aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorDmitry Torokhov <dmitry.torokhov@gmail.com>2012-07-04 16:13:55 -0400
committerDmitry Torokhov <dmitry.torokhov@gmail.com>2012-07-04 16:13:55 -0400
commit404c3bc30cb1361e1b3533643326ab472d24a618 (patch)
tree156cc9032c8aee17167d926c5bdae009ba8f36d2 /security
parent6795a524f0b049ceb5417d5036ab5e233345b900 (diff)
parent6887a4131da3adaab011613776d865f4bcfb5678 (diff)
Merge commit 'v3.5-rc5' into next
Diffstat (limited to 'security')
-rw-r--r--security/Kconfig68
-rw-r--r--security/apparmor/audit.c11
-rw-r--r--security/apparmor/capability.c4
-rw-r--r--security/apparmor/domain.c35
-rw-r--r--security/apparmor/file.c2
-rw-r--r--security/apparmor/include/audit.h1
-rw-r--r--security/apparmor/ipc.c2
-rw-r--r--security/apparmor/lib.c2
-rw-r--r--security/apparmor/lsm.c21
-rw-r--r--security/apparmor/path.c2
-rw-r--r--security/apparmor/policy.c6
-rw-r--r--security/apparmor/policy_unpack.c2
-rw-r--r--security/apparmor/resource.c2
-rw-r--r--security/capability.c7
-rw-r--r--security/commoncap.c85
-rw-r--r--security/device_cgroup.c10
-rw-r--r--security/integrity/ima/ima_main.c4
-rw-r--r--security/keys/Kconfig71
-rw-r--r--security/keys/Makefile12
-rw-r--r--security/keys/compat.c5
-rw-r--r--security/keys/gc.c94
-rw-r--r--security/keys/internal.h17
-rw-r--r--security/keys/key.c27
-rw-r--r--security/keys/keyctl.c111
-rw-r--r--security/keys/keyring.c167
-rw-r--r--security/keys/permission.c48
-rw-r--r--security/keys/proc.c3
-rw-r--r--security/keys/process_keys.c24
-rw-r--r--security/keys/request_key.c13
-rw-r--r--security/lsm_audit.c15
-rw-r--r--security/security.c55
-rw-r--r--security/selinux/avc.c130
-rw-r--r--security/selinux/hooks.c283
-rw-r--r--security/selinux/include/avc.h100
-rw-r--r--security/selinux/include/security.h4
-rw-r--r--security/selinux/netif.c6
-rw-r--r--security/selinux/netnode.c6
-rw-r--r--security/selinux/netport.c6
-rw-r--r--security/selinux/nlmsgtab.c13
-rw-r--r--security/selinux/selinuxfs.c47
-rw-r--r--security/selinux/ss/context.h20
-rw-r--r--security/selinux/ss/mls.c24
-rw-r--r--security/selinux/ss/policydb.c44
-rw-r--r--security/selinux/ss/policydb.h14
-rw-r--r--security/selinux/ss/services.c56
-rw-r--r--security/smack/smack.h59
-rw-r--r--security/smack/smack_access.c233
-rw-r--r--security/smack/smack_lsm.c258
-rw-r--r--security/smack/smackfs.c993
-rw-r--r--security/tomoyo/common.c26
-rw-r--r--security/tomoyo/common.h1
-rw-r--r--security/tomoyo/tomoyo.c6
-rw-r--r--security/yama/yama_lsm.c63
53 files changed, 2030 insertions, 1288 deletions
diff --git a/security/Kconfig b/security/Kconfig
index ccc61f8006b2..e9c6ac724fef 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -4,73 +4,7 @@
4 4
5menu "Security options" 5menu "Security options"
6 6
7config KEYS 7source security/keys/Kconfig
8 bool "Enable access key retention support"
9 help
10 This option provides support for retaining authentication tokens and
11 access keys in the kernel.
12
13 It also includes provision of methods by which such keys might be
14 associated with a process so that network filesystems, encryption
15 support and the like can find them.
16
17 Furthermore, a special type of key is available that acts as keyring:
18 a searchable sequence of keys. Each process is equipped with access
19 to five standard keyrings: UID-specific, GID-specific, session,
20 process and thread.
21
22 If you are unsure as to whether this is required, answer N.
23
24config TRUSTED_KEYS
25 tristate "TRUSTED KEYS"
26 depends on KEYS && TCG_TPM
27 select CRYPTO
28 select CRYPTO_HMAC
29 select CRYPTO_SHA1
30 help
31 This option provides support for creating, sealing, and unsealing
32 keys in the kernel. Trusted keys are random number symmetric keys,
33 generated and RSA-sealed by the TPM. The TPM only unseals the keys,
34 if the boot PCRs and other criteria match. Userspace will only ever
35 see encrypted blobs.
36
37 If you are unsure as to whether this is required, answer N.
38
39config ENCRYPTED_KEYS
40 tristate "ENCRYPTED KEYS"
41 depends on KEYS
42 select CRYPTO
43 select CRYPTO_HMAC
44 select CRYPTO_AES
45 select CRYPTO_CBC
46 select CRYPTO_SHA256
47 select CRYPTO_RNG
48 help
49 This option provides support for create/encrypting/decrypting keys
50 in the kernel. Encrypted keys are kernel generated random numbers,
51 which are encrypted/decrypted with a 'master' symmetric key. The
52 'master' key can be either a trusted-key or user-key type.
53 Userspace only ever sees/stores encrypted blobs.
54
55 If you are unsure as to whether this is required, answer N.
56
57config KEYS_DEBUG_PROC_KEYS
58 bool "Enable the /proc/keys file by which keys may be viewed"
59 depends on KEYS
60 help
61 This option turns on support for the /proc/keys file - through which
62 can be listed all the keys on the system that are viewable by the
63 reading process.
64
65 The only keys included in the list are those that grant View
66 permission to the reading process whether or not it possesses them.
67 Note that LSM security checks are still performed, and may further
68 filter out keys that the current process is not authorised to view.
69
70 Only key attributes are listed here; key payloads are not included in
71 the resulting table.
72
73 If you are unsure as to whether this is required, answer N.
74 8
75config SECURITY_DMESG_RESTRICT 9config SECURITY_DMESG_RESTRICT
76 bool "Restrict unprivileged access to the kernel syslog" 10 bool "Restrict unprivileged access to the kernel syslog"
diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
index cc3520d39a78..3ae28db5a64f 100644
--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -111,7 +111,7 @@ static const char *const aa_audit_type[] = {
111static void audit_pre(struct audit_buffer *ab, void *ca) 111static void audit_pre(struct audit_buffer *ab, void *ca)
112{ 112{
113 struct common_audit_data *sa = ca; 113 struct common_audit_data *sa = ca;
114 struct task_struct *tsk = sa->tsk ? sa->tsk : current; 114 struct task_struct *tsk = sa->aad->tsk ? sa->aad->tsk : current;
115 115
116 if (aa_g_audit_header) { 116 if (aa_g_audit_header) {
117 audit_log_format(ab, "apparmor="); 117 audit_log_format(ab, "apparmor=");
@@ -149,6 +149,12 @@ static void audit_pre(struct audit_buffer *ab, void *ca)
149 audit_log_format(ab, " name="); 149 audit_log_format(ab, " name=");
150 audit_log_untrustedstring(ab, sa->aad->name); 150 audit_log_untrustedstring(ab, sa->aad->name);
151 } 151 }
152
153 if (sa->aad->tsk) {
154 audit_log_format(ab, " pid=%d comm=", tsk->pid);
155 audit_log_untrustedstring(ab, tsk->comm);
156 }
157
152} 158}
153 159
154/** 160/**
@@ -205,7 +211,8 @@ int aa_audit(int type, struct aa_profile *profile, gfp_t gfp,
205 aa_audit_msg(type, sa, cb); 211 aa_audit_msg(type, sa, cb);
206 212
207 if (sa->aad->type == AUDIT_APPARMOR_KILL) 213 if (sa->aad->type == AUDIT_APPARMOR_KILL)
208 (void)send_sig_info(SIGKILL, NULL, sa->tsk ? sa->tsk : current); 214 (void)send_sig_info(SIGKILL, NULL,
215 sa->aad->tsk ? sa->aad->tsk : current);
209 216
210 if (sa->aad->type == AUDIT_APPARMOR_ALLOWED) 217 if (sa->aad->type == AUDIT_APPARMOR_ALLOWED)
211 return complain_error(sa->aad->error); 218 return complain_error(sa->aad->error);
diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c
index 088dba3bf7dc..887a5e948945 100644
--- a/security/apparmor/capability.c
+++ b/security/apparmor/capability.c
@@ -65,10 +65,10 @@ static int audit_caps(struct aa_profile *profile, struct task_struct *task,
65 int type = AUDIT_APPARMOR_AUTO; 65 int type = AUDIT_APPARMOR_AUTO;
66 struct common_audit_data sa; 66 struct common_audit_data sa;
67 struct apparmor_audit_data aad = {0,}; 67 struct apparmor_audit_data aad = {0,};
68 COMMON_AUDIT_DATA_INIT(&sa, CAP); 68 sa.type = LSM_AUDIT_DATA_CAP;
69 sa.aad = &aad; 69 sa.aad = &aad;
70 sa.tsk = task;
71 sa.u.cap = cap; 70 sa.u.cap = cap;
71 sa.aad->tsk = task;
72 sa.aad->op = OP_CAPABLE; 72 sa.aad->op = OP_CAPABLE;
73 sa.aad->error = error; 73 sa.aad->error = error;
74 74
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 6327685c101e..b81ea10a17a3 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -394,6 +394,11 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
394 new_profile = find_attach(ns, &ns->base.profiles, name); 394 new_profile = find_attach(ns, &ns->base.profiles, name);
395 if (!new_profile) 395 if (!new_profile)
396 goto cleanup; 396 goto cleanup;
397 /*
398 * NOTE: Domain transitions from unconfined are allowed
399 * even when no_new_privs is set because this aways results
400 * in a further reduction of permissions.
401 */
397 goto apply; 402 goto apply;
398 } 403 }
399 404
@@ -455,6 +460,16 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
455 /* fail exec */ 460 /* fail exec */
456 error = -EACCES; 461 error = -EACCES;
457 462
463 /*
464 * Policy has specified a domain transition, if no_new_privs then
465 * fail the exec.
466 */
467 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) {
468 aa_put_profile(new_profile);
469 error = -EPERM;
470 goto cleanup;
471 }
472
458 if (!new_profile) 473 if (!new_profile)
459 goto audit; 474 goto audit;
460 475
@@ -609,6 +624,14 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
609 const char *target = NULL, *info = NULL; 624 const char *target = NULL, *info = NULL;
610 int error = 0; 625 int error = 0;
611 626
627 /*
628 * Fail explicitly requested domain transitions if no_new_privs.
629 * There is no exception for unconfined as change_hat is not
630 * available.
631 */
632 if (current->no_new_privs)
633 return -EPERM;
634
612 /* released below */ 635 /* released below */
613 cred = get_current_cred(); 636 cred = get_current_cred();
614 cxt = cred->security; 637 cxt = cred->security;
@@ -750,6 +773,18 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
750 cxt = cred->security; 773 cxt = cred->security;
751 profile = aa_cred_profile(cred); 774 profile = aa_cred_profile(cred);
752 775
776 /*
777 * Fail explicitly requested domain transitions if no_new_privs
778 * and not unconfined.
779 * Domain transitions from unconfined are allowed even when
780 * no_new_privs is set because this aways results in a reduction
781 * of permissions.
782 */
783 if (current->no_new_privs && !unconfined(profile)) {
784 put_cred(cred);
785 return -EPERM;
786 }
787
753 if (ns_name) { 788 if (ns_name) {
754 /* released below */ 789 /* released below */
755 ns = aa_find_namespace(profile->ns, ns_name); 790 ns = aa_find_namespace(profile->ns, ns_name);
diff --git a/security/apparmor/file.c b/security/apparmor/file.c
index 2f8fcba9ce4b..cf19d4093ca4 100644
--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@@ -108,7 +108,7 @@ int aa_audit_file(struct aa_profile *profile, struct file_perms *perms,
108 int type = AUDIT_APPARMOR_AUTO; 108 int type = AUDIT_APPARMOR_AUTO;
109 struct common_audit_data sa; 109 struct common_audit_data sa;
110 struct apparmor_audit_data aad = {0,}; 110 struct apparmor_audit_data aad = {0,};
111 COMMON_AUDIT_DATA_INIT(&sa, NONE); 111 sa.type = LSM_AUDIT_DATA_NONE;
112 sa.aad = &aad; 112 sa.aad = &aad;
113 aad.op = op, 113 aad.op = op,
114 aad.fs.request = request; 114 aad.fs.request = request;
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index 3868b1e5d5ba..4b7e18951aea 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -110,6 +110,7 @@ struct apparmor_audit_data {
110 void *profile; 110 void *profile;
111 const char *name; 111 const char *name;
112 const char *info; 112 const char *info;
113 struct task_struct *tsk;
113 union { 114 union {
114 void *target; 115 void *target;
115 struct { 116 struct {
diff --git a/security/apparmor/ipc.c b/security/apparmor/ipc.c
index c3da93a5150d..cf1071b14232 100644
--- a/security/apparmor/ipc.c
+++ b/security/apparmor/ipc.c
@@ -42,7 +42,7 @@ static int aa_audit_ptrace(struct aa_profile *profile,
42{ 42{
43 struct common_audit_data sa; 43 struct common_audit_data sa;
44 struct apparmor_audit_data aad = {0,}; 44 struct apparmor_audit_data aad = {0,};
45 COMMON_AUDIT_DATA_INIT(&sa, NONE); 45 sa.type = LSM_AUDIT_DATA_NONE;
46 sa.aad = &aad; 46 sa.aad = &aad;
47 aad.op = OP_PTRACE; 47 aad.op = OP_PTRACE;
48 aad.target = target; 48 aad.target = target;
diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
index e75829ba0ff9..7430298116d6 100644
--- a/security/apparmor/lib.c
+++ b/security/apparmor/lib.c
@@ -66,7 +66,7 @@ void aa_info_message(const char *str)
66 if (audit_enabled) { 66 if (audit_enabled) {
67 struct common_audit_data sa; 67 struct common_audit_data sa;
68 struct apparmor_audit_data aad = {0,}; 68 struct apparmor_audit_data aad = {0,};
69 COMMON_AUDIT_DATA_INIT(&sa, NONE); 69 sa.type = LSM_AUDIT_DATA_NONE;
70 sa.aad = &aad; 70 sa.aad = &aad;
71 aad.info = str; 71 aad.info = str;
72 aa_audit_msg(AUDIT_APPARMOR_STATUS, &sa, NULL); 72 aa_audit_msg(AUDIT_APPARMOR_STATUS, &sa, NULL);
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index ad05d391974d..8ea39aabe948 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -373,7 +373,7 @@ static int apparmor_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
373 AA_MAY_META_READ); 373 AA_MAY_META_READ);
374} 374}
375 375
376static int apparmor_dentry_open(struct file *file, const struct cred *cred) 376static int apparmor_file_open(struct file *file, const struct cred *cred)
377{ 377{
378 struct aa_file_cxt *fcxt = file->f_security; 378 struct aa_file_cxt *fcxt = file->f_security;
379 struct aa_profile *profile; 379 struct aa_profile *profile;
@@ -490,17 +490,9 @@ static int common_mmap(int op, struct file *file, unsigned long prot,
490 return common_file_perm(op, file, mask); 490 return common_file_perm(op, file, mask);
491} 491}
492 492
493static int apparmor_file_mmap(struct file *file, unsigned long reqprot, 493static int apparmor_mmap_file(struct file *file, unsigned long reqprot,
494 unsigned long prot, unsigned long flags, 494 unsigned long prot, unsigned long flags)
495 unsigned long addr, unsigned long addr_only)
496{ 495{
497 int rc = 0;
498
499 /* do DAC check */
500 rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
501 if (rc || addr_only)
502 return rc;
503
504 return common_mmap(OP_FMMAP, file, prot, flags); 496 return common_mmap(OP_FMMAP, file, prot, flags);
505} 497}
506 498
@@ -589,7 +581,7 @@ static int apparmor_setprocattr(struct task_struct *task, char *name,
589 } else { 581 } else {
590 struct common_audit_data sa; 582 struct common_audit_data sa;
591 struct apparmor_audit_data aad = {0,}; 583 struct apparmor_audit_data aad = {0,};
592 COMMON_AUDIT_DATA_INIT(&sa, NONE); 584 sa.type = LSM_AUDIT_DATA_NONE;
593 sa.aad = &aad; 585 sa.aad = &aad;
594 aad.op = OP_SETPROCATTR; 586 aad.op = OP_SETPROCATTR;
595 aad.info = name; 587 aad.info = name;
@@ -640,13 +632,14 @@ static struct security_operations apparmor_ops = {
640 .path_chmod = apparmor_path_chmod, 632 .path_chmod = apparmor_path_chmod,
641 .path_chown = apparmor_path_chown, 633 .path_chown = apparmor_path_chown,
642 .path_truncate = apparmor_path_truncate, 634 .path_truncate = apparmor_path_truncate,
643 .dentry_open = apparmor_dentry_open,
644 .inode_getattr = apparmor_inode_getattr, 635 .inode_getattr = apparmor_inode_getattr,
645 636
637 .file_open = apparmor_file_open,
646 .file_permission = apparmor_file_permission, 638 .file_permission = apparmor_file_permission,
647 .file_alloc_security = apparmor_file_alloc_security, 639 .file_alloc_security = apparmor_file_alloc_security,
648 .file_free_security = apparmor_file_free_security, 640 .file_free_security = apparmor_file_free_security,
649 .file_mmap = apparmor_file_mmap, 641 .mmap_file = apparmor_mmap_file,
642 .mmap_addr = cap_mmap_addr,
650 .file_mprotect = apparmor_file_mprotect, 643 .file_mprotect = apparmor_file_mprotect,
651 .file_lock = apparmor_file_lock, 644 .file_lock = apparmor_file_lock,
652 645
diff --git a/security/apparmor/path.c b/security/apparmor/path.c
index 2daeea4f9266..e91ffee80162 100644
--- a/security/apparmor/path.c
+++ b/security/apparmor/path.c
@@ -94,6 +94,8 @@ static int d_namespace_path(struct path *path, char *buf, int buflen,
94 * be returned. 94 * be returned.
95 */ 95 */
96 if (!res || IS_ERR(res)) { 96 if (!res || IS_ERR(res)) {
97 if (PTR_ERR(res) == -ENAMETOOLONG)
98 return -ENAMETOOLONG;
97 connected = 0; 99 connected = 0;
98 res = dentry_path_raw(path->dentry, buf, buflen); 100 res = dentry_path_raw(path->dentry, buf, buflen);
99 if (IS_ERR(res)) { 101 if (IS_ERR(res)) {
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index f1f7506a464d..cf5fd220309b 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -903,6 +903,10 @@ struct aa_profile *aa_lookup_profile(struct aa_namespace *ns, const char *hname)
903 profile = aa_get_profile(__lookup_profile(&ns->base, hname)); 903 profile = aa_get_profile(__lookup_profile(&ns->base, hname));
904 read_unlock(&ns->lock); 904 read_unlock(&ns->lock);
905 905
906 /* the unconfined profile is not in the regular profile list */
907 if (!profile && strcmp(hname, "unconfined") == 0)
908 profile = aa_get_profile(ns->unconfined);
909
906 /* refcount released by caller */ 910 /* refcount released by caller */
907 return profile; 911 return profile;
908} 912}
@@ -965,7 +969,7 @@ static int audit_policy(int op, gfp_t gfp, const char *name, const char *info,
965{ 969{
966 struct common_audit_data sa; 970 struct common_audit_data sa;
967 struct apparmor_audit_data aad = {0,}; 971 struct apparmor_audit_data aad = {0,};
968 COMMON_AUDIT_DATA_INIT(&sa, NONE); 972 sa.type = LSM_AUDIT_DATA_NONE;
969 sa.aad = &aad; 973 sa.aad = &aad;
970 aad.op = op; 974 aad.op = op;
971 aad.name = name; 975 aad.name = name;
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index deab7c7e8dc0..329b1fd30749 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -95,7 +95,7 @@ static int audit_iface(struct aa_profile *new, const char *name,
95 struct aa_profile *profile = __aa_current_profile(); 95 struct aa_profile *profile = __aa_current_profile();
96 struct common_audit_data sa; 96 struct common_audit_data sa;
97 struct apparmor_audit_data aad = {0,}; 97 struct apparmor_audit_data aad = {0,};
98 COMMON_AUDIT_DATA_INIT(&sa, NONE); 98 sa.type = LSM_AUDIT_DATA_NONE;
99 sa.aad = &aad; 99 sa.aad = &aad;
100 if (e) 100 if (e)
101 aad.iface.pos = e->pos - e->start; 101 aad.iface.pos = e->pos - e->start;
diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c
index 2fe8613efe33..e1f3d7ef2c54 100644
--- a/security/apparmor/resource.c
+++ b/security/apparmor/resource.c
@@ -52,7 +52,7 @@ static int audit_resource(struct aa_profile *profile, unsigned int resource,
52 struct common_audit_data sa; 52 struct common_audit_data sa;
53 struct apparmor_audit_data aad = {0,}; 53 struct apparmor_audit_data aad = {0,};
54 54
55 COMMON_AUDIT_DATA_INIT(&sa, NONE); 55 sa.type = LSM_AUDIT_DATA_NONE;
56 sa.aad = &aad; 56 sa.aad = &aad;
57 aad.op = OP_SETRLIMIT, 57 aad.op = OP_SETRLIMIT,
58 aad.rlim.rlim = resource; 58 aad.rlim.rlim = resource;
diff --git a/security/capability.c b/security/capability.c
index 5bb21b1c448c..61095df8b89a 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -348,7 +348,7 @@ static int cap_file_receive(struct file *file)
348 return 0; 348 return 0;
349} 349}
350 350
351static int cap_dentry_open(struct file *file, const struct cred *cred) 351static int cap_file_open(struct file *file, const struct cred *cred)
352{ 352{
353 return 0; 353 return 0;
354} 354}
@@ -949,14 +949,15 @@ void __init security_fixup_ops(struct security_operations *ops)
949 set_to_cap_if_null(ops, file_alloc_security); 949 set_to_cap_if_null(ops, file_alloc_security);
950 set_to_cap_if_null(ops, file_free_security); 950 set_to_cap_if_null(ops, file_free_security);
951 set_to_cap_if_null(ops, file_ioctl); 951 set_to_cap_if_null(ops, file_ioctl);
952 set_to_cap_if_null(ops, file_mmap); 952 set_to_cap_if_null(ops, mmap_addr);
953 set_to_cap_if_null(ops, mmap_file);
953 set_to_cap_if_null(ops, file_mprotect); 954 set_to_cap_if_null(ops, file_mprotect);
954 set_to_cap_if_null(ops, file_lock); 955 set_to_cap_if_null(ops, file_lock);
955 set_to_cap_if_null(ops, file_fcntl); 956 set_to_cap_if_null(ops, file_fcntl);
956 set_to_cap_if_null(ops, file_set_fowner); 957 set_to_cap_if_null(ops, file_set_fowner);
957 set_to_cap_if_null(ops, file_send_sigiotask); 958 set_to_cap_if_null(ops, file_send_sigiotask);
958 set_to_cap_if_null(ops, file_receive); 959 set_to_cap_if_null(ops, file_receive);
959 set_to_cap_if_null(ops, dentry_open); 960 set_to_cap_if_null(ops, file_open);
960 set_to_cap_if_null(ops, task_create); 961 set_to_cap_if_null(ops, task_create);
961 set_to_cap_if_null(ops, task_free); 962 set_to_cap_if_null(ops, task_free);
962 set_to_cap_if_null(ops, cred_alloc_blank); 963 set_to_cap_if_null(ops, cred_alloc_blank);
diff --git a/security/commoncap.c b/security/commoncap.c
index 71a166a05975..6dbae4650abe 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -77,12 +77,12 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
77 int cap, int audit) 77 int cap, int audit)
78{ 78{
79 for (;;) { 79 for (;;) {
80 /* The creator of the user namespace has all caps. */ 80 /* The owner of the user namespace has all caps. */
81 if (targ_ns != &init_user_ns && targ_ns->creator == cred->user) 81 if (targ_ns != &init_user_ns && uid_eq(targ_ns->owner, cred->euid))
82 return 0; 82 return 0;
83 83
84 /* Do we have the necessary capabilities? */ 84 /* Do we have the necessary capabilities? */
85 if (targ_ns == cred->user->user_ns) 85 if (targ_ns == cred->user_ns)
86 return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM; 86 return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
87 87
88 /* Have we tried all of the parent namespaces? */ 88 /* Have we tried all of the parent namespaces? */
@@ -93,7 +93,7 @@ int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
93 *If you have a capability in a parent user ns, then you have 93 *If you have a capability in a parent user ns, then you have
94 * it over all children user namespaces as well. 94 * it over all children user namespaces as well.
