid);
+                return audit_uid_comparator(cred->suid, f->op, cred->fsuid);
         /* gid comparisons */
         case AUDIT_COMPARE_GID_TO_EGID:
-                return audit_comparator(cred->gid, f->op, cred->egid);
+                return audit_gid_comparator(cred->gid, f->op, cred->egid);
         case AUDIT_COMPARE_GID_TO_SGID:
-                return audit_comparator(cred->gid, f->op, cred->sgid);
+                return audit_gid_comparator(cred->gid, f->op, cred->sgid);
         case AUDIT_COMPARE_GID_TO_FSGID:
-                return audit_comparator(cred->gid, f->op, cred->fsgid);
+                return audit_gid_comparator(cred->gid, f->op, cred->fsgid);
         /* egid comparisons */
         case AUDIT_COMPARE_EGID_TO_SGID:
-                return audit_comparator(cred->egid, f->op, cred->sgid);
+                return audit_gid_comparator(cred->egid, f->op, cred->sgid);
         case AUDIT_COMPARE_EGID_TO_FSGID:
-                return audit_comparator(cred->egid, f->op, cred->fsgid);
+                return audit_gid_comparator(cred->egid, f->op, cred->fsgid);
         /* sgid comparison */
         case AUDIT_COMPARE_SGID_TO_FSGID:
-                return audit_comparator(cred->sgid, f->op, cred->fsgid);
+                return audit_gid_comparator(cred->sgid, f->op, cred->fsgid);
         default:
                 WARN(1, "Missing AUDIT_COMPARE define.  Report as a bug\n");
                 return 0;
@@ -630,28 +622,28 @@ static int audit_filter_rules(struct task_struct *tsk,
                         }
                         break;
                 case AUDIT_UID:
-                        result = audit_comparator(cred->uid, f->op, f->val);
+                        result = audit_uid_comparator(cred->uid, f->op, f->uid);
                         break;
                 case AUDIT_EUID:
-                        result = audit_comparator(cred->euid, f->op, f->val);
+                        result = audit_uid_comparator(cred->euid, f->op, f->uid);
                         break;
                 case AUDIT_SUID:
-                        result = audit_comparator(cred->suid, f->op, f->val);
+                        result = audit_uid_comparator(cred->suid, f->op, f->uid);
                         break;
                 case AUDIT_FSUID:
-                        result = audit_comparator(cred->fsuid, f->op, f->val);
+                        result = audit_uid_comparator(cred->fsuid, f->op, f->uid);
                         break;
                 case AUDIT_GID:
-                        result = audit_comparator(cred->gid, f->op, f->val);
+                        result = audit_gid_comparator(cred->gid, f->op, f->gid);
                         break;
                 case AUDIT_EGID:
-                        result = audit_comparator(cred->egid, f->op, f->val);
+                        result = audit_gid_comparator(cred->egid, f->op, f->gid);
                         break;
                 case AUDIT_SGID:
-                        result = audit_comparator(cred->sgid, f->op, f->val);
+                        result = audit_gid_comparator(cred->sgid, f->op, f->gid);
                         break;
                 case AUDIT_FSGID:
-                        result = audit_comparator(cred->fsgid, f->op, f->val);
+                        result = audit_gid_comparator(cred->fsgid, f->op, f->gid);
                         break;
                 case AUDIT_PERS:
                         result = audit_comparator(tsk->personality, f->op, f->val);
@@ -717,10 +709,10 @@ static int audit_filter_rules(struct task_struct *tsk,
                         break;
                 case AUDIT_OBJ_UID:
                         if (name) {
-                                result = audit_comparator(name->uid, f->op, f->val);
+                                result = audit_uid_comparator(name->uid, f->op, f->uid);
                         } else if (ctx) {
                                 list_for_each_entry(n, &ctx->names_list, list) {
-                                        if (audit_comparator(n->uid, f->op, f->val)) {
+                                        if (audit_uid_comparator(n->uid, f->op, f->uid)) {
                                                 ++result;
                                                 break;
                                         }
@@ -729,10 +721,10 @@ static int audit_filter_rules(struct task_struct *tsk,
                         break;
                 case AUDIT_OBJ_GID:
                         if (name) {
-                                result = audit_comparator(name->gid, f->op, f->val);
+                                result = audit_gid_comparator(name->gid, f->op, f->gid);
                         } else if (ctx) {
                                 list_for_each_entry(n, &ctx->names_list, list) {
-                                        if (audit_comparator(n->gid, f->op, f->val)) {
+                                        if (audit_gid_comparator(n->gid, f->op, f->gid)) {
                                                 ++result;
                                                 break;
                                         }
@@ -750,7 +742,7 @@ static int audit_filter_rules(struct task_struct *tsk,
                 case AUDIT_LOGINUID:
                         result = 0;
                         if (ctx)
-                                result = audit_comparator(tsk->loginuid, f->op, f->val);
+                                result = audit_uid_comparator(tsk->loginuid, f->op, f->uid);
                         break;
                 case AUDIT_SUBJ_USER:
                 case AUDIT_SUBJ_ROLE:
@@ -1184,7 +1176,7 @@ static void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk
 }
 
