Merge branch 'serge-next-1' of git://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux-security

Pull security layer updates from Serge Hallyn:
 "This is a merge of James Morris' security-next tree from 3.14 to
  yesterday's master, plus four patches from Paul Moore which are in
  linux-next, plus one patch from Mimi"

* 'serge-next-1' of git://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux-security:
  ima: audit log files opened with O_DIRECT flag
  selinux: conditionally reschedule in hashtab_insert while loading selinux policy
  selinux: conditionally reschedule in mls_convert_context while loading selinux policy
  selinux: reject setexeccon() on MNT_NOSUID applications with -EACCES
  selinux:  Report permissive mode in avc: denied messages.
  Warning in scanf string typing
  Smack: Label cgroup files for systemd
  Smack: Verify read access on file open - v3
  security: Convert use of typedef ctl_table to struct ctl_table
  Smack: bidirectional UDS connect check
  Smack: Correctly remove SMACK64TRANSMUTE attribute
  SMACK: Fix handling value==NULL in post setxattr
  bugfix patch for SMACK
  Smack: adds smackfs/ptrace interface
  Smack: unify all ptrace accesses in the smack
  Smack: fix the subject/object order in smack_ptrace_traceme()
  Minor improvement of 'smack_sb_kern_mount'
  smack: fix key permission verification
  KEYS: Move the flags representing required permission to linux/key.h

4 files changed, 19 insertions, 3 deletions

diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index ba9e4d792dd5..d9cd5ce14d2b 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -199,6 +199,7 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
                             struct evm_ima_xattr_data **xattr_value,
                             int *xattr_len)
 {
+        const char *audit_cause = "failed";
         struct inode *inode = file_inode(file);
         const char *filename = file->f_dentry->d_name.name;
         int result = 0;
@@ -213,6 +214,12 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
         if (!(iint->flags & IMA_COLLECTED)) {
                 u64 i_version = file_inode(file)->i_version;
 
+                if (file->f_flags & O_DIRECT) {
+                        audit_cause = "failed(directio)";
+                        result = -EACCES;
+                        goto out;
+                }
+
                 /* use default hash algorithm */
                 hash.hdr.algo = ima_hash_algo;
 
@@ -233,9 +240,10 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
                                 result = -ENOMEM;
                 }
         }
+out:
         if (result)
                 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
-                                    filename, "collect_data", "failed",
+                                    filename, "collect_data", audit_cause,
                                     result, 0);
         return result;
 }
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 52ac6cf41f88..dcc98cf542d8 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -214,8 +214,11 @@ static int process_measurement(struct file *file, const char *filename,
                 xattr_ptr = &xattr_value;
 
         rc = ima_collect_measurement(iint, file, xattr_ptr, &xattr_len);
-        if (rc != 0)
+        if (rc != 0) {
+                if (file->f_flags & O_DIRECT)
+                        rc = (iint->flags & IMA_PERMIT_DIRECTIO) ? 0 : -EACCES;
                 goto out_digsig;
+        }
 
         pathname = filename ?: ima_d_path(&file->f_path, &pathbuf);
 
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 93873a450ff7..40a7488f6721 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -353,7 +353,7 @@ enum {
         Opt_obj_user, Opt_obj_role, Opt_obj_type,
         Opt_subj_user, Opt_subj_role, Opt_subj_type,
         Opt_func, Opt_mask, Opt_fsmagic, Opt_uid, Opt_fowner,
-        Opt_appraise_type, Opt_fsuuid
+        Opt_appraise_type, Opt_fsuuid, Opt_permit_directio
 };
 
 static match_table_t policy_tokens = {
@@ -375,6 +375,7 @@ static match_table_t policy_tokens = {
         {Opt_uid, "uid=%s"},
         {Opt_fowner, "fowner=%s"},
         {Opt_appraise_type, "appraise_type=%s"},
+        {Opt_permit_directio, "permit_directio"},
         {Opt_err, NULL}
 };
 
@@ -622,6 +623,9 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
                         else
                                 result = -EINVAL;
                         break;
+                case Opt_permit_directio:
+                        entry->flags |= IMA_PERMIT_DIRECTIO;
+                        break;
                 case Opt_err:
                         ima_log_string(ab, "UNKNOWN", p);
                         result = -EINVAL;
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 2fb5e53e927f..33c0a70f6b15 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -30,6 +30,7 @@
 #define IMA_ACTION_FLAGS        0xff000000
 #define IMA_DIGSIG              0x01000000
 #define IMA_DIGSIG_REQUIRED     0x02000000
+#define IMA_PERMIT_DIRECTIO     0x04000000
 
 #define IMA_DO_MASK             (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \
                                  IMA_APPRAISE_SUBMASK)