95 */ 95 */
96 targ_ns = targ_ns->creator->user_ns; 96 targ_ns = targ_ns->parent;
97 } 97 }
98 98
99 /* We never get here */ 99 /* We never get here */
@@ -137,10 +137,10 @@ int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
137 rcu_read_lock(); 137 rcu_read_lock();
138 cred = current_cred(); 138 cred = current_cred();
139 child_cred = __task_cred(child); 139 child_cred = __task_cred(child);
140 if (cred->user->user_ns == child_cred->user->user_ns && 140 if (cred->user_ns == child_cred->user_ns &&
141 cap_issubset(child_cred->cap_permitted, cred->cap_permitted)) 141 cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
142 goto out; 142 goto out;
143 if (ns_capable(child_cred->user->user_ns, CAP_SYS_PTRACE)) 143 if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE))
144 goto out; 144 goto out;
145 ret = -EPERM; 145 ret = -EPERM;
146out: 146out:
@@ -169,10 +169,10 @@ int cap_ptrace_traceme(struct task_struct *parent)
169 rcu_read_lock(); 169 rcu_read_lock();
170 cred = __task_cred(parent); 170 cred = __task_cred(parent);
171 child_cred = current_cred(); 171 child_cred = current_cred();
172 if (cred->user->user_ns == child_cred->user->user_ns && 172 if (cred->user_ns == child_cred->user_ns &&
173 cap_issubset(child_cred->cap_permitted, cred->cap_permitted)) 173 cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
174 goto out; 174 goto out;
175 if (has_ns_capability(parent, child_cred->user->user_ns, CAP_SYS_PTRACE)) 175 if (has_ns_capability(parent, child_cred->user_ns, CAP_SYS_PTRACE))
176 goto out; 176 goto out;
177 ret = -EPERM; 177 ret = -EPERM;
178out: 178out:
@@ -215,7 +215,7 @@ static inline int cap_inh_is_capped(void)
215 /* they are so limited unless the current task has the CAP_SETPCAP 215 /* they are so limited unless the current task has the CAP_SETPCAP
216 * capability 216 * capability
217 */ 217 */
218 if (cap_capable(current_cred(), current_cred()->user->user_ns, 218 if (cap_capable(current_cred(), current_cred()->user_ns,
219 CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0) 219 CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0)
220 return 0; 220 return 0;
221 return 1; 221 return 1;
@@ -473,19 +473,22 @@ int cap_bprm_set_creds(struct linux_binprm *bprm)
473 struct cred *new = bprm->cred; 473 struct cred *new = bprm->cred;
474 bool effective, has_cap = false; 474 bool effective, has_cap = false;
475 int ret; 475 int ret;
476 kuid_t root_uid;
476 477
477 effective = false; 478 effective = false;
478 ret = get_file_caps(bprm, &effective, &has_cap); 479 ret = get_file_caps(bprm, &effective, &has_cap);
479 if (ret < 0) 480 if (ret < 0)
480 return ret; 481 return ret;
481 482
483 root_uid = make_kuid(new->user_ns, 0);
484
482 if (!issecure(SECURE_NOROOT)) { 485 if (!issecure(SECURE_NOROOT)) {
483 /* 486 /*
484 * If the legacy file capability is set, then don't set privs 487 * If the legacy file capability is set, then don't set privs
485 * for a setuid root binary run by a non-root user. Do set it 488 * for a setuid root binary run by a non-root user. Do set it
486 * for a root user just to cause least surprise to an admin. 489 * for a root user just to cause least surprise to an admin.
487 */ 490 */
488 if (has_cap && new->uid != 0 && new->euid == 0) { 491 if (has_cap && !uid_eq(new->uid, root_uid) && uid_eq(new->euid, root_uid)) {
489 warn_setuid_and_fcaps_mixed(bprm->filename); 492 warn_setuid_and_fcaps_mixed(bprm->filename);
490 goto skip; 493 goto skip;
491 } 494 }
@@ -496,12 +499,12 @@ int cap_bprm_set_creds(struct linux_binprm *bprm)
496 * 499 *
497 * If only the real uid is 0, we do not set the effective bit. 500 * If only the real uid is 0, we do not set the effective bit.
498 */ 501 */
499 if (new->euid == 0 || new->uid == 0) { 502 if (uid_eq(new->euid, root_uid) || uid_eq(new->uid, root_uid)) {
500 /* pP' = (cap_bset & ~0) | (pI & ~0) */ 503 /* pP' = (cap_bset & ~0) | (pI & ~0) */
501 new->cap_permitted = cap_combine(old->cap_bset, 504 new->cap_permitted = cap_combine(old->cap_bset,
502 old->cap_inheritable); 505 old->cap_inheritable);
503 } 506 }
504 if (new->euid == 0) 507 if (uid_eq(new->euid, root_uid))
505 effective = true; 508 effective = true;
506 } 509 }
507skip: 510skip:
@@ -512,14 +515,17 @@ skip:
512 515
513 516
514 /* Don't let someone trace a set[ug]id/setpcap binary with the revised 517 /* Don't let someone trace a set[ug]id/setpcap binary with the revised
515 * credentials unless they have the appropriate permit 518 * credentials unless they have the appropriate permit.
519 *
520 * In addition, if NO_NEW_PRIVS, then ensure we get no new privs.
516 */ 521 */
517 if ((new->euid != old->uid || 522 if ((!uid_eq(new->euid, old->uid) ||
518 new->egid != old->gid || 523 !gid_eq(new->egid, old->gid) ||
519 !cap_issubset(new->cap_permitted, old->cap_permitted)) && 524 !cap_issubset(new->cap_permitted, old->cap_permitted)) &&
520 bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) { 525 bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
521 /* downgrade; they get no more than they had, and maybe less */ 526 /* downgrade; they get no more than they had, and maybe less */
522 if (!capable(CAP_SETUID)) { 527 if (!capable(CAP_SETUID) ||
528 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) {
523 new->euid = new->uid; 529 new->euid = new->uid;
524 new->egid = new->gid; 530 new->egid = new->gid;
525 } 531 }
@@ -550,7 +556,7 @@ skip:
550 */ 556 */
551 if (!cap_isclear(new->cap_effective)) { 557 if (!cap_isclear(new->cap_effective)) {
552 if (!cap_issubset(CAP_FULL_SET, new->cap_effective) || 558 if (!cap_issubset(CAP_FULL_SET, new->cap_effective) ||
553 new->euid != 0 || new->uid != 0 || 559 !uid_eq(new->euid, root_uid) || !uid_eq(new->uid, root_uid) ||
554 issecure(SECURE_NOROOT)) { 560 issecure(SECURE_NOROOT)) {
555 ret = audit_log_bprm_fcaps(bprm, new, old); 561 ret = audit_log_bprm_fcaps(bprm, new, old);
556 if (ret < 0) 562 if (ret < 0)
@@ -575,16 +581,17 @@ skip:
575int cap_bprm_secureexec(struct linux_binprm *bprm) 581int cap_bprm_secureexec(struct linux_binprm *bprm)
576{ 582{
577 const struct cred *cred = current_cred(); 583 const struct cred *cred = current_cred();
584 kuid_t root_uid = make_kuid(cred->user_ns, 0);
578 585
579 if (cred->uid != 0) { 586 if (!uid_eq(cred->uid, root_uid)) {
580 if (bprm->cap_effective) 587 if (bprm->cap_effective)
581 return 1; 588 return 1;
582 if (!cap_isclear(cred->cap_permitted)) 589 if (!cap_isclear(cred->cap_permitted))
583 return 1; 590 return 1;
584 } 591 }
585 592
586 return (cred->euid != cred->uid || 593 return (!uid_eq(cred->euid, cred->uid) ||
587 cred->egid != cred->gid); 594 !gid_eq(cred->egid, cred->gid));
588} 595}
589 596
590/** 597/**
@@ -674,15 +681,21 @@ int cap_inode_removexattr(struct dentry *dentry, const char *name)
674 */ 681 */
675static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old) 682static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old)
676{ 683{
677 if ((old->uid == 0 || old->euid == 0 || old->suid == 0) && 684 kuid_t root_uid = make_kuid(old->user_ns, 0);
678 (new->uid != 0 && new->euid != 0 && new->suid != 0) && 685
686 if ((uid_eq(old->uid, root_uid) ||
687 uid_eq(old->euid, root_uid) ||
688 uid_eq(old->suid, root_uid)) &&
689 (!uid_eq(new->uid, root_uid) &&
690 !uid_eq(new->euid, root_uid) &&
691 !uid_eq(new->suid, root_uid)) &&
679 !issecure(SECURE_KEEP_CAPS)) { 692 !issecure(SECURE_KEEP_CAPS)) {
680 cap_clear(new->cap_permitted); 693 cap_clear(new->cap_permitted);
681 cap_clear(new->cap_effective); 694 cap_clear(new->cap_effective);
682 } 695 }
683 if (old->euid == 0 && new->euid != 0) 696 if (uid_eq(old->euid, root_uid) && !uid_eq(new->euid, root_uid))
684 cap_clear(new->cap_effective); 697 cap_clear(new->cap_effective);
685 if (old->euid != 0 && new->euid == 0) 698 if (!uid_eq(old->euid, root_uid) && uid_eq(new->euid, root_uid))
686 new->cap_effective = new->cap_permitted; 699 new->cap_effective = new->cap_permitted;
687} 700}
688 701
@@ -715,11 +728,12 @@ int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
715 * if not, we might be a bit too harsh here. 728 * if not, we might be a bit too harsh here.
716 */ 729 */
717 if (!issecure(SECURE_NO_SETUID_FIXUP)) { 730 if (!issecure(SECURE_NO_SETUID_FIXUP)) {
718 if (old->fsuid == 0 && new->fsuid != 0) 731 kuid_t root_uid = make_kuid(old->user_ns, 0);
732 if (uid_eq(old->fsuid, root_uid) && !uid_eq(new->fsuid, root_uid))
719 new->cap_effective = 733 new->cap_effective =
720 cap_drop_fs_set(new->cap_effective); 734 cap_drop_fs_set(new->cap_effective);
721 735
722 if (old->fsuid != 0 && new->fsuid == 0) 736 if (!uid_eq(old->fsuid, root_uid) && uid_eq(new->fsuid, root_uid))
723 new->cap_effective = 737 new->cap_effective =
724 cap_raise_fs_set(new->cap_effective, 738 cap_raise_fs_set(new->cap_effective,
725 new->cap_permitted); 739 new->cap_permitted);
@@ -872,7 +886,7 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
872 || ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/ 886 || ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/
873 || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/ 887 || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/
874 || (cap_capable(current_cred(), 888 || (cap_capable(current_cred(),
875 current_cred()->user->user_ns, CAP_SETPCAP, 889 current_cred()->user_ns, CAP_SETPCAP,
876 SECURITY_CAP_AUDIT) != 0) /*[4]*/ 890 SECURITY_CAP_AUDIT) != 0) /*[4]*/
877 /* 891 /*
878 * [1] no changing of bits that are locked 892 * [1] no changing of bits that are locked
@@ -944,22 +958,15 @@ int cap_vm_enough_memory(struct mm_struct *mm, long pages)
944} 958}
945 959
946/* 960/*
947 * cap_file_mmap - check if able to map given addr 961 * cap_mmap_addr - check if able to map given addr
948 * @file: unused
949 * @reqprot: unused
950 * @prot: unused
951 * @flags: unused
952 * @addr: address attempting to be mapped 962 * @addr: address attempting to be mapped
953 * @addr_only: unused
954 * 963 *
955 * If the process is attempting to map memory below dac_mmap_min_addr they need 964 * If the process is attempting to map memory below dac_mmap_min_addr they need
956 * CAP_SYS_RAWIO. The other parameters to this function are unused by the 965 * CAP_SYS_RAWIO. The other parameters to this function are unused by the
957 * capability security module. Returns 0 if this mapping should be allowed 966 * capability security module. Returns 0 if this mapping should be allowed
958 * -EPERM if not. 967 * -EPERM if not.
959 */ 968 */
960int cap_file_mmap(struct file *file, unsigned long reqprot, 969int cap_mmap_addr(unsigned long addr)
961 unsigned long prot, unsigned long flags,
962 unsigned long addr, unsigned long addr_only)
963{ 970{
964 int ret = 0; 971 int ret = 0;
965 972
@@ -972,3 +979,9 @@ int cap_file_mmap(struct file *file, unsigned long reqprot,
972 } 979 }
973 return ret; 980 return ret;
974} 981}
982
983int cap_mmap_file(struct file *file, unsigned long reqprot,
984 unsigned long prot, unsigned long flags)
985{
986 return 0;
987}
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index c43a3323feea..442204cc22d9 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -447,22 +447,16 @@ static struct cftype dev_cgroup_files[] = {
447 .read_seq_string = devcgroup_seq_read, 447 .read_seq_string = devcgroup_seq_read,
448 .private = DEVCG_LIST, 448 .private = DEVCG_LIST,
449 }, 449 },
450 { } /* terminate */
450}; 451};
451 452
452static int devcgroup_populate(struct cgroup_subsys *ss,
453 struct cgroup *cgroup)
454{
455 return cgroup_add_files(cgroup, ss, dev_cgroup_files,
456 ARRAY_SIZE(dev_cgroup_files));
457}
458
459struct cgroup_subsys devices_subsys = { 453struct cgroup_subsys devices_subsys = {
460 .name = "devices", 454 .name = "devices",
461 .can_attach = devcgroup_can_attach, 455 .can_attach = devcgroup_can_attach,
462 .create = devcgroup_create, 456 .create = devcgroup_create,
463 .destroy = devcgroup_destroy, 457 .destroy = devcgroup_destroy,
464 .populate = devcgroup_populate,
465 .subsys_id = devices_subsys_id, 458 .subsys_id = devices_subsys_id,
459 .base_cftypes = dev_cgroup_files,
466}; 460};
467 461
468int __devcgroup_inode_permission(struct inode *inode, int mask) 462int __devcgroup_inode_permission(struct inode *inode, int mask)
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 1eff5cb001e5..b17be79b9cf2 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -194,7 +194,9 @@ int ima_bprm_check(struct linux_binprm *bprm)
194{ 194{
195 int rc; 195 int rc;
196 196
197 rc = process_measurement(bprm->file, bprm->filename, 197 rc = process_measurement(bprm->file,
198 (strcmp(bprm->filename, bprm->interp) == 0) ?
199 bprm->filename : bprm->interp,
198 MAY_EXEC, BPRM_CHECK); 200 MAY_EXEC, BPRM_CHECK);
199 return 0; 201 return 0;
200} 202}
diff --git a/security/keys/Kconfig b/security/keys/Kconfig
new file mode 100644
index 000000000000..a90d6d300dbd
--- /dev/null
+++ b/security/keys/Kconfig
@@ -0,0 +1,71 @@
1#
2# Key management configuration
3#
4
5config KEYS
6 bool "Enable access key retention support"
7 help
8 This option provides support for retaining authentication tokens and
9 access keys in the kernel.
10
11 It also includes provision of methods by which such keys might be
12 associated with a process so that network filesystems, encryption
13 support and the like can find them.
14
15 Furthermore, a special type of key is available that acts as keyring:
16 a searchable sequence of keys. Each process is equipped with access
17 to five standard keyrings: UID-specific, GID-specific, session,
18 process and thread.
19
20 If you are unsure as to whether this is required, answer N.
21
22config TRUSTED_KEYS
23 tristate "TRUSTED KEYS"
24 depends on KEYS && TCG_TPM
25 select CRYPTO
26 select CRYPTO_HMAC
27 select CRYPTO_SHA1
28 help
29 This option provides support for creating, sealing, and unsealing
30 keys in the kernel. Trusted keys are random number symmetric keys,
31 generated and RSA-sealed by the TPM. The TPM only unseals the keys,
32 if the boot PCRs and other criteria match. Userspace will only ever
33 see encrypted blobs.
34
35 If you are unsure as to whether this is required, answer N.
36
37config ENCRYPTED_KEYS
38 tristate "ENCRYPTED KEYS"
39 depends on KEYS
40 select CRYPTO
41 select CRYPTO_HMAC
42 select CRYPTO_AES
43 select CRYPTO_CBC
44 select CRYPTO_SHA256
45 select CRYPTO_RNG
46 help
47 This option provides support for create/encrypting/decrypting keys
48 in the kernel. Encrypted keys are kernel generated random numbers,
49 which are encrypted/decrypted with a 'master' symmetric key. The
50 'master' key can be either a trusted-key or user-key type.
51 Userspace only ever sees/stores encrypted blobs.
52
53 If you are unsure as to whether this is required, answer N.
54
55config KEYS_DEBUG_PROC_KEYS
56 bool "Enable the /proc/keys file by which keys may be viewed"
57 depends on KEYS
58 help
59 This option turns on support for the /proc/keys file - through which
60 can be listed all the keys on the system that are viewable by the
61 reading process.
62
63 The only keys included in the list are those that grant View
64 permission to the reading process whether or not it possesses them.
65 Note that LSM security checks are still performed, and may further
66 filter out keys that the current process is not authorised to view.
67
68 Only key attributes are listed here; key payloads are not included in
69 the resulting table.
70
71 If you are unsure as to whether this is required, answer N.
diff --git a/security/keys/Makefile b/security/keys/Makefile
index a56f1ffdc64d..504aaa008388 100644
--- a/security/keys/Makefile
+++ b/security/keys/Makefile
@@ -2,6 +2,9 @@
2# Makefile for key management 2# Makefile for key management
3# 3#
4 4
5#
6# Core
7#
5obj-y := \ 8obj-y := \
6 gc.o \ 9 gc.o \
7 key.o \ 10 key.o \
@@ -12,9 +15,12 @@ obj-y := \
12 request_key.o \ 15 request_key.o \
13 request_key_auth.o \ 16 request_key_auth.o \
14 user_defined.o 17 user_defined.o
15
16obj-$(CONFIG_TRUSTED_KEYS) += trusted.o
17obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted-keys/
18obj-$(CONFIG_KEYS_COMPAT) += compat.o 18obj-$(CONFIG_KEYS_COMPAT) += compat.o
19obj-$(CONFIG_PROC_FS) += proc.o 19obj-$(CONFIG_PROC_FS) += proc.o
20obj-$(CONFIG_SYSCTL) += sysctl.o 20obj-$(CONFIG_SYSCTL) += sysctl.o
21
22#
23# Key types
24#
25obj-$(CONFIG_TRUSTED_KEYS) += trusted.o
26obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted-keys/
diff --git a/security/keys/compat.c b/security/keys/compat.c
index 4c48e13448f8..c92d42b021aa 100644
--- a/security/keys/compat.c
+++ b/security/keys/compat.c
@@ -38,7 +38,7 @@ long compat_keyctl_instantiate_key_iov(
38 38
39 ret = compat_rw_copy_check_uvector(WRITE, _payload_iov, ioc, 39 ret = compat_rw_copy_check_uvector(WRITE, _payload_iov, ioc,
40 ARRAY_SIZE(iovstack), 40 ARRAY_SIZE(iovstack),
41 iovstack, &iov, 1); 41 iovstack, &iov);
42 if (ret < 0) 42 if (ret < 0)
43 return ret; 43 return ret;
44 if (ret == 0) 44 if (ret == 0)
@@ -135,6 +135,9 @@ asmlinkage long compat_sys_keyctl(u32 option,
135 return compat_keyctl_instantiate_key_iov( 135 return compat_keyctl_instantiate_key_iov(
136 arg2, compat_ptr(arg3), arg4, arg5); 136 arg2, compat_ptr(arg3), arg4, arg5);
137 137
138 case KEYCTL_INVALIDATE:
139 return keyctl_invalidate_key(arg2);
140
138 default: 141 default:
139 return -EOPNOTSUPP; 142 return -EOPNOTSUPP;
140 } 143 }
diff --git a/security/keys/gc.c b/security/keys/gc.c
index a42b45531aac..61ab7c82ebb1 100644
--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -72,6 +72,15 @@ void key_schedule_gc(time_t gc_at)
72} 72}
73 73
74/* 74/*
75 * Schedule a dead links collection run.