 static int audit_log_pid_context(struct audit_context *context, pid_t pid,
-                                 uid_t auid, uid_t uid, unsigned int sessionid,
+                                 kuid_t auid, kuid_t uid, unsigned int sessionid,
                                  u32 sid, char *comm)
 {
         struct audit_buffer *ab;
@@ -1196,8 +1188,9 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
         if (!ab)
                 return rc;
 
-        audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid,
-                         uid, sessionid);
+        audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
+                         from_kuid(&init_user_ns, auid),
+                         from_kuid(&init_user_ns, uid), sessionid);
         if (security_secid_to_secctx(sid, &ctx, &len)) {
                 audit_log_format(ab, " obj=(none)");
                 rc = 1;
@@ -1447,7 +1440,9 @@ static void show_special(struct audit_context *context, int *call_panic)
                 u32 osid = context->ipc.osid;
 
                 audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
-                         context->ipc.uid, context->ipc.gid, context->ipc.mode);
+                                 from_kuid(&init_user_ns, context->ipc.uid),
+                                 from_kgid(&init_user_ns, context->ipc.gid),
+                                 context->ipc.mode);
                 if (osid) {
                         char *ctx = NULL;
                         u32 len;
@@ -1560,8 +1555,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
                                  MAJOR(n->dev),
                                  MINOR(n->dev),
                                  n->mode,
-                                 n->uid,
-                                 n->gid,
+                                 from_kuid(&init_user_ns, n->uid),
+                                 from_kgid(&init_user_ns, n->gid),
                                  MAJOR(n->rdev),
                                  MINOR(n->rdev));
         }
@@ -1638,11 +1633,16 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
                   context->name_count,
                   context->ppid,
                   context->pid,
-                  tsk->loginuid,
-                  context->uid,
-                  context->gid,
-                  context->euid, context->suid, context->fsuid,
-                  context->egid, context->sgid, context->fsgid, tty,
+                  from_kuid(&init_user_ns, tsk->loginuid),
+                  from_kuid(&init_user_ns, context->uid),
+                  from_kgid(&init_user_ns, context->gid),
+                  from_kuid(&init_user_ns, context->euid),
+                  from_kuid(&init_user_ns, context->suid),
+                  from_kuid(&init_user_ns, context->fsuid),
+                  from_kgid(&init_user_ns, context->egid),
+                  from_kgid(&init_user_ns, context->sgid),
+                  from_kgid(&init_user_ns, context->fsgid),
+                  tty,
                   tsk->sessionid);
 
