Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull security layer updates from James Morris:
 "Highlights:

   - Smack adds secmark support for Netfilter
   - /proc/keys is now mandatory if CONFIG_KEYS=y
   - TPM gets its own device class
   - Added TPM 2.0 support
   - Smack file hook rework (all Smack users should review this!)"

* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (64 commits)
  cipso: don't use IPCB() to locate the CIPSO IP option
  SELinux: fix error code in policydb_init()
  selinux: add security in-core xattr support for pstore and debugfs
  selinux: quiet the filesystem labeling behavior message
  selinux: Remove unused function avc_sidcmp()
  ima: /proc/keys is now mandatory
  Smack: Repair netfilter dependency
  X.509: silence asn1 compiler debug output
  X.509: shut up about included cert for silent build
  KEYS: Make /proc/keys unconditional if CONFIG_KEYS=y
  MAINTAINERS: email update
  tpm/tpm_tis: Add missing ifdef CONFIG_ACPI for pnp_acpi_device
  smack: fix possible use after frees in task_security() callers
  smack: Add missing logging in bidirectional UDS connect check
  Smack: secmark support for netfilter
  Smack: Rework file hooks
  tpm: fix format string error in tpm-chip.c
  char/tpm/tpm_crb: fix build error
  smack: Fix a bidirectional UDS connect check typo
  smack: introduce a special case for tmpfs in smack_d_instantiate()
  ...

2 files changed, 40 insertions, 26 deletions

diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index 5160c710f2eb..e361ea6f3fc8 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -378,20 +378,18 @@ static int cipso_v4_cache_check(const unsigned char *key,
  * negative values on failure.
  *
  */
-int cipso_v4_cache_add(const struct sk_buff *skb,
+int cipso_v4_cache_add(const unsigned char *cipso_ptr,
                        const struct netlbl_lsm_secattr *secattr)
 {
         int ret_val = -EPERM;
         u32 bkt;
         struct cipso_v4_map_cache_entry *entry = NULL;
         struct cipso_v4_map_cache_entry *old_entry = NULL;
-        unsigned char *cipso_ptr;
         u32 cipso_ptr_len;
 
         if (!cipso_v4_cache_enabled || cipso_v4_cache_bucketsize <= 0)
                 return 0;
 
-        cipso_ptr = CIPSO_V4_OPTPTR(skb);
         cipso_ptr_len = cipso_ptr[1];
 
         entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
@@ -1579,6 +1577,33 @@ static int cipso_v4_parsetag_loc(const struct cipso_v4_doi *doi_def,
 }
 
 /**
+ * cipso_v4_optptr - Find the CIPSO option in the packet
+ * @skb: the packet
+ *
+ * Description:
+ * Parse the packet's IP header looking for a CIPSO option.  Returns a pointer
+ * to the start of the CIPSO option on success, NULL if one if not found.
+ *
+ */
+unsigned char *cipso_v4_optptr(const struct sk_buff *skb)
+{
+        const struct iphdr *iph = ip_hdr(skb);
+        unsigned char *optptr = (unsigned char *)&(ip_hdr(skb)[1]);
+        int optlen;
+        int taglen;
+
+        for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) {
+                if (optptr[0] == IPOPT_CIPSO)
+                        return optptr;
+                taglen = optptr[1];
+                optlen -= taglen;
+                optptr += taglen;
+        }
+
+        return NULL;
+}
+
+/**
  * cipso_v4_validate - Validate a CIPSO option
  * @option: the start of the option, on error it is set to point to the error
  *
@@ -2119,8 +2144,8 @@ void cipso_v4_req_delattr(struct request_sock *req)
  * on success and negative values on failure.
  *
  */
-static int cipso_v4_getattr(const unsigned char *cipso,
-                            struct netlbl_lsm_secattr *secattr)
+int cipso_v4_getattr(const unsigned char *cipso,
+                     struct netlbl_lsm_secattr *secattr)
 {
         int ret_val = -ENOMSG;
         u32 doi;
@@ -2305,22 +2330,6 @@ int cipso_v4_skbuff_delattr(struct sk_buff *skb)
         return 0;
 }
 
-/**
- * cipso_v4_skbuff_getattr - Get the security attributes from the CIPSO option
- * @skb: the packet
- * @secattr: the security attributes
- *
- * Description:
- * Parse the given packet's CIPSO option and return the security attributes.
- * Returns zero on success and negative values on failure.
- *
- */
-int cipso_v4_skbuff_getattr(const struct sk_buff *skb,
-                            struct netlbl_lsm_secattr *secattr)
-{
-        return cipso_v4_getattr(CIPSO_V4_OPTPTR(skb), secattr);
-}
-
 /*
  * Setup Functions
  */
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index a845cd4cf21e..28cddc85b700 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -1065,10 +1065,12 @@ int netlbl_skbuff_getattr(const struct sk_buff *skb,
                           u16 family,
                           struct netlbl_lsm_secattr *secattr)
 {
+        unsigned char *ptr;
+
         switch (family) {
         case AF_INET:
-                if (CIPSO_V4_OPTEXIST(skb) &&
-                    cipso_v4_skbuff_getattr(skb, secattr) == 0)
+                ptr = cipso_v4_optptr(skb);
+                if (ptr && cipso_v4_getattr(ptr, secattr) == 0)
                         return 0;
                 break;
 #if IS_ENABLED(CONFIG_IPV6)
@@ -1094,7 +1096,7 @@ int netlbl_skbuff_getattr(const struct sk_buff *skb,
  */
 void netlbl_skbuff_err(struct sk_buff *skb, int error, int gateway)
 {
-        if (CIPSO_V4_OPTEXIST(skb))
+        if (cipso_v4_optptr(skb))
                 cipso_v4_error(skb, error, gateway);
 }
 
@@ -1126,11 +1128,14 @@ void netlbl_cache_invalidate(void)
 int netlbl_cache_add(const struct sk_buff *skb,
                      const struct netlbl_lsm_secattr *secattr)
 {
+        unsigned char *ptr;
+
         if ((secattr->flags & NETLBL_SECATTR_CACHE) == 0)
                 return -ENOMSG;
 
-        if (CIPSO_V4_OPTEXIST(skb))
-                return cipso_v4_cache_add(skb, secattr);
+        ptr = cipso_v4_optptr(skb);
+        if (ptr)
+                return cipso_v4_cache_add(ptr, secattr);
 
         return -ENOMSG;
 }