76 */
77void key_schedule_gc_links(void)
78{
79 set_bit(KEY_GC_KEY_EXPIRED, &key_gc_flags);
80 queue_work(system_nrt_wq, &key_gc_work);
81}
82
83/*
75 * Some key's cleanup time was met after it expired, so we need to get the 84 * Some key's cleanup time was met after it expired, so we need to get the
76 * reaper to go through a cycle finding expired keys. 85 * reaper to go through a cycle finding expired keys.
77 */ 86 */
@@ -79,8 +88,7 @@ static void key_gc_timer_func(unsigned long data)
79{ 88{
80 kenter(""); 89 kenter("");
81 key_gc_next_run = LONG_MAX; 90 key_gc_next_run = LONG_MAX;
82 set_bit(KEY_GC_KEY_EXPIRED, &key_gc_flags); 91 key_schedule_gc_links();
83 queue_work(system_nrt_wq, &key_gc_work);
84} 92}
85 93
86/* 94/*
@@ -131,12 +139,12 @@ void key_gc_keytype(struct key_type *ktype)
131static void key_gc_keyring(struct key *keyring, time_t limit) 139static void key_gc_keyring(struct key *keyring, time_t limit)
132{ 140{
133 struct keyring_list *klist; 141 struct keyring_list *klist;
134 struct key *key;
135 int loop; 142 int loop;
136 143
137 kenter("%x", key_serial(keyring)); 144 kenter("%x", key_serial(keyring));
138 145
139 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags)) 146 if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) |
147 (1 << KEY_FLAG_REVOKED)))
140 goto dont_gc; 148 goto dont_gc;
141 149
142 /* scan the keyring looking for dead keys */ 150 /* scan the keyring looking for dead keys */
@@ -148,9 +156,8 @@ static void key_gc_keyring(struct key *keyring, time_t limit)
148 loop = klist->nkeys; 156 loop = klist->nkeys;
149 smp_rmb(); 157 smp_rmb();
150 for (loop--; loop >= 0; loop--) { 158 for (loop--; loop >= 0; loop--) {
151 key = klist->keys[loop]; 159 struct key *key = rcu_dereference(klist->keys[loop]);
152 if (test_bit(KEY_FLAG_DEAD, &key->flags) || 160 if (key_is_dead(key, limit))
153 (key->expiry > 0 && key->expiry <= limit))
154 goto do_gc; 161 goto do_gc;
155 } 162 }
156 163
@@ -168,38 +175,45 @@ do_gc:
168} 175}
169 176
170/* 177/*
171 * Garbage collect an unreferenced, detached key 178 * Garbage collect a list of unreferenced, detached keys
172 */ 179 */
173static noinline void key_gc_unused_key(struct key *key) 180static noinline void key_gc_unused_keys(struct list_head *keys)
174{ 181{
175 key_check(key); 182 while (!list_empty(keys)) {
176 183 struct key *key =
177 security_key_free(key); 184 list_entry(keys->next, struct key, graveyard_link);
178 185 list_del(&key->graveyard_link);
179 /* deal with the user's key tracking and quota */ 186
180 if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) { 187 kdebug("- %u", key->serial);
181 spin_lock(&key->user->lock); 188 key_check(key);
182 key->user->qnkeys--; 189
183 key->user->qnbytes -= key->quotalen; 190 security_key_free(key);
184 spin_unlock(&key->user->lock); 191
185 } 192 /* deal with the user's key tracking and quota */
193 if (test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) {
194 spin_lock(&key->user->lock);
195 key->user->qnkeys--;
196 key->user->qnbytes -= key->quotalen;
197 spin_unlock(&key->user->lock);
198 }
186 199
187 atomic_dec(&key->user->nkeys); 200 atomic_dec(&key->user->nkeys);
188 if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) 201 if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
189 atomic_dec(&key->user->nikeys); 202 atomic_dec(&key->user->nikeys);
190 203
191 key_user_put(key->user); 204 key_user_put(key->user);
192 205
193 /* now throw away the key memory */ 206 /* now throw away the key memory */
194 if (key->type->destroy) 207 if (key->type->destroy)
195 key->type->destroy(key); 208 key->type->destroy(key);
196 209
197 kfree(key->description); 210 kfree(key->description);
198 211
199#ifdef KEY_DEBUGGING 212#ifdef KEY_DEBUGGING
200 key->magic = KEY_DEBUG_MAGIC_X; 213 key->magic = KEY_DEBUG_MAGIC_X;
201#endif 214#endif
202 kmem_cache_free(key_jar, key); 215 kmem_cache_free(key_jar, key);
216 }
203} 217}
204 218
205/* 219/*
@@ -211,6 +225,7 @@ static noinline void key_gc_unused_key(struct key *key)
211 */ 225 */
212static void key_garbage_collector(struct work_struct *work) 226static void key_garbage_collector(struct work_struct *work)
213{ 227{
228 static LIST_HEAD(graveyard);
214 static u8 gc_state; /* Internal persistent state */ 229 static u8 gc_state; /* Internal persistent state */
215#define KEY_GC_REAP_AGAIN 0x01 /* - Need another cycle */ 230#define KEY_GC_REAP_AGAIN 0x01 /* - Need another cycle */
216#define KEY_GC_REAPING_LINKS 0x02 /* - We need to reap links */ 231#define KEY_GC_REAPING_LINKS 0x02 /* - We need to reap links */
@@ -316,15 +331,22 @@ maybe_resched:
316 key_schedule_gc(new_timer); 331 key_schedule_gc(new_timer);
317 } 332 }
318 333
319 if (unlikely(gc_state & KEY_GC_REAPING_DEAD_2)) { 334 if (unlikely(gc_state & KEY_GC_REAPING_DEAD_2) ||
320 /* Make sure everyone revalidates their keys if we marked a 335 !list_empty(&graveyard)) {
321 * bunch as being dead and make sure all keyring ex-payloads 336 /* Make sure that all pending keyring payload destructions are
322 * are destroyed. 337 * fulfilled and that people aren't now looking at dead or
338 * dying keys that they don't have a reference upon or a link
339 * to.
323 */ 340 */
324 kdebug("dead sync"); 341 kdebug("gc sync");
325 synchronize_rcu(); 342 synchronize_rcu();
326 } 343 }
327 344
345 if (!list_empty(&graveyard)) {
346 kdebug("gc keys");
347 key_gc_unused_keys(&graveyard);
348 }
349
328 if (unlikely(gc_state & (KEY_GC_REAPING_DEAD_1 | 350 if (unlikely(gc_state & (KEY_GC_REAPING_DEAD_1 |
329 KEY_GC_REAPING_DEAD_2))) { 351 KEY_GC_REAPING_DEAD_2))) {
330 if (!(gc_state & KEY_GC_FOUND_DEAD_KEY)) { 352 if (!(gc_state & KEY_GC_FOUND_DEAD_KEY)) {
@@ -359,7 +381,7 @@ found_unreferenced_key:
359 rb_erase(&key->serial_node, &key_serial_tree); 381 rb_erase(&key->serial_node, &key_serial_tree);
360 spin_unlock(&key_serial_lock); 382 spin_unlock(&key_serial_lock);
361 383
362 key_gc_unused_key(key); 384 list_add_tail(&key->graveyard_link, &graveyard);
363 gc_state |= KEY_GC_REAP_AGAIN; 385 gc_state |= KEY_GC_REAP_AGAIN;
364 goto maybe_resched; 386 goto maybe_resched;
365 387
diff --git a/security/keys/internal.h b/security/keys/internal.h
index 65647f825584..3dcbf86b0d31 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -14,6 +14,7 @@
14 14
15#include <linux/sched.h> 15#include <linux/sched.h>
16#include <linux/key-type.h> 16#include <linux/key-type.h>
17#include <linux/task_work.h>
17 18
18#ifdef __KDEBUG 19#ifdef __KDEBUG
19#define kenter(FMT, ...) \ 20#define kenter(FMT, ...) \
@@ -148,11 +149,13 @@ extern key_ref_t lookup_user_key(key_serial_t id, unsigned long flags,
148#define KEY_LOOKUP_FOR_UNLINK 0x04 149#define KEY_LOOKUP_FOR_UNLINK 0x04
149 150
150extern long join_session_keyring(const char *name); 151extern long join_session_keyring(const char *name);
152extern void key_change_session_keyring(struct task_work *twork);
151 153
152extern struct work_struct key_gc_work; 154extern struct work_struct key_gc_work;
153extern unsigned key_gc_delay; 155extern unsigned key_gc_delay;
154extern void keyring_gc(struct key *keyring, time_t limit); 156extern void keyring_gc(struct key *keyring, time_t limit);
155extern void key_schedule_gc(time_t expiry_at); 157extern void key_schedule_gc(time_t gc_at);
158extern void key_schedule_gc_links(void);
156extern void key_gc_keytype(struct key_type *ktype); 159extern void key_gc_keytype(struct key_type *ktype);
157 160
158extern int key_task_permission(const key_ref_t key_ref, 161extern int key_task_permission(const key_ref_t key_ref,
@@ -197,6 +200,17 @@ extern struct key *request_key_auth_new(struct key *target,
197extern struct key *key_get_instantiation_authkey(key_serial_t target_id); 200extern struct key *key_get_instantiation_authkey(key_serial_t target_id);
198 201
199/* 202/*
203 * Determine whether a key is dead.
204 */
205static inline bool key_is_dead(struct key *key, time_t limit)
206{
207 return
208 key->flags & ((1 << KEY_FLAG_DEAD) |
209 (1 << KEY_FLAG_INVALIDATED)) ||
210 (key->expiry > 0 && key->expiry <= limit);
211}
212
213/*
200 * keyctl() functions 214 * keyctl() functions
201 */ 215 */
202extern long keyctl_get_keyring_ID(key_serial_t, int); 216extern long keyctl_get_keyring_ID(key_serial_t, int);
@@ -225,6 +239,7 @@ extern long keyctl_reject_key(key_serial_t, unsigned, unsigned, key_serial_t);
225extern long keyctl_instantiate_key_iov(key_serial_t, 239extern long keyctl_instantiate_key_iov(key_serial_t,
226 const struct iovec __user *, 240 const struct iovec __user *,
227 unsigned, key_serial_t); 241 unsigned, key_serial_t);
242extern long keyctl_invalidate_key(key_serial_t);
228 243
229extern long keyctl_instantiate_key_common(key_serial_t, 244extern long keyctl_instantiate_key_common(key_serial_t,
230 const struct iovec __user *, 245 const struct iovec __user *,
diff --git a/security/keys/key.c b/security/keys/key.c
index 06783cffb3af..50d96d4e06f2 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -253,7 +253,7 @@ struct key *key_alloc(struct key_type *type, const char *desc,
253 quotalen = desclen + type->def_datalen; 253 quotalen = desclen + type->def_datalen;
254 254
255 /* get hold of the key tracking for this user */ 255 /* get hold of the key tracking for this user */
256 user = key_user_lookup(uid, cred->user->user_ns); 256 user = key_user_lookup(uid, cred->user_ns);
257 if (!user) 257 if (!user)
258 goto no_memory_1; 258 goto no_memory_1;
259 259
@@ -955,6 +955,28 @@ void key_revoke(struct key *key)
955EXPORT_SYMBOL(key_revoke); 955EXPORT_SYMBOL(key_revoke);
956 956
957/** 957/**
958 * key_invalidate - Invalidate a key.
959 * @key: The key to be invalidated.
960 *
961 * Mark a key as being invalidated and have it cleaned up immediately. The key
962 * is ignored by all searches and other operations from this point.
963 */
964void key_invalidate(struct key *key)
965{
966 kenter("%d", key_serial(key));
967
968 key_check(key);
969
970 if (!test_bit(KEY_FLAG_INVALIDATED, &key->flags)) {
971 down_write_nested(&key->sem, 1);
972 if (!test_and_set_bit(KEY_FLAG_INVALIDATED, &key->flags))
973 key_schedule_gc_links();
974 up_write(&key->sem);
975 }
976}
977EXPORT_SYMBOL(key_invalidate);
978
979/**
958 * register_key_type - Register a type of key. 980 * register_key_type - Register a type of key.
959 * @ktype: The new key type. 981 * @ktype: The new key type.
960 * 982 *
@@ -980,6 +1002,8 @@ int register_key_type(struct key_type *ktype)
980 1002
981 /* store the type */ 1003 /* store the type */
982 list_add(&ktype->link, &key_types_list); 1004 list_add(&ktype->link, &key_types_list);
1005
1006 pr_notice("Key type %s registered\n", ktype->name);
983 ret = 0; 1007 ret = 0;
984 1008
985out: 1009out:
@@ -1002,6 +1026,7 @@ void unregister_key_type(struct key_type *ktype)
1002 list_del_init(&ktype->link); 1026 list_del_init(&ktype->link);
1003 downgrade_write(&key_types_sem); 1027 downgrade_write(&key_types_sem);
1004 key_gc_keytype(ktype); 1028 key_gc_keytype(ktype);
1029 pr_notice("Key type %s unregistered\n", ktype->name);
1005 up_read(&key_types_sem); 1030 up_read(&key_types_sem);
1006} 1031}
1007EXPORT_SYMBOL(unregister_key_type); 1032EXPORT_SYMBOL(unregister_key_type);
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index fb767c6cd99f..0f5b3f027299 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -84,7 +84,7 @@ SYSCALL_DEFINE5(add_key, const char __user *, _type,
84 vm = false; 84 vm = false;
85 if (_payload) { 85 if (_payload) {
86 ret = -ENOMEM; 86 ret = -ENOMEM;
87 payload = kmalloc(plen, GFP_KERNEL); 87 payload = kmalloc(plen, GFP_KERNEL | __GFP_NOWARN);
88 if (!payload) { 88 if (!payload) {
89 if (plen <= PAGE_SIZE) 89 if (plen <= PAGE_SIZE)
90 goto error2; 90 goto error2;
@@ -375,6 +375,37 @@ error:
375} 375}
376 376
377/* 377/*
378 * Invalidate a key.
379 *
380 * The key must be grant the caller Invalidate permission for this to work.
381 * The key and any links to the key will be automatically garbage collected
382 * immediately.
383 *
384 * If successful, 0 is returned.
385 */
386long keyctl_invalidate_key(key_serial_t id)
387{
388 key_ref_t key_ref;
389 long ret;
390
391 kenter("%d", id);
392
393 key_ref = lookup_user_key(id, 0, KEY_SEARCH);
394 if (IS_ERR(key_ref)) {
395 ret = PTR_ERR(key_ref);
396 goto error;
397 }
398
399 key_invalidate(key_ref_to_ptr(key_ref));
400 ret = 0;
401
402 key_ref_put(key_ref);
403error:
404 kleave(" = %ld", ret);
405 return ret;
406}
407
408/*
378 * Clear the specified keyring, creating an empty process keyring if one of the 409 * Clear the specified keyring, creating an empty process keyring if one of the
379 * special keyring IDs is used. 410 * special keyring IDs is used.
380 * 411 *
@@ -1079,7 +1110,7 @@ long keyctl_instantiate_key_iov(key_serial_t id,
1079 goto no_payload; 1110 goto no_payload;
1080 1111
1081 ret = rw_copy_check_uvector(WRITE, _payload_iov, ioc, 1112 ret = rw_copy_check_uvector(WRITE, _payload_iov, ioc,
1082 ARRAY_SIZE(iovstack), iovstack, &iov, 1); 1113 ARRAY_SIZE(iovstack), iovstack, &iov);
1083 if (ret < 0) 1114 if (ret < 0)
1084 return ret; 1115 return ret;
1085 if (ret == 0) 1116 if (ret == 0)
@@ -1423,50 +1454,57 @@ long keyctl_get_security(key_serial_t keyid,
1423 */ 1454 */
1424long keyctl_session_to_parent(void) 1455long keyctl_session_to_parent(void)
1425{ 1456{
1426#ifdef TIF_NOTIFY_RESUME
1427 struct task_struct *me, *parent; 1457 struct task_struct *me, *parent;
1428 const struct cred *mycred, *pcred; 1458 const struct cred *mycred, *pcred;
1429 struct cred *cred, *oldcred; 1459 struct task_work *newwork, *oldwork;
1430 key_ref_t keyring_r; 1460 key_ref_t keyring_r;
1461 struct cred *cred;
1431 int ret; 1462 int ret;
1432 1463
1433 keyring_r = lookup_user_key(KEY_SPEC_SESSION_KEYRING, 0, KEY_LINK); 1464 keyring_r = lookup_user_key(KEY_SPEC_SESSION_KEYRING, 0, KEY_LINK);
1434 if (IS_ERR(keyring_r)) 1465 if (IS_ERR(keyring_r))
1435 return PTR_ERR(keyring_r); 1466 return PTR_ERR(keyring_r);
1436 1467
1468 ret = -ENOMEM;
1469 newwork = kmalloc(sizeof(struct task_work), GFP_KERNEL);
1470 if (!newwork)
1471 goto error_keyring;
1472
1437 /* our parent is going to need a new cred struct, a new tgcred struct 1473 /* our parent is going to need a new cred struct, a new tgcred struct
1438 * and new security data, so we allocate them here to prevent ENOMEM in 1474 * and new security data, so we allocate them here to prevent ENOMEM in
1439 * our parent */ 1475 * our parent */
1440 ret = -ENOMEM;
1441 cred = cred_alloc_blank(); 1476 cred = cred_alloc_blank();
1442 if (!cred) 1477 if (!cred)
1443 goto error_keyring; 1478 goto error_newwork;
1444 1479
1445 cred->tgcred->session_keyring = key_ref_to_ptr(keyring_r); 1480 cred->tgcred->session_keyring = key_ref_to_ptr(keyring_r);
1446 keyring_r = NULL; 1481 init_task_work(newwork, key_change_session_keyring, cred);
1447 1482
1448 me = current; 1483 me = current;
1449 rcu_read_lock(); 1484 rcu_read_lock();
1450 write_lock_irq(&tasklist_lock); 1485 write_lock_irq(&tasklist_lock);
1451 1486
1452 parent = me->real_parent;
1453 ret = -EPERM; 1487 ret = -EPERM;
1488 oldwork = NULL;
1489 parent = me->real_parent;
1454 1490
1455 /* the parent mustn't be init and mustn't be a kernel thread */ 1491 /* the parent mustn't be init and mustn't be a kernel thread */
1456 if (parent->pid <= 1 || !parent->mm) 1492 if (parent->pid <= 1 || !parent->mm)
1457 goto not_permitted; 1493 goto unlock;
1458 1494
1459 /* the parent must be single threaded */ 1495 /* the parent must be single threaded */
1460 if (!thread_group_empty(parent)) 1496 if (!thread_group_empty(parent))
1461 goto not_permitted; 1497 goto unlock;
1462 1498
1463 /* the parent and the child must have different session keyrings or 1499 /* the parent and the child must have different session keyrings or
1464 * there's no point */ 1500 * there's no point */
1465 mycred = current_cred(); 1501 mycred = current_cred();
1466 pcred = __task_cred(parent); 1502 pcred = __task_cred(parent);
1467 if (mycred == pcred || 1503 if (mycred == pcred ||
1468 mycred->tgcred->session_keyring == pcred->tgcred->session_keyring) 1504 mycred->tgcred->session_keyring == pcred->tgcred->session_keyring) {
1469 goto already_same; 1505 ret = 0;
1506 goto unlock;
1507 }
1470 1508
1471 /* the parent must have the same effective ownership and mustn't be 1509 /* the parent must have the same effective ownership and mustn't be
1472 * SUID/SGID */ 1510 * SUID/SGID */
@@ -1476,50 +1514,40 @@ long keyctl_session_to_parent(void)
1476 pcred->gid != mycred->egid || 1514 pcred->gid != mycred->egid ||
1477 pcred->egid != mycred->egid || 1515 pcred->egid != mycred->egid ||
1478 pcred->sgid != mycred->egid) 1516 pcred->sgid != mycred->egid)
1479 goto not_permitted; 1517 goto unlock;
1480 1518
1481 /* the keyrings must have the same UID */ 1519 /* the keyrings must have the same UID */
1482 if ((pcred->tgcred->session_keyring && 1520 if ((pcred->tgcred->session_keyring &&
1483 pcred->tgcred->session_keyring->uid != mycred->euid) || 1521 pcred->tgcred->session_keyring->uid != mycred->euid) ||
1484 mycred->tgcred->session_keyring->uid != mycred->euid) 1522 mycred->tgcred->session_keyring->uid != mycred->euid)
1485 goto not_permitted; 1523 goto unlock;
1486 1524
1487 /* if there's an already pending keyring replacement, then we replace 1525 /* cancel an already pending keyring replacement */
1488 * that */ 1526 oldwork = task_work_cancel(parent, key_change_session_keyring);
1489 oldcred = parent->replacement_session_keyring;
1490 1527
1491 /* the replacement session keyring is applied just prior to userspace 1528 /* the replacement session keyring is applied just prior to userspace
1492 * restarting */ 1529 * restarting */
1493 parent->replacement_session_keyring = cred; 1530 ret = task_work_add(parent, newwork, true);
1494 cred = NULL; 1531 if (!ret)
1495 set_ti_thread_flag(task_thread_info(parent), TIF_NOTIFY_RESUME); 1532 newwork = NULL;
1496 1533unlock:
1497 write_unlock_irq(&tasklist_lock);
1498 rcu_read_unlock();
1499 if (oldcred)
1500 put_cred(oldcred);
1501 return 0;
1502
1503already_same:
1504 ret = 0;
1505not_permitted:
1506 write_unlock_irq(&tasklist_lock); 1534 write_unlock_irq(&tasklist_lock);
1507 rcu_read_unlock(); 1535 rcu_read_unlock();
1508 put_cred(cred); 1536 if (oldwork) {
1537 put_cred(oldwork->data);
1538 kfree(oldwork);
1539 }
1540 if (newwork) {
1541 put_cred(newwork->data);
1542 kfree(newwork);
1543 }
1509 return ret; 1544 return ret;
1510 1545
1546error_newwork:
1547 kfree(newwork);
1511error_keyring: 1548error_keyring:
1512 key_ref_put(keyring_r); 1549 key_ref_put(keyring_r);
1513 return ret; 1550 return ret;
1514
1515#else /* !TIF_NOTIFY_RESUME */
1516 /*
1517 * To be removed when TIF_NOTIFY_RESUME has been implemented on
1518 * m68k/xtensa
1519 */
1520#warning TIF_NOTIFY_RESUME not implemented
1521 return -EOPNOTSUPP;
1522#endif /* !TIF_NOTIFY_RESUME */
1523} 1551}
1524 1552
1525/* 1553/*
@@ -1622,6 +1650,9 @@ SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,
1622 (unsigned) arg4, 1650 (unsigned) arg4,
1623 (key_serial_t) arg5); 1651 (key_serial_t) arg5);
1624 1652
1653 case KEYCTL_INVALIDATE:
1654 return keyctl_invalidate_key((key_serial_t) arg2);
1655
1625 default: 1656 default:
1626 return -EOPNOTSUPP; 1657 return -EOPNOTSUPP;
1627 } 1658 }
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index d605f75292e4..7445875f6818 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -25,6 +25,15 @@
25 (keyring)->payload.subscriptions, \ 25 (keyring)->payload.subscriptions, \
26 rwsem_is_locked((struct rw_semaphore *)&(keyring)->sem))) 26 rwsem_is_locked((struct rw_semaphore *)&(keyring)->sem)))
27 27
28#define rcu_deref_link_locked(klist, index, keyring) \
29 (rcu_dereference_protected( \
30 (klist)->keys[index], \
31 rwsem_is_locked((struct rw_semaphore *)&(keyring)->sem)))
32
33#define MAX_KEYRING_LINKS \
34 min_t(size_t, USHRT_MAX - 1, \
35 ((PAGE_SIZE - sizeof(struct keyring_list)) / sizeof(struct key *)))
36
28#define KEY_LINK_FIXQUOTA 1UL 37#define KEY_LINK_FIXQUOTA 1UL
29 38
30/* 39/*
@@ -138,6 +147,11 @@ static int keyring_match(const struct key *keyring, const void *description)
138/* 147/*
139 * Clean up a keyring when it is destroyed. Unpublish its name if it had one 148 * Clean up a keyring when it is destroyed. Unpublish its name if it had one
140 * and dispose of its data. 149 * and dispose of its data.