 
@@ -2299,14 +2299,14 @@ static atomic_t session_id = ATOMIC_INIT(0);
  *
  * Called (set) from fs/proc/base.c::proc_loginuid_write().
  */
-int audit_set_loginuid(uid_t loginuid)
+int audit_set_loginuid(kuid_t loginuid)
 {
         struct task_struct *task = current;
         struct audit_context *context = task->audit_context;
         unsigned int sessionid;
 
 #ifdef CONFIG_AUDIT_LOGINUID_IMMUTABLE
-        if (task->loginuid != -1)
+        if (uid_valid(task->loginuid))
                 return -EPERM;
 #else /* CONFIG_AUDIT_LOGINUID_IMMUTABLE */
         if (!capable(CAP_AUDIT_CONTROL))
@@ -2322,8 +2322,10 @@ int audit_set_loginuid(uid_t loginuid)
                         audit_log_format(ab, "login pid=%d uid=%u "
                                 "old auid=%u new auid=%u"
                                 " old ses=%u new ses=%u",
-                                task->pid, task_uid(task),
-                                task->loginuid, loginuid,
+                                task->pid,
+                                from_kuid(&init_user_ns, task_uid(task)),
+                                from_kuid(&init_user_ns, task->loginuid),
+                                from_kuid(&init_user_ns, loginuid),
                                 task->sessionid, sessionid);
                         audit_log_end(ab);
                 }
@@ -2546,12 +2548,12 @@ int __audit_signal_info(int sig, struct task_struct *t)
         struct audit_aux_data_pids *axp;
         struct task_struct *tsk = current;
         struct audit_context *ctx = tsk->audit_context;
-        uid_t uid = current_uid(), t_uid = task_uid(t);
+        kuid_t uid = current_uid(), t_uid = task_uid(t);
 
         if (audit_pid && t->tgid == audit_pid) {
                 if (sig == SIGTERM || sig == SIGHUP || sig == SIGUSR1 || sig == SIGUSR2) {
                         audit_sig_pid = tsk->pid;
-                        if (tsk->loginuid != -1)
+                        if (uid_valid(tsk->loginuid))
                                 audit_sig_uid = tsk->loginuid;
                         else
                                 audit_sig_uid = uid;
@@ -2672,8 +2674,8 @@ void __audit_mmap_fd(int fd, int flags)
 
 static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
 {
-        uid_t auid, uid;
-        gid_t gid;
+        kuid_t auid, uid;
+        kgid_t gid;
         unsigned int sessionid;
 
         auid = audit_get_loginuid(current);
@@ -2681,7 +2683,10 @@ static void audit_log_abend(struct audit_buffer *ab, char *reason, long signr)
         current_uid_gid(&uid, &gid);
 
         audit_log_format(ab, "auid=%u uid=%u gid=%u ses=%u",
-                         auid, uid, gid, sessionid);
+                         from_kuid(&init_user_ns, auid),
+                         from_kuid(&init_user_ns, uid),
+                         from_kgid(&init_user_ns, gid),
+                         sessionid);
         audit_log_task_context(ab);
         audit_log_format(ab, " pid=%d comm=", current->pid);
         audit_log_untrustedstring(ab, current->comm);
diff --git a/kernel/cred.c b/kernel/cred.c
index de728ac50d8..48cea3da6d0 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -799,9 +799,15 @@ static void dump_invalid_creds(const struct cred *cred, const char *label,
                atomic_read(&cred->usage),
                read_cred_subscribers(cred));
         printk(KERN_ERR "CRED: ->*uid = { %d,%d,%d,%d }\n",
-               cred->uid, cred->euid, cred->suid, cred->fsuid);
+                from_kuid_munged(&init_user_ns, cred->uid),
+                from_kuid_munged(&init_user_ns, cred->euid),
+                from_kuid_munged(&init_user_ns, cred->suid),
+                from_kuid_munged(&init_user_ns, cred->fsuid));
         printk(KERN_ERR "CRED: ->*gid = { %d,%d,%d,%d }\n",
-               cred->gid, cred->egid, cred->sgid, cred->fsgid);
+                from_kgid_munged(&init_user_ns, cred->gid),
+                from_kgid_munged(&init_user_ns, cred->egid),
+                from_kgid_munged(&init_user_ns, cred->sgid),
+                from_kgid_munged(&init_user_ns, cred->fsgid));
 #ifdef CONFIG_SECURITY
         printk(KERN_ERR "CRED: ->security is %p\n", cred->security);
         if ((unsigned long) cred->security >= PAGE_SIZE &&
diff --git a/kernel/pid.c b/kernel/pid.c
index e86b291ad83..aebd4f5aaf4 100644
--- a/kernel/pid.c
+++ b/kernel/pid.c
@@ -479,6 +479,7 @@ pid_t pid_nr_ns(struct pid *pid, struct pid_namespace *ns)
         }
         return nr;
 }
+EXPORT_SYMBOL_GPL(pid_nr_ns);
 