150 *
151 * The garbage collector detects the final key_put(), removes the keyring from
152 * the serial number tree and then does RCU synchronisation before coming here,
153 * so we shouldn't need to worry about code poking around here with the RCU
154 * readlock held by this time.
141 */ 155 */
142static void keyring_destroy(struct key *keyring) 156static void keyring_destroy(struct key *keyring)
143{ 157{
@@ -154,11 +168,10 @@ static void keyring_destroy(struct key *keyring)
154 write_unlock(&keyring_name_lock); 168 write_unlock(&keyring_name_lock);
155 } 169 }
156 170
157 klist = rcu_dereference_check(keyring->payload.subscriptions, 171 klist = rcu_access_pointer(keyring->payload.subscriptions);
158 atomic_read(&keyring->usage) == 0);
159 if (klist) { 172 if (klist) {
160 for (loop = klist->nkeys - 1; loop >= 0; loop--) 173 for (loop = klist->nkeys - 1; loop >= 0; loop--)
161 key_put(klist->keys[loop]); 174 key_put(rcu_access_pointer(klist->keys[loop]));
162 kfree(klist); 175 kfree(klist);
163 } 176 }
164} 177}
@@ -214,7 +227,8 @@ static long keyring_read(const struct key *keyring,
214 ret = -EFAULT; 227 ret = -EFAULT;
215 228
216 for (loop = 0; loop < klist->nkeys; loop++) { 229 for (loop = 0; loop < klist->nkeys; loop++) {
217 key = klist->keys[loop]; 230 key = rcu_deref_link_locked(klist, loop,
231 keyring);
218 232
219 tmp = sizeof(key_serial_t); 233 tmp = sizeof(key_serial_t);
220 if (tmp > buflen) 234 if (tmp > buflen)
@@ -309,6 +323,8 @@ key_ref_t keyring_search_aux(key_ref_t keyring_ref,
309 bool no_state_check) 323 bool no_state_check)
310{ 324{
311 struct { 325 struct {
326 /* Need a separate keylist pointer for RCU purposes */
327 struct key *keyring;
312 struct keyring_list *keylist; 328 struct keyring_list *keylist;
313 int kix; 329 int kix;
314 } stack[KEYRING_SEARCH_MAX_DEPTH]; 330 } stack[KEYRING_SEARCH_MAX_DEPTH];
@@ -366,13 +382,17 @@ key_ref_t keyring_search_aux(key_ref_t keyring_ref,
366 /* otherwise, the top keyring must not be revoked, expired, or 382 /* otherwise, the top keyring must not be revoked, expired, or
367 * negatively instantiated if we are to search it */ 383 * negatively instantiated if we are to search it */
368 key_ref = ERR_PTR(-EAGAIN); 384 key_ref = ERR_PTR(-EAGAIN);
369 if (kflags & ((1 << KEY_FLAG_REVOKED) | (1 << KEY_FLAG_NEGATIVE)) || 385 if (kflags & ((1 << KEY_FLAG_INVALIDATED) |
386 (1 << KEY_FLAG_REVOKED) |
387 (1 << KEY_FLAG_NEGATIVE)) ||
370 (keyring->expiry && now.tv_sec >= keyring->expiry)) 388 (keyring->expiry && now.tv_sec >= keyring->expiry))
371 goto error_2; 389 goto error_2;
372 390
373 /* start processing a new keyring */ 391 /* start processing a new keyring */
374descend: 392descend:
375 if (test_bit(KEY_FLAG_REVOKED, &keyring->flags)) 393 kflags = keyring->flags;
394 if (kflags & ((1 << KEY_FLAG_INVALIDATED) |
395 (1 << KEY_FLAG_REVOKED)))
376 goto not_this_keyring; 396 goto not_this_keyring;
377 397
378 keylist = rcu_dereference(keyring->payload.subscriptions); 398 keylist = rcu_dereference(keyring->payload.subscriptions);
@@ -383,16 +403,17 @@ descend:
383 nkeys = keylist->nkeys; 403 nkeys = keylist->nkeys;
384 smp_rmb(); 404 smp_rmb();
385 for (kix = 0; kix < nkeys; kix++) { 405 for (kix = 0; kix < nkeys; kix++) {
386 key = keylist->keys[kix]; 406 key = rcu_dereference(keylist->keys[kix]);
387 kflags = key->flags; 407 kflags = key->flags;
388 408
389 /* ignore keys not of this type */ 409 /* ignore keys not of this type */
390 if (key->type != type) 410 if (key->type != type)
391 continue; 411 continue;
392 412
393 /* skip revoked keys and expired keys */ 413 /* skip invalidated, revoked and expired keys */
394 if (!no_state_check) { 414 if (!no_state_check) {
395 if (kflags & (1 << KEY_FLAG_REVOKED)) 415 if (kflags & ((1 << KEY_FLAG_INVALIDATED) |
416 (1 << KEY_FLAG_REVOKED)))
396 continue; 417 continue;
397 418
398 if (key->expiry && now.tv_sec >= key->expiry) 419 if (key->expiry && now.tv_sec >= key->expiry)
@@ -426,7 +447,7 @@ ascend:
426 nkeys = keylist->nkeys; 447 nkeys = keylist->nkeys;
427 smp_rmb(); 448 smp_rmb();
428 for (; kix < nkeys; kix++) { 449 for (; kix < nkeys; kix++) {
429 key = keylist->keys[kix]; 450 key = rcu_dereference(keylist->keys[kix]);
430 if (key->type != &key_type_keyring) 451 if (key->type != &key_type_keyring)
431 continue; 452 continue;
432 453
@@ -441,6 +462,7 @@ ascend:
441 continue; 462 continue;
442 463
443 /* stack the current position */ 464 /* stack the current position */
465 stack[sp].keyring = keyring;
444 stack[sp].keylist = keylist; 466 stack[sp].keylist = keylist;
445 stack[sp].kix = kix; 467 stack[sp].kix = kix;
446 sp++; 468 sp++;
@@ -456,6 +478,7 @@ not_this_keyring:
456 if (sp > 0) { 478 if (sp > 0) {
457 /* resume the processing of a keyring higher up in the tree */ 479 /* resume the processing of a keyring higher up in the tree */
458 sp--; 480 sp--;
481 keyring = stack[sp].keyring;
459 keylist = stack[sp].keylist; 482 keylist = stack[sp].keylist;
460 kix = stack[sp].kix + 1; 483 kix = stack[sp].kix + 1;
461 goto ascend; 484 goto ascend;
@@ -467,6 +490,10 @@ not_this_keyring:
467 /* we found a viable match */ 490 /* we found a viable match */
468found: 491found:
469 atomic_inc(&key->usage); 492 atomic_inc(&key->usage);
493 key->last_used_at = now.tv_sec;
494 keyring->last_used_at = now.tv_sec;
495 while (sp > 0)
496 stack[--sp].keyring->last_used_at = now.tv_sec;
470 key_check(key); 497 key_check(key);
471 key_ref = make_key_ref(key, possessed); 498 key_ref = make_key_ref(key, possessed);
472error_2: 499error_2:
@@ -531,14 +558,14 @@ key_ref_t __keyring_search_one(key_ref_t keyring_ref,
531 nkeys = klist->nkeys; 558 nkeys = klist->nkeys;
532 smp_rmb(); 559 smp_rmb();
533 for (loop = 0; loop < nkeys ; loop++) { 560 for (loop = 0; loop < nkeys ; loop++) {
534 key = klist->keys[loop]; 561 key = rcu_dereference(klist->keys[loop]);
535
536 if (key->type == ktype && 562 if (key->type == ktype &&
537 (!key->type->match || 563 (!key->type->match ||
538 key->type->match(key, description)) && 564 key->type->match(key, description)) &&
539 key_permission(make_key_ref(key, possessed), 565 key_permission(make_key_ref(key, possessed),
540 perm) == 0 && 566 perm) == 0 &&
541 !test_bit(KEY_FLAG_REVOKED, &key->flags) 567 !(key->flags & ((1 << KEY_FLAG_INVALIDATED) |
568 (1 << KEY_FLAG_REVOKED)))
542 ) 569 )
543 goto found; 570 goto found;
544 } 571 }
@@ -549,6 +576,8 @@ key_ref_t __keyring_search_one(key_ref_t keyring_ref,
549 576
550found: 577found:
551 atomic_inc(&key->usage); 578 atomic_inc(&key->usage);
579 keyring->last_used_at = key->last_used_at =
580 current_kernel_time().tv_sec;
552 rcu_read_unlock(); 581 rcu_read_unlock();
553 return make_key_ref(key, possessed); 582 return make_key_ref(key, possessed);
554} 583}
@@ -602,6 +631,7 @@ struct key *find_keyring_by_name(const char *name, bool skip_perm_check)
602 * (ie. it has a zero usage count) */ 631 * (ie. it has a zero usage count) */
603 if (!atomic_inc_not_zero(&keyring->usage)) 632 if (!atomic_inc_not_zero(&keyring->usage))
604 continue; 633 continue;
634 keyring->last_used_at = current_kernel_time().tv_sec;
605 goto out; 635 goto out;
606 } 636 }
607 } 637 }
@@ -654,7 +684,7 @@ ascend:
654 nkeys = keylist->nkeys; 684 nkeys = keylist->nkeys;
655 smp_rmb(); 685 smp_rmb();
656 for (; kix < nkeys; kix++) { 686 for (; kix < nkeys; kix++) {
657 key = keylist->keys[kix]; 687 key = rcu_dereference(keylist->keys[kix]);
658 688
659 if (key == A) 689 if (key == A)
660 goto cycle_detected; 690 goto cycle_detected;
@@ -711,7 +741,7 @@ static void keyring_unlink_rcu_disposal(struct rcu_head *rcu)
711 container_of(rcu, struct keyring_list, rcu); 741 container_of(rcu, struct keyring_list, rcu);
712 742
713 if (klist->delkey != USHRT_MAX) 743 if (klist->delkey != USHRT_MAX)
714 key_put(klist->keys[klist->delkey]); 744 key_put(rcu_access_pointer(klist->keys[klist->delkey]));
715 kfree(klist); 745 kfree(klist);
716} 746}
717 747
@@ -725,8 +755,9 @@ int __key_link_begin(struct key *keyring, const struct key_type *type,
725 struct keyring_list *klist, *nklist; 755 struct keyring_list *klist, *nklist;
726 unsigned long prealloc; 756 unsigned long prealloc;
727 unsigned max; 757 unsigned max;
758 time_t lowest_lru;
728 size_t size; 759 size_t size;
729 int loop, ret; 760 int loop, lru, ret;
730 761
731 kenter("%d,%s,%s,", key_serial(keyring), type->name, description); 762 kenter("%d,%s,%s,", key_serial(keyring), type->name, description);
732 763
@@ -747,31 +778,39 @@ int __key_link_begin(struct key *keyring, const struct key_type *type,
747 klist = rcu_dereference_locked_keyring(keyring); 778 klist = rcu_dereference_locked_keyring(keyring);
748 779
749 /* see if there's a matching key we can displace */ 780 /* see if there's a matching key we can displace */
781 lru = -1;
750 if (klist && klist->nkeys > 0) { 782 if (klist && klist->nkeys > 0) {
783 lowest_lru = TIME_T_MAX;
751 for (loop = klist->nkeys - 1; loop >= 0; loop--) { 784 for (loop = klist->nkeys - 1; loop >= 0; loop--) {
752 if (klist->keys[loop]->type == type && 785 struct key *key = rcu_deref_link_locked(klist, loop,
753 strcmp(klist->keys[loop]->description, 786 keyring);
754 description) == 0 787 if (key->type == type &&
755 ) { 788 strcmp(key->description, description) == 0) {
756 /* found a match - we'll replace this one with 789 /* Found a match - we'll replace the link with
757 * the new key */ 790 * one to the new key. We record the slot
758 size = sizeof(struct key *) * klist->maxkeys; 791 * position.
759 size += sizeof(*klist); 792 */
760 BUG_ON(size > PAGE_SIZE); 793 klist->delkey = loop;
761 794 prealloc = 0;
762 ret = -ENOMEM;
763 nklist = kmemdup(klist, size, GFP_KERNEL);
764 if (!nklist)
765 goto error_sem;
766
767 /* note replacement slot */
768 klist->delkey = nklist->delkey = loop;
769 prealloc = (unsigned long)nklist;
770 goto done; 795 goto done;
771 } 796 }
797 if (key->last_used_at < lowest_lru) {
798 lowest_lru = key->last_used_at;
799 lru = loop;
800 }
772 } 801 }
773 } 802 }
774 803
804 /* If the keyring is full then do an LRU discard */
805 if (klist &&
806 klist->nkeys == klist->maxkeys &&
807 klist->maxkeys >= MAX_KEYRING_LINKS) {
808 kdebug("LRU discard %d\n", lru);
809 klist->delkey = lru;
810 prealloc = 0;
811 goto done;
812 }
813
775 /* check that we aren't going to overrun the user's quota */ 814 /* check that we aren't going to overrun the user's quota */
776 ret = key_payload_reserve(keyring, 815 ret = key_payload_reserve(keyring,
777 keyring->datalen + KEYQUOTA_LINK_BYTES); 816 keyring->datalen + KEYQUOTA_LINK_BYTES);
@@ -780,20 +819,19 @@ int __key_link_begin(struct key *keyring, const struct key_type *type,
780 819
781 if (klist && klist->nkeys < klist->maxkeys) { 820 if (klist && klist->nkeys < klist->maxkeys) {
782 /* there's sufficient slack space to append directly */ 821 /* there's sufficient slack space to append directly */
783 nklist = NULL; 822 klist->delkey = klist->nkeys;
784 prealloc = KEY_LINK_FIXQUOTA; 823 prealloc = KEY_LINK_FIXQUOTA;
785 } else { 824 } else {
786 /* grow the key list */ 825 /* grow the key list */
787 max = 4; 826 max = 4;
788 if (klist) 827 if (klist) {
789 max += klist->maxkeys; 828 max += klist->maxkeys;
829 if (max > MAX_KEYRING_LINKS)
830 max = MAX_KEYRING_LINKS;
831 BUG_ON(max <= klist->maxkeys);
832 }
790 833
791 ret = -ENFILE;
792 if (max > USHRT_MAX - 1)
793 goto error_quota;
794 size = sizeof(*klist) + sizeof(struct key *) * max; 834 size = sizeof(*klist) + sizeof(struct key *) * max;
795 if (size > PAGE_SIZE)
796 goto error_quota;
797 835
798 ret = -ENOMEM; 836 ret = -ENOMEM;
799 nklist = kmalloc(size, GFP_KERNEL); 837 nklist = kmalloc(size, GFP_KERNEL);
@@ -813,10 +851,10 @@ int __key_link_begin(struct key *keyring, const struct key_type *type,
813 } 851 }
814 852
815 /* add the key into the new space */ 853 /* add the key into the new space */
816 nklist->keys[nklist->delkey] = NULL; 854 RCU_INIT_POINTER(nklist->keys[nklist->delkey], NULL);
855 prealloc = (unsigned long)nklist | KEY_LINK_FIXQUOTA;
817 } 856 }
818 857
819 prealloc = (unsigned long)nklist | KEY_LINK_FIXQUOTA;
820done: 858done:
821 *_prealloc = prealloc; 859 *_prealloc = prealloc;
822 kleave(" = 0"); 860 kleave(" = 0");
@@ -862,6 +900,7 @@ void __key_link(struct key *keyring, struct key *key,
862 unsigned long *_prealloc) 900 unsigned long *_prealloc)
863{ 901{
864 struct keyring_list *klist, *nklist; 902 struct keyring_list *klist, *nklist;
903 struct key *discard;
865 904
866 nklist = (struct keyring_list *)(*_prealloc & ~KEY_LINK_FIXQUOTA); 905 nklist = (struct keyring_list *)(*_prealloc & ~KEY_LINK_FIXQUOTA);
867 *_prealloc = 0; 906 *_prealloc = 0;
@@ -871,14 +910,16 @@ void __key_link(struct key *keyring, struct key *key,
871 klist = rcu_dereference_locked_keyring(keyring); 910 klist = rcu_dereference_locked_keyring(keyring);
872 911
873 atomic_inc(&key->usage); 912 atomic_inc(&key->usage);
913 keyring->last_used_at = key->last_used_at =
914 current_kernel_time().tv_sec;
874 915
875 /* there's a matching key we can displace or an empty slot in a newly 916 /* there's a matching key we can displace or an empty slot in a newly
876 * allocated list we can fill */ 917 * allocated list we can fill */
877 if (nklist) { 918 if (nklist) {
878 kdebug("replace %hu/%hu/%hu", 919 kdebug("reissue %hu/%hu/%hu",
879 nklist->delkey, nklist->nkeys, nklist->maxkeys); 920 nklist->delkey, nklist->nkeys, nklist->maxkeys);
880 921
881 nklist->keys[nklist->delkey] = key; 922 RCU_INIT_POINTER(nklist->keys[nklist->delkey], key);
882 923
883 rcu_assign_pointer(keyring->payload.subscriptions, nklist); 924 rcu_assign_pointer(keyring->payload.subscriptions, nklist);
884 925
@@ -889,9 +930,23 @@ void __key_link(struct key *keyring, struct key *key,
889 klist->delkey, klist->nkeys, klist->maxkeys); 930 klist->delkey, klist->nkeys, klist->maxkeys);
890 call_rcu(&klist->rcu, keyring_unlink_rcu_disposal); 931 call_rcu(&klist->rcu, keyring_unlink_rcu_disposal);
891 } 932 }
933 } else if (klist->delkey < klist->nkeys) {
934 kdebug("replace %hu/%hu/%hu",
935 klist->delkey, klist->nkeys, klist->maxkeys);
936
937 discard = rcu_dereference_protected(
938 klist->keys[klist->delkey],
939 rwsem_is_locked(&keyring->sem));
940 rcu_assign_pointer(klist->keys[klist->delkey], key);
941 /* The garbage collector will take care of RCU
942 * synchronisation */
943 key_put(discard);
892 } else { 944 } else {
893 /* there's sufficient slack space to append directly */ 945 /* there's sufficient slack space to append directly */
894 klist->keys[klist->nkeys] = key; 946 kdebug("append %hu/%hu/%hu",
947 klist->delkey, klist->nkeys, klist->maxkeys);
948
949 RCU_INIT_POINTER(klist->keys[klist->delkey], key);
895 smp_wmb(); 950 smp_wmb();
896 klist->nkeys++; 951 klist->nkeys++;
897 } 952 }
@@ -998,7 +1053,7 @@ int key_unlink(struct key *keyring, struct key *key)
998 if (klist) { 1053 if (klist) {
999 /* search the keyring for the key */ 1054 /* search the keyring for the key */
1000 for (loop = 0; loop < klist->nkeys; loop++) 1055 for (loop = 0; loop < klist->nkeys; loop++)
1001 if (klist->keys[loop] == key) 1056 if (rcu_access_pointer(klist->keys[loop]) == key)
1002 goto key_is_present; 1057 goto key_is_present;
1003 } 1058 }
1004 1059
@@ -1061,7 +1116,7 @@ static void keyring_clear_rcu_disposal(struct rcu_head *rcu)
1061 klist = container_of(rcu, struct keyring_list, rcu); 1116 klist = container_of(rcu, struct keyring_list, rcu);
1062 1117
1063 for (loop = klist->nkeys - 1; loop >= 0; loop--) 1118 for (loop = klist->nkeys - 1; loop >= 0; loop--)
1064 key_put(klist->keys[loop]); 1119 key_put(rcu_access_pointer(klist->keys[loop]));
1065 1120
1066 kfree(klist); 1121 kfree(klist);
1067} 1122}
@@ -1128,15 +1183,6 @@ static void keyring_revoke(struct key *keyring)
1128} 1183}
1129 1184
1130/* 1185/*
1131 * Determine whether a key is dead.