 pid_t pid_vnr(struct pid *pid)
 {
diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
index 6144bab8fd8..478bad2745e 100644
--- a/kernel/pid_namespace.c
+++ b/kernel/pid_namespace.c
@@ -16,6 +16,7 @@
 #include <linux/slab.h>
 #include <linux/proc_fs.h>
 #include <linux/reboot.h>
+#include <linux/export.h>
 
 #define BITS_PER_PAGE           (PAGE_SIZE*8)
 
@@ -144,6 +145,7 @@ void free_pid_ns(struct kref *kref)
         if (parent != NULL)
                 put_pid_ns(parent);
 }
+EXPORT_SYMBOL_GPL(free_pid_ns);
 
 void zap_pid_ns_processes(struct pid_namespace *pid_ns)
 {
diff --git a/kernel/taskstats.c b/kernel/taskstats.c
index d0a32796550..3880df2acf0 100644
--- a/kernel/taskstats.c
+++ b/kernel/taskstats.c
@@ -27,6 +27,7 @@
 #include <linux/cgroup.h>
 #include <linux/fs.h>
 #include <linux/file.h>
+#include <linux/pid_namespace.h>
 #include <net/genetlink.h>
 #include <linux/atomic.h>
 
@@ -174,7 +175,9 @@ static void send_cpu_listeners(struct sk_buff *skb,
         up_write(&listeners->sem);
 }
 
-static void fill_stats(struct task_struct *tsk, struct taskstats *stats)
+static void fill_stats(struct user_namespace *user_ns,
+                       struct pid_namespace *pid_ns,
+                       struct task_struct *tsk, struct taskstats *stats)
 {
         memset(stats, 0, sizeof(*stats));
         /*
@@ -190,7 +193,7 @@ static void fill_stats(struct task_struct *tsk, struct taskstats *stats)
         stats->version = TASKSTATS_VERSION;
         stats->nvcsw = tsk->nvcsw;
         stats->nivcsw = tsk->nivcsw;
-        bacct_add_tsk(stats, tsk);
+        bacct_add_tsk(user_ns, pid_ns, stats, tsk);
 
         /* fill in extended acct fields */
         xacct_add_tsk(stats, tsk);
@@ -207,7 +210,7 @@ static int fill_stats_for_pid(pid_t pid, struct taskstats *stats)
         rcu_read_unlock();
         if (!tsk)
                 return -ESRCH;
-        fill_stats(tsk, stats);
+        fill_stats(current_user_ns(), task_active_pid_ns(current), tsk, stats);
         put_task_struct(tsk);
         return 0;
 }
@@ -291,6 +294,12 @@ static int add_del_listener(pid_t pid, const struct cpumask *mask, int isadd)
         if (!cpumask_subset(mask, cpu_possible_mask))
                 return -EINVAL;
 