1132 */
1133static bool key_is_dead(struct key *key, time_t limit)
1134{
1135 return test_bit(KEY_FLAG_DEAD, &key->flags) ||
1136 (key->expiry > 0 && key->expiry <= limit);
1137}
1138
1139/*
1140 * Collect garbage from the contents of a keyring, replacing the old list with 1186 * Collect garbage from the contents of a keyring, replacing the old list with
1141 * a new one with the pointers all shuffled down. 1187 * a new one with the pointers all shuffled down.
1142 * 1188 *
@@ -1161,7 +1207,8 @@ void keyring_gc(struct key *keyring, time_t limit)
1161 /* work out how many subscriptions we're keeping */ 1207 /* work out how many subscriptions we're keeping */
1162 keep = 0; 1208 keep = 0;
1163 for (loop = klist->nkeys - 1; loop >= 0; loop--) 1209 for (loop = klist->nkeys - 1; loop >= 0; loop--)
1164 if (!key_is_dead(klist->keys[loop], limit)) 1210 if (!key_is_dead(rcu_deref_link_locked(klist, loop, keyring),
1211 limit))
1165 keep++; 1212 keep++;
1166 1213
1167 if (keep == klist->nkeys) 1214 if (keep == klist->nkeys)
@@ -1182,11 +1229,11 @@ void keyring_gc(struct key *keyring, time_t limit)
1182 */ 1229 */
1183 keep = 0; 1230 keep = 0;
1184 for (loop = klist->nkeys - 1; loop >= 0; loop--) { 1231 for (loop = klist->nkeys - 1; loop >= 0; loop--) {
1185 key = klist->keys[loop]; 1232 key = rcu_deref_link_locked(klist, loop, keyring);
1186 if (!key_is_dead(key, limit)) { 1233 if (!key_is_dead(key, limit)) {
1187 if (keep >= max) 1234 if (keep >= max)
1188 goto discard_new; 1235 goto discard_new;
1189 new->keys[keep++] = key_get(key); 1236 RCU_INIT_POINTER(new->keys[keep++], key_get(key));
1190 } 1237 }
1191 } 1238 }
1192 new->nkeys = keep; 1239 new->nkeys = keep;
diff --git a/security/keys/permission.c b/security/keys/permission.c
index c35b5229e3cd..0b4d019e027d 100644
--- a/security/keys/permission.c
+++ b/security/keys/permission.c
@@ -36,7 +36,7 @@ int key_task_permission(const key_ref_t key_ref, const struct cred *cred,
36 36
37 key = key_ref_to_ptr(key_ref); 37 key = key_ref_to_ptr(key_ref);
38 38
39 if (key->user->user_ns != cred->user->user_ns) 39 if (key->user->user_ns != cred->user_ns)
40 goto use_other_perms; 40 goto use_other_perms;
41 41
42 /* use the second 8-bits of permissions for keys the caller owns */ 42 /* use the second 8-bits of permissions for keys the caller owns */
@@ -53,7 +53,8 @@ int key_task_permission(const key_ref_t key_ref, const struct cred *cred,
53 goto use_these_perms; 53 goto use_these_perms;
54 } 54 }
55 55
56 ret = groups_search(cred->group_info, key->gid); 56 ret = groups_search(cred->group_info,
57 make_kgid(current_user_ns(), key->gid));
57 if (ret) { 58 if (ret) {
58 kperm = key->perm >> 8; 59 kperm = key->perm >> 8;
59 goto use_these_perms; 60 goto use_these_perms;
@@ -87,32 +88,29 @@ EXPORT_SYMBOL(key_task_permission);
87 * key_validate - Validate a key. 88 * key_validate - Validate a key.
88 * @key: The key to be validated. 89 * @key: The key to be validated.
89 * 90 *
90 * Check that a key is valid, returning 0 if the key is okay, -EKEYREVOKED if 91 * Check that a key is valid, returning 0 if the key is okay, -ENOKEY if the
91 * the key's type has been removed or if the key has been revoked or 92 * key is invalidated, -EKEYREVOKED if the key's type has been removed or if
92 * -EKEYEXPIRED if the key has expired. 93 * the key has been revoked or -EKEYEXPIRED if the key has expired.
93 */ 94 */
94int key_validate(struct key *key) 95int key_validate(const struct key *key)
95{ 96{
96 struct timespec now; 97 unsigned long flags = key->flags;
97 int ret = 0; 98
98 99 if (flags & (1 << KEY_FLAG_INVALIDATED))
99 if (key) { 100 return -ENOKEY;
100 /* check it's still accessible */ 101
101 ret = -EKEYREVOKED; 102 /* check it's still accessible */
102 if (test_bit(KEY_FLAG_REVOKED, &key->flags) || 103 if (flags & ((1 << KEY_FLAG_REVOKED) |
103 test_bit(KEY_FLAG_DEAD, &key->flags)) 104 (1 << KEY_FLAG_DEAD)))
104 goto error; 105 return -EKEYREVOKED;
105 106
106 /* check it hasn't expired */ 107 /* check it hasn't expired */
107 ret = 0; 108 if (key->expiry) {
108 if (key->expiry) { 109 struct timespec now = current_kernel_time();
109 now = current_kernel_time(); 110 if (now.tv_sec >= key->expiry)
110 if (now.tv_sec >= key->expiry) 111 return -EKEYEXPIRED;
111 ret = -EKEYEXPIRED;
112 }
113 } 112 }
114 113
115error: 114 return 0;
116 return ret;
117} 115}
118EXPORT_SYMBOL(key_validate); 116EXPORT_SYMBOL(key_validate);
diff --git a/security/keys/proc.c b/security/keys/proc.c
index 49bbc97943ad..30d1ddfd9cef 100644
--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -242,7 +242,7 @@ static int proc_keys_show(struct seq_file *m, void *v)
242#define showflag(KEY, LETTER, FLAG) \ 242#define showflag(KEY, LETTER, FLAG) \
243 (test_bit(FLAG, &(KEY)->flags) ? LETTER : '-') 243 (test_bit(FLAG, &(KEY)->flags) ? LETTER : '-')
244 244
245 seq_printf(m, "%08x %c%c%c%c%c%c %5d %4s %08x %5d %5d %-9.9s ", 245 seq_printf(m, "%08x %c%c%c%c%c%c%c %5d %4s %08x %5d %5d %-9.9s ",
246 key->serial, 246 key->serial,
247 showflag(key, 'I', KEY_FLAG_INSTANTIATED), 247 showflag(key, 'I', KEY_FLAG_INSTANTIATED),
248 showflag(key, 'R', KEY_FLAG_REVOKED), 248 showflag(key, 'R', KEY_FLAG_REVOKED),
@@ -250,6 +250,7 @@ static int proc_keys_show(struct seq_file *m, void *v)
250 showflag(key, 'Q', KEY_FLAG_IN_QUOTA), 250 showflag(key, 'Q', KEY_FLAG_IN_QUOTA),
251 showflag(key, 'U', KEY_FLAG_USER_CONSTRUCT), 251 showflag(key, 'U', KEY_FLAG_USER_CONSTRUCT),
252 showflag(key, 'N', KEY_FLAG_NEGATIVE), 252 showflag(key, 'N', KEY_FLAG_NEGATIVE),
253 showflag(key, 'i', KEY_FLAG_INVALIDATED),
253 atomic_read(&key->usage), 254 atomic_read(&key->usage),
254 xbuf, 255 xbuf,
255 key->perm, 256 key->perm,
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index be7ecb2018dd..4ad54eea1ea4 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -732,6 +732,8 @@ try_again:
732 if (ret < 0) 732 if (ret < 0)
733 goto invalid_key; 733 goto invalid_key;
734 734
735 key->last_used_at = current_kernel_time().tv_sec;
736
735error: 737error:
736 put_cred(cred); 738 put_cred(cred);
737 return key_ref; 739 return key_ref;
@@ -832,23 +834,17 @@ error:
832 * Replace a process's session keyring on behalf of one of its children when 834 * Replace a process's session keyring on behalf of one of its children when
833 * the target process is about to resume userspace execution. 835 * the target process is about to resume userspace execution.
834 */ 836 */
835void key_replace_session_keyring(void) 837void key_change_session_keyring(struct task_work *twork)
836{ 838{
837 const struct cred *old; 839 const struct cred *old = current_cred();
838 struct cred *new; 840 struct cred *new = twork->data;
839 841
840 if (!current->replacement_session_keyring) 842 kfree(twork);
841 return; 843 if (unlikely(current->flags & PF_EXITING)) {
842 844 put_cred(new);
843 write_lock_irq(&tasklist_lock);
844 new = current->replacement_session_keyring;
845 current->replacement_session_keyring = NULL;
846 write_unlock_irq(&tasklist_lock);
847
848 if (!new)
849 return; 845 return;
846 }
850 847
851 old = current_cred();
852 new-> uid = old-> uid; 848 new-> uid = old-> uid;
853 new-> euid = old-> euid; 849 new-> euid = old-> euid;
854 new-> suid = old-> suid; 850 new-> suid = old-> suid;
@@ -858,7 +854,7 @@ void key_replace_session_keyring(void)
858 new-> sgid = old-> sgid; 854 new-> sgid = old-> sgid;
859 new->fsgid = old->fsgid; 855 new->fsgid = old->fsgid;
860 new->user = get_uid(old->user); 856 new->user = get_uid(old->user);
861 new->user_ns = new->user->user_ns; 857 new->user_ns = get_user_ns(new->user_ns);
862 new->group_info = get_group_info(old->group_info); 858 new->group_info = get_group_info(old->group_info);
863 859
864 new->securebits = old->securebits; 860 new->securebits = old->securebits;
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index cc3790315d2f..000e75017520 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -93,16 +93,9 @@ static void umh_keys_cleanup(struct subprocess_info *info)
93static int call_usermodehelper_keys(char *path, char **argv, char **envp, 93static int call_usermodehelper_keys(char *path, char **argv, char **envp,
94 struct key *session_keyring, int wait) 94 struct key *session_keyring, int wait)
95{ 95{
96 gfp_t gfp_mask = (wait == UMH_NO_WAIT) ? GFP_ATOMIC : GFP_KERNEL; 96 return call_usermodehelper_fns(path, argv, envp, wait,
97 struct subprocess_info *info = 97 umh_keys_init, umh_keys_cleanup,
98 call_usermodehelper_setup(path, argv, envp, gfp_mask); 98 key_get(session_keyring));
99
100 if (!info)
101 return -ENOMEM;
102
103 call_usermodehelper_setfns(info, umh_keys_init, umh_keys_cleanup,
104 key_get(session_keyring));
105 return call_usermodehelper_exec(info, wait);
106} 99}
107 100
108/* 101/*
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 90c129b0102f..8d8d97dbb389 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -213,12 +213,15 @@ static void dump_common_audit_data(struct audit_buffer *ab,
213{ 213{
214 struct task_struct *tsk = current; 214 struct task_struct *tsk = current;
215 215
216 if (a->tsk) 216 /*
217 tsk = a->tsk; 217 * To keep stack sizes in check force programers to notice if they
218 if (tsk && tsk->pid) { 218 * start making this union too large! See struct lsm_network_audit
219 audit_log_format(ab, " pid=%d comm=", tsk->pid); 219 * as an example of how to deal with large data.
220 audit_log_untrustedstring(ab, tsk->comm); 220 */
221 } 221 BUILD_BUG_ON(sizeof(a->u) > sizeof(void *)*2);
222
223 audit_log_format(ab, " pid=%d comm=", tsk->pid);
224 audit_log_untrustedstring(ab, tsk->comm);
222 225
223 switch (a->type) { 226 switch (a->type) {
224 case LSM_AUDIT_DATA_NONE: 227 case LSM_AUDIT_DATA_NONE:
diff --git a/security/security.c b/security/security.c
index bf619ffc9a4d..3efc9b12aef4 100644
--- a/security/security.c
+++ b/security/security.c
@@ -20,6 +20,9 @@
20#include <linux/ima.h> 20#include <linux/ima.h>
21#include <linux/evm.h> 21#include <linux/evm.h>
22#include <linux/fsnotify.h> 22#include <linux/fsnotify.h>
23#include <linux/mman.h>
24#include <linux/mount.h>
25#include <linux/personality.h>
23#include <net/flow.h> 26#include <net/flow.h>
24 27
25#define MAX_LSM_EVM_XATTR 2 28#define MAX_LSM_EVM_XATTR 2
@@ -657,18 +660,56 @@ int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
657 return security_ops->file_ioctl(file, cmd, arg); 660 return security_ops->file_ioctl(file, cmd, arg);
658} 661}
659 662
660int security_file_mmap(struct file *file, unsigned long reqprot, 663static inline unsigned long mmap_prot(struct file *file, unsigned long prot)
661 unsigned long prot, unsigned long flags,
662 unsigned long addr, unsigned long addr_only)
663{ 664{
664 int ret; 665 /*
666 * Does we have PROT_READ and does the application expect
667 * it to imply PROT_EXEC? If not, nothing to talk about...
668 */
669 if ((prot & (PROT_READ | PROT_EXEC)) != PROT_READ)
670 return prot;
671 if (!(current->personality & READ_IMPLIES_EXEC))
672 return prot;
673 /*
674 * if that's an anonymous mapping, let it.
675 */
676 if (!file)
677 return prot | PROT_EXEC;
678 /*
679 * ditto if it's not on noexec mount, except that on !MMU we need
680 * BDI_CAP_EXEC_MMAP (== VM_MAYEXEC) in this case
681 */
682 if (!(file->f_path.mnt->mnt_flags & MNT_NOEXEC)) {
683#ifndef CONFIG_MMU
684 unsigned long caps = 0;
685 struct address_space *mapping = file->f_mapping;
686 if (mapping && mapping->backing_dev_info)
687 caps = mapping->backing_dev_info->capabilities;
688 if (!(caps & BDI_CAP_EXEC_MAP))
689 return prot;
690#endif
691 return prot | PROT_EXEC;
692 }
693 /* anything on noexec mount won't get PROT_EXEC */
694 return prot;
695}
665 696
666 ret = security_ops->file_mmap(file, reqprot, prot, flags, addr, addr_only); 697int security_mmap_file(struct file *file, unsigned long prot,
698 unsigned long flags)
699{
700 int ret;
701 ret = security_ops->mmap_file(file, prot,
702 mmap_prot(file, prot), flags);
667 if (ret) 703 if (ret)
668 return ret; 704 return ret;
669 return ima_file_mmap(file, prot); 705 return ima_file_mmap(file, prot);
670} 706}
671 707
708int security_mmap_addr(unsigned long addr)
709{
710 return security_ops->mmap_addr(addr);
711}
712
672int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, 713int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
673 unsigned long prot) 714 unsigned long prot)
674{ 715{
@@ -701,11 +742,11 @@ int security_file_receive(struct file *file)
701 return security_ops->file_receive(file); 742 return security_ops->file_receive(file);
702} 743}
703 744
704int security_dentry_open(struct file *file, const struct cred *cred) 745int security_file_open(struct file *file, const struct cred *cred)
705{ 746{
706 int ret; 747 int ret;
707 748
708 ret = security_ops->dentry_open(file, cred); 749 ret = security_ops->file_open(file, cred);
709 if (ret) 750 if (ret)
710 return ret; 751 return ret;
711 752
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 8ee42b2a5f19..68d82daed257 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -65,14 +65,8 @@ struct avc_cache {
65}; 65};
66 66
67struct avc_callback_node { 67struct avc_callback_node {
68 int (*callback) (u32 event, u32 ssid, u32 tsid, 68 int (*callback) (u32 event);
69 u16 tclass, u32 perms,
70 u32 *out_retained);
71 u32 events; 69 u32 events;
72 u32 ssid;
73 u32 tsid;
74 u16 tclass;
75 u32 perms;
76 struct avc_callback_node *next; 70 struct avc_callback_node *next;
77}; 71};
78 72
@@ -436,9 +430,9 @@ static void avc_audit_pre_callback(struct audit_buffer *ab, void *a)
436{ 430{
437 struct common_audit_data *ad = a; 431 struct common_audit_data *ad = a;
438 audit_log_format(ab, "avc: %s ", 432 audit_log_format(ab, "avc: %s ",
439 ad->selinux_audit_data->slad->denied ? "denied" : "granted"); 433 ad->selinux_audit_data->denied ? "denied" : "granted");
440 avc_dump_av(ab, ad->selinux_audit_data->slad->tclass, 434 avc_dump_av(ab, ad->selinux_audit_data->tclass,
441 ad->selinux_audit_data->slad->audited); 435 ad->selinux_audit_data->audited);
442 audit_log_format(ab, " for "); 436 audit_log_format(ab, " for ");
443} 437}
444 438
@@ -452,25 +446,23 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
452{ 446{
453 struct common_audit_data *ad = a; 447 struct common_audit_data *ad = a;
454 audit_log_format(ab, " "); 448 audit_log_format(ab, " ");
455 avc_dump_query(ab, ad->selinux_audit_data->slad->ssid, 449 avc_dump_query(ab, ad->selinux_audit_data->ssid,
456 ad->selinux_audit_data->slad->tsid, 450 ad->selinux_audit_data->tsid,
457 ad->selinux_audit_data->slad->tclass); 451 ad->selinux_audit_data->tclass);
458} 452}
459 453
460/* This is the slow part of avc audit with big stack footprint */ 454/* This is the slow part of avc audit with big stack footprint */
461static noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, 455noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
462 u32 requested, u32 audited, u32 denied, 456 u32 requested, u32 audited, u32 denied,
463 struct common_audit_data *a, 457 struct common_audit_data *a,
464 unsigned flags) 458 unsigned flags)
465{ 459{
466 struct common_audit_data stack_data; 460 struct common_audit_data stack_data;
467 struct selinux_audit_data sad = {0,}; 461 struct selinux_audit_data sad;
468 struct selinux_late_audit_data slad;
469 462
470 if (!a) { 463 if (!a) {
471 a = &stack_data; 464 a = &stack_data;
472 COMMON_AUDIT_DATA_INIT(a, NONE); 465 a->type = LSM_AUDIT_DATA_NONE;
473 a->selinux_audit_data = &sad;
474 } 466 }
475 467
476 /* 468 /*
@@ -484,104 +476,34 @@ static noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
484 (flags & MAY_NOT_BLOCK)) 476 (flags & MAY_NOT_BLOCK))
485 return -ECHILD; 477 return -ECHILD;
486 478
487 slad.tclass = tclass; 479 sad.tclass = tclass;
488 slad.requested = requested; 480 sad.requested = requested;
489 slad.ssid = ssid; 481 sad.ssid = ssid;
490 slad.tsid = tsid; 482 sad.tsid = tsid;
491 slad.audited = audited; 483 sad.audited = audited;
492 slad.denied = denied; 484 sad.denied = denied;
485
486 a->selinux_audit_data = &sad;
493 487
494 a->selinux_audit_data->slad = &slad;
495 common_lsm_audit(a, avc_audit_pre_callback, avc_audit_post_callback); 488 common_lsm_audit(a, avc_audit_pre_callback, avc_audit_post_callback);
496 return 0; 489 return 0;
497} 490}
498 491
499/** 492/**
500 * avc_audit - Audit the granting or denial of permissions.
501 * @ssid: source security identifier
502 * @tsid: target security identifier
503 * @tclass: target security class
504 * @requested: requested permissions
505 * @avd: access vector decisions
506 * @result: result from avc_has_perm_noaudit
507 * @a: auxiliary audit data
508 * @flags: VFS walk flags
509 *
510 * Audit the granting or denial of permissions in accordance
511 * with the policy. This function is typically called by
512 * avc_has_perm() after a permission check, but can also be
513 * called directly by callers who use avc_has_perm_noaudit()
514 * in order to separate the permission check from the auditing.
515 * For example, this separation is useful when the permission check must
516 * be performed under a lock, to allow the lock to be released
517 * before calling the auditing code.
518 */
519inline int avc_audit(u32 ssid, u32 tsid,
520 u16 tclass, u32 requested,
521 struct av_decision *avd, int result, struct common_audit_data *a,
522 unsigned flags)
523{
524 u32 denied, audited;
525 denied = requested & ~avd->allowed;
526 if (unlikely(denied)) {
527 audited = denied & avd->auditdeny;
528 /*
529 * a->selinux_audit_data->auditdeny is TRICKY! Setting a bit in
530 * this field means that ANY denials should NOT be audited if
531 * the policy contains an explicit dontaudit rule for that
532 * permission. Take notice that this is unrelated to the
533 * actual permissions that were denied. As an example lets
534 * assume:
535 *
536 * denied == READ
537 * avd.auditdeny & ACCESS == 0 (not set means explicit rule)
538 * selinux_audit_data->auditdeny & ACCESS == 1
539 *
540 * We will NOT audit the denial even though the denied
541 * permission was READ and the auditdeny checks were for
542 * ACCESS
543 */
544 if (a &&
545 a->selinux_audit_data->auditdeny &&
546 !(a->selinux_audit_data->auditdeny & avd->auditdeny))
547 audited = 0;
548 } else if (result)
549 audited = denied = requested;
550 else
551 audited = requested & avd->auditallow;
552 if (likely(!audited))
553 return 0;
554
555 return slow_avc_audit(ssid, tsid, tclass,
556 requested, audited, denied,
557 a, flags);
558}
559
560/**
561 * avc_add_callback - Register a callback for security events. 493 * avc_add_callback - Register a callback for security events.
562 * @callback: callback function 494 * @callback: callback function
563 * @events: security events 495 * @events: security events
564 * @ssid: source security identifier or %SECSID_WILD
565 * @tsid: target security identifier or %SECSID_WILD
566 * @tclass: target security class
567 * @perms: permissions
568 * 496 *
569 * Register a callback function for events in the set @events 497 * Register a callback function for events in the set @events.
570 * related to the SID pair (@ssid, @tsid) 498 * Returns %0 on success or -%ENOMEM if insufficient memory
571 * and the permissions @perms, interpreting 499 * exists to add the callback.
572 * @perms based on @tclass. Returns %0 on success or
573 * -%ENOMEM if insufficient memory exists to add the callback.