+        if (current_user_ns() != &init_user_ns)
+                return -EINVAL;
+
+        if (task_active_pid_ns(current) != &init_pid_ns)
+                return -EINVAL;
+
         if (isadd == REGISTER) {
                 for_each_cpu(cpu, mask) {
                         s = kmalloc_node(sizeof(struct listener),
@@ -631,11 +640,12 @@ void taskstats_exit(struct task_struct *tsk, int group_dead)
         if (rc < 0)
                 return;
 
-        stats = mk_reply(rep_skb, TASKSTATS_TYPE_PID, tsk->pid);
+        stats = mk_reply(rep_skb, TASKSTATS_TYPE_PID,
+                         task_pid_nr_ns(tsk, &init_pid_ns));
         if (!stats)
                 goto err;
 
-        fill_stats(tsk, stats);
+        fill_stats(&init_user_ns, &init_pid_ns, tsk, stats);
 
         /*
          * Doesn't matter if tsk is the leader or the last group member leaving
@@ -643,7 +653,8 @@ void taskstats_exit(struct task_struct *tsk, int group_dead)
         if (!is_thread_group || !group_dead)
                 goto send;
 
-        stats = mk_reply(rep_skb, TASKSTATS_TYPE_TGID, tsk->tgid);
+        stats = mk_reply(rep_skb, TASKSTATS_TYPE_TGID,
+                         task_tgid_nr_ns(tsk, &init_pid_ns));
         if (!stats)
                 goto err;
 
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 1ec5c1dab62..cdcb59450b4 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -2061,7 +2061,8 @@ print_trace_header(struct seq_file *m, struct trace_iterator *iter)
         seq_puts(m, "#    -----------------\n");
         seq_printf(m, "#    | task: %.16s-%d "
                    "(uid:%d nice:%ld policy:%ld rt_prio:%ld)\n",
-                   data->comm, data->pid, data->uid, data->nice,
+                   data->comm, data->pid,
+                   from_kuid_munged(seq_user_ns(m), data->uid), data->nice,
                    data->policy, data->rt_priority);
         seq_puts(m, "#    -----------------\n");
 
diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h
index 63a2da0b9a6..c15f528c1af 100644
--- a/kernel/trace/trace.h
+++ b/kernel/trace/trace.h
@@ -147,7 +147,7 @@ struct trace_array_cpu {
         unsigned long           skipped_entries;
         cycle_t                 preempt_timestamp;
         pid_t                   pid;
-        uid_t                   uid;
+        kuid_t                  uid;
         char                    comm[TASK_COMM_LEN];
 };
 
diff --git a/kernel/tsacct.c b/kernel/tsacct.c
index 23b4d784ebd..625df0b4469 100644
--- a/kernel/tsacct.c
+++ b/kernel/tsacct.c
@@ -26,7 +26,9 @@
 /*
  * fill in basic accounting fields
  */
-void bacct_add_tsk(struct taskstats *stats, struct task_struct *tsk)
+void bacct_add_tsk(struct user_namespace *user_ns,
+                   struct pid_namespace *pid_ns,
+                   struct taskstats *stats, struct task_struct *tsk)
 {
         const struct cred *tcred;
         struct timespec uptime, ts;
@@ -55,13 +57,13 @@ void bacct_add_tsk(struct taskstats *stats, struct task_struct *tsk)
                 stats->ac_flag |= AXSIG;
         stats->ac_nice   = task_nice(tsk);
         stats->ac_sched  = tsk->policy;
-        stats->ac_pid    = tsk->pid;
+        stats->ac_pid    = task_pid_nr_ns(tsk, pid_ns);
         rcu_read_lock();
         tcred = __task_cred(tsk);
-        stats->ac_uid    = tcred->uid;
-        stats->ac_gid    = tcred->gid;
+        stats->ac_uid    = from_kuid_munged(user_ns, tcred->uid);
+        stats->ac_gid    = from_kgid_munged(user_ns, tcred->gid);
         stats->ac_ppid   = pid_alive(tsk) ?
-                                rcu_dereference(tsk->real_parent)->tgid : 0;
+                task_tgid_nr_ns(rcu_dereference(tsk->real_parent), pid_ns) : 0;
         rcu_read_unlock();
         stats->ac_utime = cputime_to_usecs(tsk->utime);
         stats->ac_stime = cputime_to_usecs(tsk->stime);
diff --git a/kernel/user.c b/kernel/user.c
index b815fefbe76..750acffbe9e 100644
--- a/kernel/user.c
+++ b/kernel/user.c
@@ -38,6 +38,14 @@ struct user_namespace init_user_ns = {
                         .count = 4294967295U,
                 },
         },
+        .projid_map = {
+                .nr_extents = 1,
+                .extent[0] = {
+                        .first = 0,
+                        .lower_first = 0,
+                        .count = 4294967295U,
+                },
+        },
         .kref = {
                 .refcount       = ATOMIC_INIT(3),
         },
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 86602316422..456a6b9fba3 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -19,6 +19,7 @@
 #include <linux/fs.h>
 #include <linux/uaccess.h>
 #include <linux/ctype.h>
+#include <linux/projid.h>
 