574 */ 500 */
575int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid, 501int __init avc_add_callback(int (*callback)(u32 event), u32 events)
576 u16 tclass, u32 perms,
577 u32 *out_retained),
578 u32 events, u32 ssid, u32 tsid,
579 u16 tclass, u32 perms)
580{ 502{
581 struct avc_callback_node *c; 503 struct avc_callback_node *c;
582 int rc = 0; 504 int rc = 0;
583 505
584 c = kmalloc(sizeof(*c), GFP_ATOMIC); 506 c = kmalloc(sizeof(*c), GFP_KERNEL);
585 if (!c) { 507 if (!c) {
586 rc = -ENOMEM; 508 rc = -ENOMEM;
587 goto out; 509 goto out;
@@ -589,9 +511,6 @@ int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
589 511
590 c->callback = callback; 512 c->callback = callback;
591 c->events = events; 513 c->events = events;
592 c->ssid = ssid;
593 c->tsid = tsid;
594 c->perms = perms;
595 c->next = avc_callbacks; 514 c->next = avc_callbacks;
596 avc_callbacks = c; 515 avc_callbacks = c;
597out: 516out:
@@ -731,8 +650,7 @@ int avc_ss_reset(u32 seqno)
731 650
732 for (c = avc_callbacks; c; c = c->next) { 651 for (c = avc_callbacks; c; c = c->next) {
733 if (c->events & AVC_CALLBACK_RESET) { 652 if (c->events & AVC_CALLBACK_RESET) {
734 tmprc = c->callback(AVC_CALLBACK_RESET, 653 tmprc = c->callback(AVC_CALLBACK_RESET);
735 0, 0, 0, 0, NULL);
736 /* save the first error encountered for the return 654 /* save the first error encountered for the return
737 value and continue processing the callbacks */ 655 value and continue processing the callbacks */
738 if (!rc) 656 if (!rc)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d85b793c9321..372ec6502aa8 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1420,16 +1420,13 @@ static int cred_has_capability(const struct cred *cred,
1420 int cap, int audit) 1420 int cap, int audit)
1421{ 1421{
1422 struct common_audit_data ad; 1422 struct common_audit_data ad;
1423 struct selinux_audit_data sad = {0,};
1424 struct av_decision avd; 1423 struct av_decision avd;
1425 u16 sclass; 1424 u16 sclass;
1426 u32 sid = cred_sid(cred); 1425 u32 sid = cred_sid(cred);
1427 u32 av = CAP_TO_MASK(cap); 1426 u32 av = CAP_TO_MASK(cap);
1428 int rc; 1427 int rc;
1429 1428
1430 COMMON_AUDIT_DATA_INIT(&ad, CAP); 1429 ad.type = LSM_AUDIT_DATA_CAP;
1431 ad.selinux_audit_data = &sad;
1432 ad.tsk = current;
1433 ad.u.cap = cap; 1430 ad.u.cap = cap;
1434 1431
1435 switch (CAP_TO_INDEX(cap)) { 1432 switch (CAP_TO_INDEX(cap)) {
@@ -1488,20 +1485,6 @@ static int inode_has_perm(const struct cred *cred,
1488 return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags); 1485 return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
1489} 1486}
1490 1487
1491static int inode_has_perm_noadp(const struct cred *cred,
1492 struct inode *inode,
1493 u32 perms,
1494 unsigned flags)
1495{
1496 struct common_audit_data ad;
1497 struct selinux_audit_data sad = {0,};
1498
1499 COMMON_AUDIT_DATA_INIT(&ad, INODE);
1500 ad.u.inode = inode;
1501 ad.selinux_audit_data = &sad;
1502 return inode_has_perm(cred, inode, perms, &ad, flags);
1503}
1504
1505/* Same as inode_has_perm, but pass explicit audit data containing 1488/* Same as inode_has_perm, but pass explicit audit data containing
1506 the dentry to help the auditing code to more easily generate the 1489 the dentry to help the auditing code to more easily generate the
1507 pathname if needed. */ 1490 pathname if needed. */
@@ -1511,11 +1494,9 @@ static inline int dentry_has_perm(const struct cred *cred,
1511{ 1494{
1512 struct inode *inode = dentry->d_inode; 1495 struct inode *inode = dentry->d_inode;
1513 struct common_audit_data ad; 1496 struct common_audit_data ad;
1514 struct selinux_audit_data sad = {0,};
1515 1497
1516 COMMON_AUDIT_DATA_INIT(&ad, DENTRY); 1498 ad.type = LSM_AUDIT_DATA_DENTRY;
1517 ad.u.dentry = dentry; 1499 ad.u.dentry = dentry;
1518 ad.selinux_audit_data = &sad;
1519 return inode_has_perm(cred, inode, av, &ad, 0); 1500 return inode_has_perm(cred, inode, av, &ad, 0);
1520} 1501}
1521 1502
@@ -1528,11 +1509,9 @@ static inline int path_has_perm(const struct cred *cred,
1528{ 1509{
1529 struct inode *inode = path->dentry->d_inode; 1510 struct inode *inode = path->dentry->d_inode;
1530 struct common_audit_data ad; 1511 struct common_audit_data ad;
1531 struct selinux_audit_data sad = {0,};
1532 1512
1533 COMMON_AUDIT_DATA_INIT(&ad, PATH); 1513 ad.type = LSM_AUDIT_DATA_PATH;
1534 ad.u.path = *path; 1514 ad.u.path = *path;
1535 ad.selinux_audit_data = &sad;
1536 return inode_has_perm(cred, inode, av, &ad, 0); 1515 return inode_has_perm(cred, inode, av, &ad, 0);
1537} 1516}
1538 1517
@@ -1551,13 +1530,11 @@ static int file_has_perm(const struct cred *cred,
1551 struct file_security_struct *fsec = file->f_security; 1530 struct file_security_struct *fsec = file->f_security;
1552 struct inode *inode = file->f_path.dentry->d_inode; 1531 struct inode *inode = file->f_path.dentry->d_inode;
1553 struct common_audit_data ad; 1532 struct common_audit_data ad;
1554 struct selinux_audit_data sad = {0,};
1555 u32 sid = cred_sid(cred); 1533 u32 sid = cred_sid(cred);
1556 int rc; 1534 int rc;
1557 1535
1558 COMMON_AUDIT_DATA_INIT(&ad, PATH); 1536 ad.type = LSM_AUDIT_DATA_PATH;
1559 ad.u.path = file->f_path; 1537 ad.u.path = file->f_path;
1560 ad.selinux_audit_data = &sad;
1561 1538
1562 if (sid != fsec->sid) { 1539 if (sid != fsec->sid) {
1563 rc = avc_has_perm(sid, fsec->sid, 1540 rc = avc_has_perm(sid, fsec->sid,
@@ -1587,7 +1564,6 @@ static int may_create(struct inode *dir,
1587 struct superblock_security_struct *sbsec; 1564 struct superblock_security_struct *sbsec;
1588 u32 sid, newsid; 1565 u32 sid, newsid;
1589 struct common_audit_data ad; 1566 struct common_audit_data ad;
1590 struct selinux_audit_data sad = {0,};
1591 int rc; 1567 int rc;
1592 1568
1593 dsec = dir->i_security; 1569 dsec = dir->i_security;
@@ -1596,9 +1572,8 @@ static int may_create(struct inode *dir,
1596 sid = tsec->sid; 1572 sid = tsec->sid;
1597 newsid = tsec->create_sid; 1573 newsid = tsec->create_sid;
1598 1574
1599 COMMON_AUDIT_DATA_INIT(&ad, DENTRY); 1575 ad.type = LSM_AUDIT_DATA_DENTRY;
1600 ad.u.dentry = dentry; 1576 ad.u.dentry = dentry;
1601 ad.selinux_audit_data = &sad;
1602 1577
1603 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1578 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1604 DIR__ADD_NAME | DIR__SEARCH, 1579 DIR__ADD_NAME | DIR__SEARCH,
@@ -1643,7 +1618,6 @@ static int may_link(struct inode *dir,
1643{ 1618{
1644 struct inode_security_struct *dsec, *isec; 1619 struct inode_security_struct *dsec, *isec;
1645 struct common_audit_data ad; 1620 struct common_audit_data ad;
1646 struct selinux_audit_data sad = {0,};
1647 u32 sid = current_sid(); 1621 u32 sid = current_sid();
1648 u32 av; 1622 u32 av;
1649 int rc; 1623 int rc;
@@ -1651,9 +1625,8 @@ static int may_link(struct inode *dir,
1651 dsec = dir->i_security; 1625 dsec = dir->i_security;
1652 isec = dentry->d_inode->i_security; 1626 isec = dentry->d_inode->i_security;
1653 1627
1654 COMMON_AUDIT_DATA_INIT(&ad, DENTRY); 1628 ad.type = LSM_AUDIT_DATA_DENTRY;
1655 ad.u.dentry = dentry; 1629 ad.u.dentry = dentry;
1656 ad.selinux_audit_data = &sad;
1657 1630
1658 av = DIR__SEARCH; 1631 av = DIR__SEARCH;
1659 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME); 1632 av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
@@ -1688,7 +1661,6 @@ static inline int may_rename(struct inode *old_dir,
1688{ 1661{
1689 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1662 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1690 struct common_audit_data ad; 1663 struct common_audit_data ad;
1691 struct selinux_audit_data sad = {0,};
1692 u32 sid = current_sid(); 1664 u32 sid = current_sid();
1693 u32 av; 1665 u32 av;
1694 int old_is_dir, new_is_dir; 1666 int old_is_dir, new_is_dir;
@@ -1699,8 +1671,7 @@ static inline int may_rename(struct inode *old_dir,
1699 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); 1671 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1700 new_dsec = new_dir->i_security; 1672 new_dsec = new_dir->i_security;
1701 1673
1702 COMMON_AUDIT_DATA_INIT(&ad, DENTRY); 1674 ad.type = LSM_AUDIT_DATA_DENTRY;
1703 ad.selinux_audit_data = &sad;
1704 1675
1705 ad.u.dentry = old_dentry; 1676 ad.u.dentry = old_dentry;
1706 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 1677 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
@@ -1986,7 +1957,6 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
1986 struct task_security_struct *new_tsec; 1957 struct task_security_struct *new_tsec;
1987 struct inode_security_struct *isec; 1958 struct inode_security_struct *isec;
1988 struct common_audit_data ad; 1959 struct common_audit_data ad;
1989 struct selinux_audit_data sad = {0,};
1990 struct inode *inode = bprm->file->f_path.dentry->d_inode; 1960 struct inode *inode = bprm->file->f_path.dentry->d_inode;
1991 int rc; 1961 int rc;
1992 1962
@@ -2016,6 +1986,13 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2016 new_tsec->sid = old_tsec->exec_sid; 1986 new_tsec->sid = old_tsec->exec_sid;
2017 /* Reset exec SID on execve. */ 1987 /* Reset exec SID on execve. */
2018 new_tsec->exec_sid = 0; 1988 new_tsec->exec_sid = 0;
1989
1990 /*
1991 * Minimize confusion: if no_new_privs and a transition is
1992 * explicitly requested, then fail the exec.
1993 */
1994 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
1995 return -EPERM;
2019 } else { 1996 } else {
2020 /* Check for a default transition on this program. */ 1997 /* Check for a default transition on this program. */
2021 rc = security_transition_sid(old_tsec->sid, isec->sid, 1998 rc = security_transition_sid(old_tsec->sid, isec->sid,
@@ -2025,11 +2002,11 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2025 return rc; 2002 return rc;
2026 } 2003 }
2027 2004
2028 COMMON_AUDIT_DATA_INIT(&ad, PATH); 2005 ad.type = LSM_AUDIT_DATA_PATH;
2029 ad.selinux_audit_data = &sad;
2030 ad.u.path = bprm->file->f_path; 2006 ad.u.path = bprm->file->f_path;
2031 2007
2032 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) 2008 if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
2009 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
2033 new_tsec->sid = old_tsec->sid; 2010 new_tsec->sid = old_tsec->sid;
2034 2011
2035 if (new_tsec->sid == old_tsec->sid) { 2012 if (new_tsec->sid == old_tsec->sid) {
@@ -2115,8 +2092,6 @@ static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2115static inline void flush_unauthorized_files(const struct cred *cred, 2092static inline void flush_unauthorized_files(const struct cred *cred,
2116 struct files_struct *files) 2093 struct files_struct *files)
2117{ 2094{
2118 struct common_audit_data ad;
2119 struct selinux_audit_data sad = {0,};
2120 struct file *file, *devnull = NULL; 2095 struct file *file, *devnull = NULL;
2121 struct tty_struct *tty; 2096 struct tty_struct *tty;
2122 struct fdtable *fdt; 2097 struct fdtable *fdt;
@@ -2128,21 +2103,17 @@ static inline void flush_unauthorized_files(const struct cred *cred,
2128 spin_lock(&tty_files_lock); 2103 spin_lock(&tty_files_lock);
2129 if (!list_empty(&tty->tty_files)) { 2104 if (!list_empty(&tty->tty_files)) {
2130 struct tty_file_private *file_priv; 2105 struct tty_file_private *file_priv;
2131 struct inode *inode;
2132 2106
2133 /* Revalidate access to controlling tty. 2107 /* Revalidate access to controlling tty.
2134 Use inode_has_perm on the tty inode directly rather 2108 Use path_has_perm on the tty path directly rather
2135 than using file_has_perm, as this particular open 2109 than using file_has_perm, as this particular open
2136 file may belong to another process and we are only 2110 file may belong to another process and we are only
2137 interested in the inode-based check here. */ 2111 interested in the inode-based check here. */
2138 file_priv = list_first_entry(&tty->tty_files, 2112 file_priv = list_first_entry(&tty->tty_files,
2139 struct tty_file_private, list); 2113 struct tty_file_private, list);
2140 file = file_priv->file; 2114 file = file_priv->file;
2141 inode = file->f_path.dentry->d_inode; 2115 if (path_has_perm(cred, &file->f_path, FILE__READ | FILE__WRITE))
2142 if (inode_has_perm_noadp(cred, inode,
2143 FILE__READ | FILE__WRITE, 0)) {
2144 drop_tty = 1; 2116 drop_tty = 1;
2145 }
2146 } 2117 }
2147 spin_unlock(&tty_files_lock); 2118 spin_unlock(&tty_files_lock);
2148 tty_kref_put(tty); 2119 tty_kref_put(tty);
@@ -2152,10 +2123,6 @@ static inline void flush_unauthorized_files(const struct cred *cred,
2152 no_tty(); 2123 no_tty();
2153 2124
2154 /* Revalidate access to inherited open files. */ 2125 /* Revalidate access to inherited open files. */
2155
2156 COMMON_AUDIT_DATA_INIT(&ad, INODE);
2157 ad.selinux_audit_data = &sad;
2158
2159 spin_lock(&files->file_lock); 2126 spin_lock(&files->file_lock);
2160 for (;;) { 2127 for (;;) {
2161 unsigned long set, i; 2128 unsigned long set, i;
@@ -2492,7 +2459,6 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2492{ 2459{
2493 const struct cred *cred = current_cred(); 2460 const struct cred *cred = current_cred();
2494 struct common_audit_data ad; 2461 struct common_audit_data ad;
2495 struct selinux_audit_data sad = {0,};
2496 int rc; 2462 int rc;
2497 2463
2498 rc = superblock_doinit(sb, data); 2464 rc = superblock_doinit(sb, data);
@@ -2503,8 +2469,7 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2503 if (flags & MS_KERNMOUNT) 2469 if (flags & MS_KERNMOUNT)
2504 return 0; 2470 return 0;
2505 2471
2506 COMMON_AUDIT_DATA_INIT(&ad, DENTRY); 2472 ad.type = LSM_AUDIT_DATA_DENTRY;
2507 ad.selinux_audit_data = &sad;
2508 ad.u.dentry = sb->s_root; 2473 ad.u.dentry = sb->s_root;
2509 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2474 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2510} 2475}
@@ -2513,10 +2478,8 @@ static int selinux_sb_statfs(struct dentry *dentry)
2513{ 2478{
2514 const struct cred *cred = current_cred(); 2479 const struct cred *cred = current_cred();
2515 struct common_audit_data ad; 2480 struct common_audit_data ad;
2516 struct selinux_audit_data sad = {0,};
2517 2481
2518 COMMON_AUDIT_DATA_INIT(&ad, DENTRY); 2482 ad.type = LSM_AUDIT_DATA_DENTRY;
2519 ad.selinux_audit_data = &sad;
2520 ad.u.dentry = dentry->d_sb->s_root; 2483 ad.u.dentry = dentry->d_sb->s_root;
2521 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2484 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2522} 2485}
@@ -2676,14 +2639,35 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na
2676 return dentry_has_perm(cred, dentry, FILE__READ); 2639 return dentry_has_perm(cred, dentry, FILE__READ);
2677} 2640}
2678 2641
2642static noinline int audit_inode_permission(struct inode *inode,
2643 u32 perms, u32 audited, u32 denied,
2644 unsigned flags)
2645{
2646 struct common_audit_data ad;
2647 struct inode_security_struct *isec = inode->i_security;
2648 int rc;
2649
2650 ad.type = LSM_AUDIT_DATA_INODE;
2651 ad.u.inode = inode;
2652
2653 rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2654 audited, denied, &ad, flags);
2655 if (rc)
2656 return rc;
2657 return 0;
2658}
2659
2679static int selinux_inode_permission(struct inode *inode, int mask) 2660static int selinux_inode_permission(struct inode *inode, int mask)
2680{ 2661{
2681 const struct cred *cred = current_cred(); 2662 const struct cred *cred = current_cred();
2682 struct common_audit_data ad;
2683 struct selinux_audit_data sad = {0,};
2684 u32 perms; 2663 u32 perms;
2685 bool from_access; 2664 bool from_access;
2686 unsigned flags = mask & MAY_NOT_BLOCK; 2665 unsigned flags = mask & MAY_NOT_BLOCK;
2666 struct inode_security_struct *isec;
2667 u32 sid;
2668 struct av_decision avd;
2669 int rc, rc2;
2670 u32 audited, denied;
2687 2671
2688 from_access = mask & MAY_ACCESS; 2672 from_access = mask & MAY_ACCESS;
2689 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 2673 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
@@ -2692,22 +2676,34 @@ static int selinux_inode_permission(struct inode *inode, int mask)
2692 if (!mask) 2676 if (!mask)
2693 return 0; 2677 return 0;
2694 2678
2695 COMMON_AUDIT_DATA_INIT(&ad, INODE); 2679 validate_creds(cred);
2696 ad.selinux_audit_data = &sad;
2697 ad.u.inode = inode;
2698 2680
2699 if (from_access) 2681 if (unlikely(IS_PRIVATE(inode)))
2700 ad.selinux_audit_data->auditdeny |= FILE__AUDIT_ACCESS; 2682 return 0;
2701 2683
2702 perms = file_mask_to_av(inode->i_mode, mask); 2684 perms = file_mask_to_av(inode->i_mode, mask);
2703 2685
2704 return inode_has_perm(cred, inode, perms, &ad, flags); 2686 sid = cred_sid(cred);
2687 isec = inode->i_security;
2688
2689 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
2690 audited = avc_audit_required(perms, &avd, rc,
2691 from_access ? FILE__AUDIT_ACCESS : 0,
2692 &denied);
2693 if (likely(!audited))
2694 return rc;
2695
2696 rc2 = audit_inode_permission(inode, perms, audited, denied, flags);
2697 if (rc2)
2698 return rc2;
2699 return rc;
2705} 2700}
2706 2701
2707static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 2702static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2708{ 2703{
2709 const struct cred *cred = current_cred(); 2704 const struct cred *cred = current_cred();
2710 unsigned int ia_valid = iattr->ia_valid; 2705 unsigned int ia_valid = iattr->ia_valid;
2706 __u32 av = FILE__WRITE;
2711 2707
2712 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */ 2708 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2713 if (ia_valid & ATTR_FORCE) { 2709 if (ia_valid & ATTR_FORCE) {
@@ -2721,7 +2717,10 @@ static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2721 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) 2717 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2722 return dentry_has_perm(cred, dentry, FILE__SETATTR); 2718 return dentry_has_perm(cred, dentry, FILE__SETATTR);
2723 2719
2724 return dentry_has_perm(cred, dentry, FILE__WRITE); 2720 if (ia_valid & ATTR_SIZE)
2721 av |= FILE__OPEN;
2722
2723 return dentry_has_perm(cred, dentry, av);
2725} 2724}
2726 2725
2727static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) 2726static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
@@ -2763,7 +2762,6 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2763 struct inode_security_struct *isec = inode->i_security; 2762 struct inode_security_struct *isec = inode->i_security;
2764 struct superblock_security_struct *sbsec; 2763 struct superblock_security_struct *sbsec;
2765 struct common_audit_data ad; 2764 struct common_audit_data ad;
2766 struct selinux_audit_data sad = {0,};
2767 u32 newsid, sid = current_sid(); 2765 u32 newsid, sid = current_sid();
2768 int rc = 0; 2766 int rc = 0;
2769 2767
@@ -2777,8 +2775,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2777 if (!inode_owner_or_capable(inode)) 2775 if (!inode_owner_or_capable(inode))
2778 return -EPERM; 2776 return -EPERM;
2779 2777
2780 COMMON_AUDIT_DATA_INIT(&ad, DENTRY); 2778 ad.type = LSM_AUDIT_DATA_DENTRY;
2781 ad.selinux_audit_data = &sad;
2782 ad.u.dentry = dentry; 2779 ad.u.dentry = dentry;
2783 2780
2784 rc = avc_has_perm(sid, isec->sid, isec->sclass, 2781 rc = avc_has_perm(sid, isec->sid, isec->sclass,
@@ -2788,8 +2785,25 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2788 2785
2789 rc = security_context_to_sid(value, size, &newsid); 2786 rc = security_context_to_sid(value, size, &newsid);
2790 if (rc == -EINVAL) { 2787 if (rc == -EINVAL) {
2791 if (!capable(CAP_MAC_ADMIN)) 2788 if (!capable(CAP_MAC_ADMIN)) {
2789 struct audit_buffer *ab;
2790 size_t audit_size;
2791 const char *str;
2792
2793 /* We strip a nul only if it is at the end, otherwise the
2794 * context contains a nul and we should audit that */
2795 str = value;
2796 if (str[size - 1] == '\0')
2797 audit_size = size - 1;
2798 else
2799 audit_size = size;
2800 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
2801 audit_log_format(ab, "op=setxattr invalid_context=");
2802 audit_log_n_untrustedstring(ab, value, audit_size);
2803 audit_log_end(ab);
2804
2792 return rc; 2805 return rc;
2806 }
2793 rc = security_context_to_sid_force(value, size, &newsid); 2807 rc = security_context_to_sid_force(value, size, &newsid);
2794 } 2808 }
2795 if (rc) 2809 if (rc)
@@ -2969,7 +2983,7 @@ static int selinux_file_permission(struct file *file, int mask)
2969 2983
2970 if (sid == fsec->sid && fsec->isid == isec->sid && 2984 if (sid == fsec->sid && fsec->isid == isec->sid &&
2971 fsec->pseqno == avc_policy_seqno()) 2985 fsec->pseqno == avc_policy_seqno())
2972 /* No change since dentry_open check. */ 2986 /* No change since file_open check. */
2973 return 0; 2987 return 0;
2974 2988
2975 return selinux_revalidate_file_permission(file, mask); 2989 return selinux_revalidate_file_permission(file, mask);
@@ -3069,9 +3083,7 @@ error:
3069 return rc; 3083 return rc;
3070} 3084}
3071 3085
3072static int selinux_file_mmap(struct file *file, unsigned long reqprot, 3086static int selinux_mmap_addr(unsigned long addr)
3073 unsigned long prot, unsigned long flags,
3074 unsigned long addr, unsigned long addr_only)
3075{ 3087{
3076 int rc = 0; 3088 int rc = 0;
3077 u32 sid = current_sid(); 3089 u32 sid = current_sid();
@@ -3090,10 +3102,12 @@ static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3090 } 3102 }
3091 3103
3092 /* do DAC check on address space usage */ 3104 /* do DAC check on address space usage */
3093 rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only); 3105 return cap_mmap_addr(addr);
3094 if (rc || addr_only) 3106}
3095 return rc;
3096 3107
3108static int selinux_mmap_file(struct file *file, unsigned long reqprot,
3109 unsigned long prot, unsigned long flags)
3110{
3097 if (selinux_checkreqprot) 3111 if (selinux_checkreqprot)
3098 prot = reqprot; 3112 prot = reqprot;
3099 3113
@@ -3228,15 +3242,13 @@ static int selinux_file_receive(struct file *file)
3228 return file_has_perm(cred, file, file_to_av(file)); 3242 return file_has_perm(cred, file, file_to_av(file));
3229} 3243}
3230 3244
3231static int selinux_dentry_open(struct file *file, const struct cred *cred) 3245static int selinux_file_open(struct file *file, const struct cred *cred)
3232{ 3246{
3233 struct file_security_struct *fsec; 3247 struct file_security_struct *fsec;
3234 struct inode *inode;
3235 struct inode_security_struct *isec; 3248 struct inode_security_struct *isec;
3236 3249
3237 inode = file->f_path.dentry->d_inode;
3238 fsec = file->f_security; 3250 fsec = file->f_security;
3239 isec = inode->i_security; 3251 isec = file->f_path.dentry->d_inode->i_security;
3240 /* 3252 /*
3241 * Save inode label and policy sequence number 3253 * Save inode label and policy sequence number
3242 * at open-time so that selinux_file_permission 3254 * at open-time so that selinux_file_permission
@@ -3254,7 +3266,7 @@ static int selinux_dentry_open(struct file *file, const struct cred *cred)
3254 * new inode label or new policy. 3266 * new inode label or new policy.
3255 * This check is not redundant - do not remove. 3267 * This check is not redundant - do not remove.
3256 */ 3268 */
3257 return inode_has_perm_noadp(cred, inode, open_file_to_av(file), 0); 3269 return path_has_perm(cred, &file->f_path, open_file_to_av(file));
3258} 3270}
3259 3271
3260/* task security operations */ 3272/* task security operations */
@@ -3373,12 +3385,10 @@ static int selinux_kernel_module_request(char *kmod_name)
3373{ 3385{
3374 u32 sid; 3386 u32 sid;
3375 struct common_audit_data ad; 3387 struct common_audit_data ad;
3376 struct selinux_audit_data sad = {0,};
3377 3388
3378 sid = task_sid(current); 3389 sid = task_sid(current);
3379 3390
3380 COMMON_AUDIT_DATA_INIT(&ad, KMOD); 3391 ad.type = LSM_AUDIT_DATA_KMOD;
3381 ad.selinux_audit_data = &sad;
3382 ad.u.kmod_name = kmod_name; 3392 ad.u.kmod_name = kmod_name;
3383 3393
3384 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM, 3394 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
@@ -3751,15 +3761,13 @@ static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
3751{ 3761{
3752 struct sk_security_struct *sksec = sk->sk_security; 3762 struct sk_security_struct *sksec = sk->sk_security;
3753 struct common_audit_data ad; 3763 struct common_audit_data ad;
3754 struct selinux_audit_data sad = {0,};
3755 struct lsm_network_audit net = {0,}; 3764 struct lsm_network_audit net = {0,};
3756 u32 tsid = task_sid(task); 3765 u32 tsid = task_sid(task);
3757 3766
3758 if (sksec->sid == SECINITSID_KERNEL) 3767 if (sksec->sid == SECINITSID_KERNEL)
3759 return 0; 3768 return 0;
3760 3769
3761 COMMON_AUDIT_DATA_INIT(&ad, NET); 3770 ad.type = LSM_AUDIT_DATA_NET;
3762 ad.selinux_audit_data = &sad;
3763 ad.u.net = &net; 3771 ad.u.net = &net;
3764 ad.u.net->sk = sk; 3772 ad.u.net->sk = sk;
3765 3773
@@ -3839,7 +3847,6 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3839 char *addrp; 3847 char *addrp;
3840 struct sk_security_struct *sksec = sk->sk_security; 3848 struct sk_security_struct *sksec = sk->sk_security;
3841 struct common_audit_data ad; 3849 struct common_audit_data ad;
3842 struct selinux_audit_data sad = {0,};
3843 struct lsm_network_audit net = {0,}; 3850 struct lsm_network_audit net = {0,};
3844 struct sockaddr_in *addr4 = NULL; 3851 struct sockaddr_in *addr4 = NULL;
3845 struct sockaddr_in6 *addr6 = NULL; 3852 struct sockaddr_in6 *addr6 = NULL;
@@ -3866,8 +3873,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3866 snum, &sid); 3873 snum, &sid);
3867 if (err) 3874 if (err)
3868 goto out; 3875 goto out;
3869 COMMON_AUDIT_DATA_INIT(&ad, NET); 3876 ad.type = LSM_AUDIT_DATA_NET;
3870 ad.selinux_audit_data = &sad;
3871 ad.u.net = &net; 3877 ad.u.net = &net;
3872 ad.u.net->sport = htons(snum); 3878 ad.u.net->sport = htons(snum);
3873 ad.u.net->family = family; 3879 ad.u.net->family = family;
@@ -3901,8 +3907,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3901 if (err) 3907 if (err)
3902 goto out; 3908 goto out;
3903 3909
3904 COMMON_AUDIT_DATA_INIT(&ad, NET); 3910 ad.type = LSM_AUDIT_DATA_NET;
3905 ad.selinux_audit_data = &sad;
3906 ad.u.net = &net; 3911 ad.u.net = &net;
3907 ad.u.net->sport = htons(snum); 3912 ad.u.net->sport = htons(snum);
3908 ad.u.net->family = family; 3913 ad.u.net->family = family;
@@ -3937,7 +3942,6 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
3937 if (sksec->sclass == SECCLASS_TCP_SOCKET || 3942 if (sksec->sclass == SECCLASS_TCP_SOCKET ||
3938 sksec->sclass == SECCLASS_DCCP_SOCKET) { 3943 sksec->sclass == SECCLASS_DCCP_SOCKET) {
3939 struct common_audit_data ad; 3944 struct common_audit_data ad;
3940 struct selinux_audit_data sad = {0,};
3941 struct lsm_network_audit net = {0,}; 3945 struct lsm_network_audit net = {0,};
3942 struct sockaddr_in *addr4 = NULL; 3946 struct sockaddr_in *addr4 = NULL;
3943 struct sockaddr_in6 *addr6 = NULL; 3947 struct sockaddr_in6 *addr6 = NULL;
@@ -3963,8 +3967,7 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
3963 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ? 3967 perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
3964 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; 3968 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3965 3969
3966 COMMON_AUDIT_DATA_INIT(&ad, NET); 3970 ad.type = LSM_AUDIT_DATA_NET;
3967 ad.selinux_audit_data = &sad;
3968 ad.u.net = &net; 3971 ad.u.net = &net;
3969 ad.u.net->dport = htons(snum); 3972 ad.u.net->dport = htons(snum);
3970 ad.u.net->family = sk->sk_family; 3973 ad.u.net->family = sk->sk_family;
@@ -4056,12 +4059,10 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
4056 struct sk_security_struct *sksec_other = other->sk_security; 4059 struct sk_security_struct *sksec_other = other->sk_security;
4057 struct sk_security_struct *sksec_new = newsk->sk_security; 4060 struct sk_security_struct *sksec_new = newsk->sk_security;
4058 struct common_audit_data ad; 4061 struct common_audit_data ad;
4059 struct selinux_audit_data sad = {0,};
4060 struct lsm_network_audit net = {0,}; 4062 struct lsm_network_audit net = {0,};
4061 int err; 4063 int err;
4062 4064
4063 COMMON_AUDIT_DATA_INIT(&ad, NET); 4065 ad.type = LSM_AUDIT_DATA_NET;
4064 ad.selinux_audit_data = &sad;
4065 ad.u.net = &net; 4066 ad.u.net = &net;
4066 ad.u.net->sk = other; 4067 ad.u.net->sk = other;
4067 4068
@@ -4090,11 +4091,9 @@ static int selinux_socket_unix_may_send(struct socket *sock,
4090 struct sk_security_struct *ssec = sock->sk->sk_security; 4091 struct sk_security_struct *ssec = sock->sk->sk_security;
4091 struct sk_security_struct *osec = other->sk->sk_security; 4092 struct sk_security_struct *osec = other->sk->sk_security;
4092 struct common_audit_data ad; 4093 struct common_audit_data ad;
4093 struct selinux_audit_data sad = {0,};
4094 struct lsm_network_audit net = {0,}; 4094 struct lsm_network_audit net = {0,};
4095 4095
4096 COMMON_AUDIT_DATA_INIT(&ad, NET); 4096 ad.type = LSM_AUDIT_DATA_NET;
4097 ad.selinux_audit_data = &sad;
4098 ad.u.net = &net; 4097 ad.u.net = &net;
4099 ad.u.net->sk = other->sk; 4098 ad.u.net->sk = other->sk;
4100 4099
@@ -4132,12 +4131,10 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4132 struct sk_security_struct *sksec = sk->sk_security; 4131 struct sk_security_struct *sksec = sk->sk_security;
4133 u32 sk_sid = sksec->sid; 4132 u32 sk_sid = sksec->sid;
4134 struct common_audit_data ad; 4133 struct common_audit_data ad;
4135 struct selinux_audit_data sad = {0,};
4136 struct lsm_network_audit net = {0,}; 4134 struct lsm_network_audit net = {0,};
4137 char *addrp; 4135 char *addrp;
4138 4136
4139 COMMON_AUDIT_DATA_INIT(&ad, NET); 4137 ad.type = LSM_AUDIT_DATA_NET;
4140 ad.selinux_audit_data = &sad;
4141 ad.u.net = &net; 4138 ad.u.net = &net;
4142 ad.u.net->netif = skb->skb_iif; 4139 ad.u.net->netif = skb->skb_iif;
4143 ad.u.net->family = family; 4140 ad.u.net->family = family;
@@ -4167,7 +4164,6 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4167 u16 family = sk->sk_family; 4164 u16 family = sk->sk_family;
4168 u32 sk_sid = sksec->sid; 4165 u32 sk_sid = sksec->sid;
4169 struct common_audit_data ad; 4166 struct common_audit_data ad;
4170 struct selinux_audit_data sad = {0,};
4171 struct lsm_network_audit net = {0,}; 4167 struct lsm_network_audit net = {0,};
4172 char *addrp; 4168 char *addrp;
4173 u8 secmark_active; 4169 u8 secmark_active;
@@ -4192,8 +4188,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4192 if (!secmark_active && !peerlbl_active) 4188 if (!secmark_active && !peerlbl_active)
4193 return 0; 4189 return 0;
4194 4190
4195 COMMON_AUDIT_DATA_INIT(&ad, NET); 4191 ad.type = LSM_AUDIT_DATA_NET;
4196 ad.selinux_audit_data = &sad;
4197 ad.u.net = &net; 4192 ad.u.net = &net;
4198 ad.u.net->netif = skb->skb_iif; 4193 ad.u.net->netif = skb->skb_iif;
4199 ad.u.net->family = family; 4194 ad.u.net->family = family;
@@ -4531,7 +4526,6 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4531 char *addrp; 4526 char *addrp;
4532 u32 peer_sid; 4527 u32 peer_sid;
4533 struct common_audit_data ad; 4528 struct common_audit_data ad;
4534 struct selinux_audit_data sad = {0,};
4535 struct lsm_network_audit net = {0,}; 4529 struct lsm_network_audit net = {0,};
4536 u8 secmark_active; 4530 u8 secmark_active;
4537 u8 netlbl_active; 4531 u8 netlbl_active;
@@ -4549,8 +4543,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4549 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 4543 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4550 return NF_DROP; 4544 return NF_DROP;
4551 4545
4552 COMMON_AUDIT_DATA_INIT(&ad, NET); 4546 ad.type = LSM_AUDIT_DATA_NET;
4553 ad.selinux_audit_data = &sad;
4554 ad.u.net = &net; 4547 ad.u.net = &net;
4555 ad.u.net->netif = ifindex; 4548 ad.u.net->netif = ifindex;
4556 ad.u.net->family = family; 4549 ad.u.net->family = family;
@@ -4640,7 +4633,6 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4640 struct sock *sk = skb->sk; 4633 struct sock *sk = skb->sk;
4641 struct sk_security_struct *sksec; 4634 struct sk_security_struct *sksec;
4642 struct common_audit_data ad; 4635 struct common_audit_data ad;
4643 struct selinux_audit_data sad = {0,};
4644 struct lsm_network_audit net = {0,}; 4636 struct lsm_network_audit net = {0,};
4645 char *addrp; 4637 char *addrp;
4646 u8 proto; 4638 u8 proto;
@@ -4649,8 +4641,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4649 return NF_ACCEPT; 4641 return NF_ACCEPT;
4650 sksec = sk->sk_security; 4642 sksec = sk->sk_security;
4651 4643
4652 COMMON_AUDIT_DATA_INIT(&ad, NET); 4644 ad.type = LSM_AUDIT_DATA_NET;
4653 ad.selinux_audit_data = &sad;
4654 ad.u.net = &net; 4645 ad.u.net = &net;
4655 ad.u.net->netif = ifindex; 4646 ad.u.net->netif = ifindex;
4656 ad.u.net->family = family; 4647 ad.u.net->family = family;
@@ -4675,7 +4666,6 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4675 u32 peer_sid; 4666 u32 peer_sid;
4676 struct sock *sk; 4667 struct sock *sk;
4677 struct common_audit_data ad; 4668 struct common_audit_data ad;
4678 struct selinux_audit_data sad = {0,};
4679 struct lsm_network_audit net = {0,}; 4669 struct lsm_network_audit net = {0,};
4680 char *addrp; 4670 char *addrp;
4681 u8 secmark_active; 4671 u8 secmark_active;
@@ -4722,8 +4712,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4722 secmark_perm = PACKET__SEND; 4712 secmark_perm = PACKET__SEND;
4723 } 4713 }
4724 4714
4725 COMMON_AUDIT_DATA_INIT(&ad, NET); 4715 ad.type = LSM_AUDIT_DATA_NET;
4726 ad.selinux_audit_data = &sad;
4727 ad.u.net = &net; 4716 ad.u.net = &net;
4728 ad.u.net->netif = ifindex; 4717 ad.u.net->netif = ifindex;
4729 ad.u.net->family = family; 4718 ad.u.net->family = family;
@@ -4841,13 +4830,11 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4841{ 4830{
4842 struct ipc_security_struct *isec; 4831 struct ipc_security_struct *isec;
4843 struct common_audit_data ad; 4832 struct common_audit_data ad;
4844 struct selinux_audit_data sad = {0,};
4845 u32 sid = current_sid(); 4833 u32 sid = current_sid();
4846 4834
4847 isec = ipc_perms->security; 4835 isec = ipc_perms->security;
4848 4836
4849 COMMON_AUDIT_DATA_INIT(&ad, IPC); 4837 ad.type = LSM_AUDIT_DATA_IPC;
4850 ad.selinux_audit_data = &sad;
4851 ad.u.ipc_id = ipc_perms->key; 4838 ad.u.ipc_id = ipc_perms->key;
4852 4839
4853 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 4840 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
@@ -4868,7 +4855,6 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4868{ 4855{
4869 struct ipc_security_struct *isec; 4856 struct ipc_security_struct *isec;
4870 struct common_audit_data ad; 4857 struct common_audit_data ad;
4871 struct selinux_audit_data sad = {0,};
4872 u32 sid = current_sid(); 4858 u32 sid = current_sid();
4873 int rc; 4859 int rc;
4874 4860
@@ -4878,8 +4864,7 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4878 4864
4879 isec = msq->q_perm.security; 4865 isec = msq->q_perm.security;
4880 4866
4881 COMMON_AUDIT_DATA_INIT(&ad, IPC); 4867 ad.type = LSM_AUDIT_DATA_IPC;
4882 ad.selinux_audit_data = &sad;
4883 ad.u.ipc_id = msq->q_perm.key; 4868 ad.u.ipc_id = msq->q_perm.key;
4884 4869
4885 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 4870 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
@@ -4900,13 +4885,11 @@ static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4900{ 4885{
4901 struct ipc_security_struct *isec; 4886 struct ipc_security_struct *isec;
4902 struct common_audit_data ad; 4887 struct common_audit_data ad;
4903 struct selinux_audit_data sad = {0,};
4904 u32 sid = current_sid(); 4888 u32 sid = current_sid();
4905 4889
4906 isec = msq->q_perm.security; 4890 isec = msq->q_perm.security;
4907 4891
4908 COMMON_AUDIT_DATA_INIT(&ad, IPC); 4892 ad.type = LSM_AUDIT_DATA_IPC;
4909 ad.selinux_audit_data = &sad;
4910 ad.u.ipc_id = msq->q_perm.key; 4893 ad.u.ipc_id = msq->q_perm.key;
4911 4894
4912 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 4895 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
@@ -4946,7 +4929,6 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
4946 struct ipc_security_struct *isec; 4929 struct ipc_security_struct *isec;
4947 struct msg_security_struct *msec; 4930 struct msg_security_struct *msec;
4948 struct common_audit_data ad; 4931 struct common_audit_data ad;
4949 struct selinux_audit_data sad = {0,};
4950 u32 sid = current_sid(); 4932 u32 sid = current_sid();
4951 int rc; 4933 int rc;
4952 4934
@@ -4967,8 +4949,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
4967 return rc; 4949 return rc;
4968 } 4950 }
4969 4951
4970 COMMON_AUDIT_DATA_INIT(&ad, IPC); 4952 ad.type = LSM_AUDIT_DATA_IPC;
4971 ad.selinux_audit_data = &sad;
4972 ad.u.ipc_id = msq->q_perm.key; 4953 ad.u.ipc_id = msq->q_perm.key;
4973 4954
4974 /* Can this process write to the queue? */ 4955 /* Can this process write to the queue? */
@@ -4993,15 +4974,13 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4993 struct ipc_security_struct *isec; 4974 struct ipc_security_struct *isec;
4994 struct msg_security_struct *msec; 4975 struct msg_security_struct *msec;
4995 struct common_audit_data ad; 4976 struct common_audit_data ad;
4996 struct selinux_audit_data sad = {0,};
4997 u32 sid = task_sid(target); 4977 u32 sid = task_sid(target);
4998 int rc; 4978 int rc;
4999 4979
5000 isec = msq->q_perm.security; 4980 isec = msq->q_perm.security;
5001 msec = msg->security; 4981 msec = msg->security;
5002 4982
5003 COMMON_AUDIT_DATA_INIT(&ad, IPC); 4983 ad.type = LSM_AUDIT_DATA_IPC;
5004 ad.selinux_audit_data = &sad;
5005 ad.u.ipc_id = msq->q_perm.key; 4984 ad.u.ipc_id = msq->q_perm.key;
5006 4985
5007 rc = avc_has_perm(sid, isec->sid, 4986 rc = avc_has_perm(sid, isec->sid,
@@ -5017,7 +4996,6 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5017{ 4996{
5018 struct ipc_security_struct *isec; 4997 struct ipc_security_struct *isec;
5019 struct common_audit_data ad; 4998 struct common_audit_data ad;
5020 struct selinux_audit_data sad = {0,};
5021 u32 sid = current_sid(); 4999 u32 sid = current_sid();
5022 int rc; 5000 int rc;
5023 5001
@@ -5027,8 +5005,7 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5027 5005
5028 isec = shp->shm_perm.security; 5006 isec = shp->shm_perm.security;
5029 5007
5030 COMMON_AUDIT_DATA_INIT(&ad, IPC); 5008 ad.type = LSM_AUDIT_DATA_IPC;
5031 ad.selinux_audit_data = &sad;
5032 ad.u.ipc_id = shp->shm_perm.key; 5009 ad.u.ipc_id = shp->shm_perm.key;
5033 5010
5034 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, 5011 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
@@ -5049,13 +5026,11 @@ static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5049{ 5026{
5050 struct ipc_security_struct *isec; 5027 struct ipc_security_struct *isec;
5051 struct common_audit_data ad; 5028 struct common_audit_data ad;
5052 struct selinux_audit_data sad = {0,};
5053 u32 sid = current_sid(); 5029 u32 sid = current_sid();
5054 5030
5055 isec = shp->shm_perm.security; 5031 isec = shp->shm_perm.security;
5056 5032
5057 COMMON_AUDIT_DATA_INIT(&ad, IPC); 5033 ad.type = LSM_AUDIT_DATA_IPC;
5058 ad.selinux_audit_data = &sad;
5059 ad.u.ipc_id = shp->shm_perm.key; 5034 ad.u.ipc_id = shp->shm_perm.key;
5060 5035
5061 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 5036 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
@@ -5113,7 +5088,6 @@ static int selinux_sem_alloc_security(struct sem_array *sma)
5113{ 5088{
5114 struct ipc_security_struct *isec; 5089 struct ipc_security_struct *isec;
5115 struct common_audit_data ad; 5090 struct common_audit_data ad;
5116 struct selinux_audit_data sad = {0,};
5117 u32 sid = current_sid(); 5091 u32 sid = current_sid();
5118 int rc; 5092 int rc;
5119 5093
@@ -5123,8 +5097,7 @@ static int selinux_sem_alloc_security(struct sem_array *sma)
5123 5097
5124 isec = sma->sem_perm.security; 5098 isec = sma->sem_perm.security;
5125 5099
5126 COMMON_AUDIT_DATA_INIT(&ad, IPC); 5100 ad.type = LSM_AUDIT_DATA_IPC;
5127 ad.selinux_audit_data = &sad;
5128 ad.u.ipc_id = sma->sem_perm.key; 5101 ad.u.ipc_id = sma->sem_perm.key;
5129 5102
5130 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, 5103 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
@@ -5145,13 +5118,11 @@ static int selinux_sem_associate(struct sem_array *sma, int semflg)
5145{ 5118{
5146 struct ipc_security_struct *isec; 5119 struct ipc_security_struct *isec;
5147 struct common_audit_data ad; 5120 struct common_audit_data ad;
5148 struct selinux_audit_data sad = {0,};
5149 u32 sid = current_sid(); 5121 u32 sid = current_sid();
5150 5122
5151 isec = sma->sem_perm.security; 5123 isec = sma->sem_perm.security;
5152 5124
5153 COMMON_AUDIT_DATA_INIT(&ad, IPC); 5125 ad.type = LSM_AUDIT_DATA_IPC;
5154 ad.selinux_audit_data = &sad;
5155 ad.u.ipc_id = sma->sem_perm.key; 5126 ad.u.ipc_id = sma->sem_perm.key;
5156 5127
5157 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 5128 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
@@ -5331,8 +5302,23 @@ static int selinux_setprocattr(struct task_struct *p,
5331 } 5302 }
5332 error = security_context_to_sid(value, size, &sid); 5303 error = security_context_to_sid(value, size, &sid);
5333 if (error == -EINVAL && !strcmp(name, "fscreate")) { 5304 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5334 if (!capable(CAP_MAC_ADMIN)) 5305 if (!capable(CAP_MAC_ADMIN)) {
5306 struct audit_buffer *ab;
5307 size_t audit_size;
5308
5309 /* We strip a nul only if it is at the end, otherwise the
5310 * context contains a nul and we should audit that */
5311 if (str[size - 1] == '\0')
5312 audit_size = size - 1;
5313 else
5314 audit_size = size;
5315 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR);
5316 audit_log_format(ab, "op=fscreate invalid_context=");
5317 audit_log_n_untrustedstring(ab, value, audit_size);
5318 audit_log_end(ab);
5319
5335 return error; 5320 return error;
5321 }
5336 error = security_context_to_sid_force(value, size, 5322 error = security_context_to_sid_force(value, size,
5337 &sid); 5323 &sid);
5338 } 5324 }
@@ -5584,7 +5570,8 @@ static struct security_operations selinux_ops = {
5584 .file_alloc_security = selinux_file_alloc_security, 5570 .file_alloc_security = selinux_file_alloc_security,
5585 .file_free_security = selinux_file_free_security, 5571 .file_free_security = selinux_file_free_security,
5586 .file_ioctl = selinux_file_ioctl, 5572 .file_ioctl = selinux_file_ioctl,
5587 .file_mmap = selinux_file_mmap, 5573 .mmap_file = selinux_mmap_file,
5574 .mmap_addr = selinux_mmap_addr,
5588 .file_mprotect = selinux_file_mprotect, 5575 .file_mprotect = selinux_file_mprotect,
5589 .file_lock = selinux_file_lock, 5576 .file_lock = selinux_file_lock,
5590 .file_fcntl = selinux_file_fcntl, 5577 .file_fcntl = selinux_file_fcntl,
@@ -5592,7 +5579,7 @@ static struct security_operations selinux_ops = {
5592 .file_send_sigiotask = selinux_file_send_sigiotask, 5579 .file_send_sigiotask = selinux_file_send_sigiotask,
5593 .file_receive = selinux_file_receive, 5580 .file_receive = selinux_file_receive,
5594 5581
5595 .dentry_open = selinux_dentry_open, 5582 .file_open = selinux_file_open,
5596 5583
5597 .task_create = selinux_task_create, 5584 .task_create = selinux_task_create,
5598 .cred_alloc_blank = selinux_cred_alloc_blank, 5585 .cred_alloc_blank = selinux_cred_alloc_blank,
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index 1931370233d7..92d0ab561db8 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -49,7 +49,7 @@ struct avc_cache_stats {
49/* 49/*
50 * We only need this data after we have decided to send an audit message. 50 * We only need this data after we have decided to send an audit message.