 static struct kmem_cache *user_ns_cachep __read_mostly;
 
@@ -295,6 +296,75 @@ gid_t from_kgid_munged(struct user_namespace *targ, kgid_t kgid)
 }
 EXPORT_SYMBOL(from_kgid_munged);
 
+/**
+ *      make_kprojid - Map a user-namespace projid pair into a kprojid.
+ *      @ns:  User namespace that the projid is in
+ *      @projid: Project identifier
+ *
+ *      Maps a user-namespace uid pair into a kernel internal kuid,
+ *      and returns that kuid.
+ *
+ *      When there is no mapping defined for the user-namespace projid
+ *      pair INVALID_PROJID is returned.  Callers are expected to test
+ *      for and handle handle INVALID_PROJID being returned.  INVALID_PROJID
+ *      may be tested for using projid_valid().
+ */
+kprojid_t make_kprojid(struct user_namespace *ns, projid_t projid)
+{
+        /* Map the uid to a global kernel uid */
+        return KPROJIDT_INIT(map_id_down(&ns->projid_map, projid));
+}
+EXPORT_SYMBOL(make_kprojid);
+
+/**
+ *      from_kprojid - Create a projid from a kprojid user-namespace pair.
+ *      @targ: The user namespace we want a projid in.
+ *      @kprojid: The kernel internal project identifier to start with.
+ *
+ *      Map @kprojid into the user-namespace specified by @targ and
+ *      return the resulting projid.
+ *
+ *      There is always a mapping into the initial user_namespace.
+ *
+ *      If @kprojid has no mapping in @targ (projid_t)-1 is returned.
+ */
+projid_t from_kprojid(struct user_namespace *targ, kprojid_t kprojid)
+{
+        /* Map the uid from a global kernel uid */
+        return map_id_up(&targ->projid_map, __kprojid_val(kprojid));
+}
+EXPORT_SYMBOL(from_kprojid);
+
+/**
+ *      from_kprojid_munged - Create a projiid from a kprojid user-namespace pair.
+ *      @targ: The user namespace we want a projid in.
+ *      @kprojid: The kernel internal projid to start with.
+ *
+ *      Map @kprojid into the user-namespace specified by @targ and
+ *      return the resulting projid.
+ *
+ *      There is always a mapping into the initial user_namespace.
+ *
+ *      Unlike from_kprojid from_kprojid_munged never fails and always
+ *      returns a valid projid.  This makes from_kprojid_munged
+ *      appropriate for use in syscalls like stat and where
+ *      failing the system call and failing to provide a valid projid are
+ *      not an options.
+ *
+ *      If @kprojid has no mapping in @targ OVERFLOW_PROJID is returned.
+ */
+projid_t from_kprojid_munged(struct user_namespace *targ, kprojid_t kprojid)
+{
+        projid_t projid;
+        projid = from_kprojid(targ, kprojid);
+
+        if (projid == (projid_t) -1)
+                projid = OVERFLOW_PROJID;
+        return projid;
+}
+EXPORT_SYMBOL(from_kprojid_munged);
+
+
 static int uid_m_show(struct seq_file *seq, void *v)
 {
         struct user_namespace *ns = seq->private;
@@ -337,6 +407,27 @@ static int gid_m_show(struct seq_file *seq, void *v)
         return 0;
 }
 
+static int projid_m_show(struct seq_file *seq, void *v)
+{
+        struct user_namespace *ns = seq->private;
+        struct uid_gid_extent *extent = v;
+        struct user_namespace *lower_ns;
+        projid_t lower;
+
+        lower_ns = seq_user_ns(seq);
+        if ((lower_ns == ns) && lower_ns->parent)
+                lower_ns = lower_ns->parent;
+
+        lower = from_kprojid(lower_ns, KPROJIDT_INIT(extent->lower_first));
+
+        seq_printf(seq, "%10u %10u %10u\n",
+                extent->first,
+                lower,
+                extent->count);
+
+        return 0;
+}
+
 static void *m_start(struct seq_file *seq, loff_t *ppos, struct uid_gid_map *map)
 {
         struct uid_gid_extent *extent = NULL;
@@ -362,6 +453,13 @@ static void *gid_m_start(struct seq_file *seq, loff_t *ppos)
         return m_start(seq, ppos, &ns->gid_map);
 }
 
+static void *projid_m_start(struct seq_file *seq, loff_t *ppos)
+{
+        struct user_namespace *ns = seq->private;
+
+        return m_start(seq, ppos, &ns->projid_map);
+}
+
 static void *m_next(struct seq_file *seq, void *v, loff_t *pos)
 {
         (*pos)++;
@@ -387,6 +485,13 @@ struct seq_operations proc_gid_seq_operations = {
         .show = gid_m_show,
 };
 
+struct seq_operations proc_projid_seq_operations = {
+        .start = projid_m_start,
+        .stop = m_stop,
+        .next = m_next,
+        .show = projid_m_show,
+};
+
 static DEFINE_MUTEX(id_map_mutex);
 
 static ssize_t map_write(struct file *file, const char __user *buf,
@@ -434,7 +539,7 @@ static ssize_t map_write(struct file *file, const char __user *buf,
         /* Require the appropriate privilege CAP_SETUID or CAP_SETGID
          * over the user namespace in order to set the id mapping.
          */
-        if (!ns_capable(ns, cap_setid))
+        if (cap_valid(cap_setid) && !ns_capable(ns, cap_setid))
                 goto out;
 
         /* Get a buffer */
@@ -584,9 +689,30 @@ ssize_t proc_gid_map_write(struct file *file, const char __user *buf, size_t siz
                          &ns->gid_map, &ns->parent->gid_map);
 }
 
+ssize_t proc_projid_map_write(struct file *file, const char __user *buf, size_t size, loff_t *ppos)
+{
+        struct seq_file *seq = file->private_data;
+        struct user_namespace *ns = seq->private;
+        struct user_namespace *seq_ns = seq_user_ns(seq);
+
+        if (!ns->parent)
+                return -EPERM;
+
+        if ((seq_ns != ns) && (seq_ns != ns->parent))
+                return -EPERM;
+
+        /* Anyone can set any valid project id no capability needed */
+        return map_write(file, buf, size, ppos, -1,
+                         &ns->projid_map, &ns->parent->projid_map);
+}
+
 static bool new_idmap_permitted(struct user_namespace *ns, int cap_setid,
                                 struct uid_gid_map *new_map)
 {
+        /* Allow anyone to set a mapping that doesn't require privilege */
+        if (!cap_valid(cap_setid))
+                return true;
+
         /* Allow the specified ids if we have the appropriate capability
          * (CAP_SETUID or CAP_SETGID) over the parent user namespace.
          */