51 */ 51 */
52struct selinux_late_audit_data { 52struct selinux_audit_data {
53 u32 ssid; 53 u32 ssid;
54 u32 tsid; 54 u32 tsid;
55 u16 tclass; 55 u16 tclass;
@@ -60,28 +60,86 @@ struct selinux_late_audit_data {
60}; 60};
61 61
62/* 62/*
63 * We collect this at the beginning or during an selinux security operation
64 */
65struct selinux_audit_data {
66 /*
67 * auditdeny is a bit tricky and unintuitive. See the
68 * comments in avc.c for it's meaning and usage.
69 */
70 u32 auditdeny;
71 struct selinux_late_audit_data *slad;
72};
73
74/*
75 * AVC operations 63 * AVC operations
76 */ 64 */
77 65
78void __init avc_init(void); 66void __init avc_init(void);
79 67
80int avc_audit(u32 ssid, u32 tsid, 68static inline u32 avc_audit_required(u32 requested,
81 u16 tclass, u32 requested, 69 struct av_decision *avd,
82 struct av_decision *avd, 70 int result,
83 int result, 71 u32 auditdeny,
84 struct common_audit_data *a, unsigned flags); 72 u32 *deniedp)
73{
74 u32 denied, audited;
75 denied = requested & ~avd->allowed;
76 if (unlikely(denied)) {
77 audited = denied & avd->auditdeny;
78 /*
79 * auditdeny is TRICKY! Setting a bit in
80 * this field means that ANY denials should NOT be audited if
81 * the policy contains an explicit dontaudit rule for that
82 * permission. Take notice that this is unrelated to the
83 * actual permissions that were denied. As an example lets
84 * assume:
85 *
86 * denied == READ
87 * avd.auditdeny & ACCESS == 0 (not set means explicit rule)
88 * auditdeny & ACCESS == 1
89 *
90 * We will NOT audit the denial even though the denied
91 * permission was READ and the auditdeny checks were for
92 * ACCESS
93 */
94 if (auditdeny && !(auditdeny & avd->auditdeny))
95 audited = 0;
96 } else if (result)
97 audited = denied = requested;
98 else
99 audited = requested & avd->auditallow;
100 *deniedp = denied;
101 return audited;
102}
103
104int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
105 u32 requested, u32 audited, u32 denied,
106 struct common_audit_data *a,
107 unsigned flags);
108
109/**
110 * avc_audit - Audit the granting or denial of permissions.
111 * @ssid: source security identifier
112 * @tsid: target security identifier
113 * @tclass: target security class
114 * @requested: requested permissions
115 * @avd: access vector decisions
116 * @result: result from avc_has_perm_noaudit
117 * @a: auxiliary audit data
118 * @flags: VFS walk flags
119 *
120 * Audit the granting or denial of permissions in accordance
121 * with the policy. This function is typically called by
122 * avc_has_perm() after a permission check, but can also be
123 * called directly by callers who use avc_has_perm_noaudit()
124 * in order to separate the permission check from the auditing.
125 * For example, this separation is useful when the permission check must
126 * be performed under a lock, to allow the lock to be released
127 * before calling the auditing code.
128 */
129static inline int avc_audit(u32 ssid, u32 tsid,
130 u16 tclass, u32 requested,
131 struct av_decision *avd,
132 int result,
133 struct common_audit_data *a, unsigned flags)
134{
135 u32 audited, denied;
136 audited = avc_audit_required(requested, avd, result, 0, &denied);
137 if (likely(!audited))
138 return 0;
139 return slow_avc_audit(ssid, tsid, tclass,
140 requested, audited, denied,
141 a, flags);
142}
85 143
86#define AVC_STRICT 1 /* Ignore permissive mode. */ 144#define AVC_STRICT 1 /* Ignore permissive mode. */
87int avc_has_perm_noaudit(u32 ssid, u32 tsid, 145int avc_has_perm_noaudit(u32 ssid, u32 tsid,
@@ -112,11 +170,7 @@ u32 avc_policy_seqno(void);
112#define AVC_CALLBACK_AUDITDENY_ENABLE 64 170#define AVC_CALLBACK_AUDITDENY_ENABLE 64
113#define AVC_CALLBACK_AUDITDENY_DISABLE 128 171#define AVC_CALLBACK_AUDITDENY_DISABLE 128
114 172
115int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid, 173int avc_add_callback(int (*callback)(u32 event), u32 events);
116 u16 tclass, u32 perms,
117 u32 *out_retained),
118 u32 events, u32 ssid, u32 tsid,
119 u16 tclass, u32 perms);
120 174
121/* Exported to selinuxfs */ 175/* Exported to selinuxfs */
122int avc_get_hash_stats(char *page); 176int avc_get_hash_stats(char *page);
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index d871e8ad2103..dde2005407aa 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -31,13 +31,15 @@
31#define POLICYDB_VERSION_BOUNDARY 24 31#define POLICYDB_VERSION_BOUNDARY 24
32#define POLICYDB_VERSION_FILENAME_TRANS 25 32#define POLICYDB_VERSION_FILENAME_TRANS 25
33#define POLICYDB_VERSION_ROLETRANS 26 33#define POLICYDB_VERSION_ROLETRANS 26
34#define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 27
35#define POLICYDB_VERSION_DEFAULT_TYPE 28
34 36
35/* Range of policy versions we understand*/ 37/* Range of policy versions we understand*/
36#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE 38#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
37#ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX 39#ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
38#define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE 40#define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
39#else 41#else
40#define POLICYDB_VERSION_MAX POLICYDB_VERSION_ROLETRANS 42#define POLICYDB_VERSION_MAX POLICYDB_VERSION_DEFAULT_TYPE
41#endif 43#endif
42 44
43/* Mask for just the mount related flags */ 45/* Mask for just the mount related flags */
diff --git a/security/selinux/netif.c b/security/selinux/netif.c
index 326f22cbe405..47a49d1a6f6a 100644
--- a/security/selinux/netif.c
+++ b/security/selinux/netif.c
@@ -252,8 +252,7 @@ static void sel_netif_flush(void)
252 spin_unlock_bh(&sel_netif_lock); 252 spin_unlock_bh(&sel_netif_lock);
253} 253}
254 254
255static int sel_netif_avc_callback(u32 event, u32 ssid, u32 tsid, 255static int sel_netif_avc_callback(u32 event)
256 u16 class, u32 perms, u32 *retained)
257{ 256{
258 if (event == AVC_CALLBACK_RESET) { 257 if (event == AVC_CALLBACK_RESET) {
259 sel_netif_flush(); 258 sel_netif_flush();
@@ -292,8 +291,7 @@ static __init int sel_netif_init(void)
292 291
293 register_netdevice_notifier(&sel_netif_netdev_notifier); 292 register_netdevice_notifier(&sel_netif_netdev_notifier);
294 293
295 err = avc_add_callback(sel_netif_avc_callback, AVC_CALLBACK_RESET, 294 err = avc_add_callback(sel_netif_avc_callback, AVC_CALLBACK_RESET);
296 SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
297 if (err) 295 if (err)
298 panic("avc_add_callback() failed, error %d\n", err); 296 panic("avc_add_callback() failed, error %d\n", err);
299 297
diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c
index 86365857c088..28f911cdd7c7 100644
--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@@ -297,8 +297,7 @@ static void sel_netnode_flush(void)
297 spin_unlock_bh(&sel_netnode_lock); 297 spin_unlock_bh(&sel_netnode_lock);
298} 298}
299 299
300static int sel_netnode_avc_callback(u32 event, u32 ssid, u32 tsid, 300static int sel_netnode_avc_callback(u32 event)
301 u16 class, u32 perms, u32 *retained)
302{ 301{
303 if (event == AVC_CALLBACK_RESET) { 302 if (event == AVC_CALLBACK_RESET) {
304 sel_netnode_flush(); 303 sel_netnode_flush();
@@ -320,8 +319,7 @@ static __init int sel_netnode_init(void)
320 sel_netnode_hash[iter].size = 0; 319 sel_netnode_hash[iter].size = 0;
321 } 320 }
322 321
323 ret = avc_add_callback(sel_netnode_avc_callback, AVC_CALLBACK_RESET, 322 ret = avc_add_callback(sel_netnode_avc_callback, AVC_CALLBACK_RESET);
324 SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
325 if (ret != 0) 323 if (ret != 0)
326 panic("avc_add_callback() failed, error %d\n", ret); 324 panic("avc_add_callback() failed, error %d\n", ret);
327 325
diff --git a/security/selinux/netport.c b/security/selinux/netport.c
index 7b9eb1faf68b..d35379781c2c 100644
--- a/security/selinux/netport.c
+++ b/security/selinux/netport.c
@@ -234,8 +234,7 @@ static void sel_netport_flush(void)
234 spin_unlock_bh(&sel_netport_lock); 234 spin_unlock_bh(&sel_netport_lock);
235} 235}
236 236
237static int sel_netport_avc_callback(u32 event, u32 ssid, u32 tsid, 237static int sel_netport_avc_callback(u32 event)
238 u16 class, u32 perms, u32 *retained)
239{ 238{
240 if (event == AVC_CALLBACK_RESET) { 239 if (event == AVC_CALLBACK_RESET) {
241 sel_netport_flush(); 240 sel_netport_flush();
@@ -257,8 +256,7 @@ static __init int sel_netport_init(void)
257 sel_netport_hash[iter].size = 0; 256 sel_netport_hash[iter].size = 0;
258 } 257 }
259 258
260 ret = avc_add_callback(sel_netport_avc_callback, AVC_CALLBACK_RESET, 259 ret = avc_add_callback(sel_netport_avc_callback, AVC_CALLBACK_RESET);
261 SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
262 if (ret != 0) 260 if (ret != 0)
263 panic("avc_add_callback() failed, error %d\n", ret); 261 panic("avc_add_callback() failed, error %d\n", ret);
264 262
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index 0920ea3bf599..d309e7f472d8 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -14,7 +14,6 @@
14#include <linux/netlink.h> 14#include <linux/netlink.h>
15#include <linux/rtnetlink.h> 15#include <linux/rtnetlink.h>
16#include <linux/if.h> 16#include <linux/if.h>
17#include <linux/netfilter_ipv4/ip_queue.h>
18#include <linux/inet_diag.h> 17#include <linux/inet_diag.h>
19#include <linux/xfrm.h> 18#include <linux/xfrm.h>
20#include <linux/audit.h> 19#include <linux/audit.h>
@@ -70,12 +69,6 @@ static struct nlmsg_perm nlmsg_route_perms[] =
70 { RTM_SETDCB, NETLINK_ROUTE_SOCKET__NLMSG_WRITE }, 69 { RTM_SETDCB, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
71}; 70};
72 71
73static struct nlmsg_perm nlmsg_firewall_perms[] =
74{
75 { IPQM_MODE, NETLINK_FIREWALL_SOCKET__NLMSG_WRITE },
76 { IPQM_VERDICT, NETLINK_FIREWALL_SOCKET__NLMSG_WRITE },
77};
78
79static struct nlmsg_perm nlmsg_tcpdiag_perms[] = 72static struct nlmsg_perm nlmsg_tcpdiag_perms[] =
80{ 73{
81 { TCPDIAG_GETSOCK, NETLINK_TCPDIAG_SOCKET__NLMSG_READ }, 74 { TCPDIAG_GETSOCK, NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
@@ -145,12 +138,6 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
145 sizeof(nlmsg_route_perms)); 138 sizeof(nlmsg_route_perms));
146 break; 139 break;
147 140
148 case SECCLASS_NETLINK_FIREWALL_SOCKET:
149 case SECCLASS_NETLINK_IP6FW_SOCKET:
150 err = nlmsg_perm(nlmsg_type, perm, nlmsg_firewall_perms,
151 sizeof(nlmsg_firewall_perms));
152 break;
153
154 case SECCLASS_NETLINK_TCPDIAG_SOCKET: 141 case SECCLASS_NETLINK_TCPDIAG_SOCKET:
155 err = nlmsg_perm(nlmsg_type, perm, nlmsg_tcpdiag_perms, 142 err = nlmsg_perm(nlmsg_type, perm, nlmsg_tcpdiag_perms,
156 sizeof(nlmsg_tcpdiag_perms)); 143 sizeof(nlmsg_tcpdiag_perms));
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index d7018bfa1f00..3ad290251288 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -496,6 +496,7 @@ static const struct file_operations sel_policy_ops = {
496 .read = sel_read_policy, 496 .read = sel_read_policy,
497 .mmap = sel_mmap_policy, 497 .mmap = sel_mmap_policy,
498 .release = sel_release_policy, 498 .release = sel_release_policy,
499 .llseek = generic_file_llseek,
499}; 500};
500 501
501static ssize_t sel_write_load(struct file *file, const char __user *buf, 502static ssize_t sel_write_load(struct file *file, const char __user *buf,
@@ -1232,6 +1233,7 @@ static int sel_make_bools(void)
1232 kfree(bool_pending_names[i]); 1233 kfree(bool_pending_names[i]);
1233 kfree(bool_pending_names); 1234 kfree(bool_pending_names);
1234 kfree(bool_pending_values); 1235 kfree(bool_pending_values);
1236 bool_num = 0;
1235 bool_pending_names = NULL; 1237 bool_pending_names = NULL;
1236 bool_pending_values = NULL; 1238 bool_pending_values = NULL;
1237 1239
@@ -1257,12 +1259,8 @@ static int sel_make_bools(void)
1257 if (!inode) 1259 if (!inode)
1258 goto out; 1260 goto out;
1259 1261
1260 ret = -EINVAL;
1261 len = snprintf(page, PAGE_SIZE, "/%s/%s", BOOL_DIR_NAME, names[i]);
1262 if (len < 0)
1263 goto out;
1264
1265 ret = -ENAMETOOLONG; 1262 ret = -ENAMETOOLONG;
1263 len = snprintf(page, PAGE_SIZE, "/%s/%s", BOOL_DIR_NAME, names[i]);
1266 if (len >= PAGE_SIZE) 1264 if (len >= PAGE_SIZE)
1267 goto out; 1265 goto out;
1268 1266
@@ -1532,11 +1530,6 @@ static int sel_make_initcon_files(struct dentry *dir)
1532 return 0; 1530 return 0;
1533} 1531}
1534 1532
1535static inline unsigned int sel_div(unsigned long a, unsigned long b)
1536{
1537 return a / b - (a % b < 0);
1538}
1539
1540static inline unsigned long sel_class_to_ino(u16 class) 1533static inline unsigned long sel_class_to_ino(u16 class)
1541{ 1534{
1542 return (class * (SEL_VEC_MAX + 1)) | SEL_CLASS_INO_OFFSET; 1535 return (class * (SEL_VEC_MAX + 1)) | SEL_CLASS_INO_OFFSET;
@@ -1544,7 +1537,7 @@ static inline unsigned long sel_class_to_ino(u16 class)
1544 1537
1545static inline u16 sel_ino_to_class(unsigned long ino) 1538static inline u16 sel_ino_to_class(unsigned long ino)
1546{ 1539{
1547 return sel_div(ino & SEL_INO_MASK, SEL_VEC_MAX + 1); 1540 return (ino & SEL_INO_MASK) / (SEL_VEC_MAX + 1);
1548} 1541}
1549 1542
1550static inline unsigned long sel_perm_to_ino(u16 class, u32 perm) 1543static inline unsigned long sel_perm_to_ino(u16 class, u32 perm)
@@ -1560,19 +1553,10 @@ static inline u32 sel_ino_to_perm(unsigned long ino)
1560static ssize_t sel_read_class(struct file *file, char __user *buf, 1553static ssize_t sel_read_class(struct file *file, char __user *buf,
1561 size_t count, loff_t *ppos) 1554 size_t count, loff_t *ppos)
1562{ 1555{
1563 ssize_t rc, len;
1564 char *page;
1565 unsigned long ino = file->f_path.dentry->d_inode->i_ino; 1556 unsigned long ino = file->f_path.dentry->d_inode->i_ino;
1566 1557 char res[TMPBUFLEN];
1567 page = (char *)__get_free_page(GFP_KERNEL); 1558 ssize_t len = snprintf(res, sizeof(res), "%d", sel_ino_to_class(ino));
1568 if (!page) 1559 return simple_read_from_buffer(buf, count, ppos, res, len);
1569 return -ENOMEM;
1570
1571 len = snprintf(page, PAGE_SIZE, "%d", sel_ino_to_class(ino));
1572 rc = simple_read_from_buffer(buf, count, ppos, page, len);
1573 free_page((unsigned long)page);
1574
1575 return rc;
1576} 1560}
1577 1561
1578static const struct file_operations sel_class_ops = { 1562static const struct file_operations sel_class_ops = {
@@ -1583,19 +1567,10 @@ static const struct file_operations sel_class_ops = {
1583static ssize_t sel_read_perm(struct file *file, char __user *buf, 1567static ssize_t sel_read_perm(struct file *file, char __user *buf,
1584 size_t count, loff_t *ppos) 1568 size_t count, loff_t *ppos)
1585{ 1569{
1586 ssize_t rc, len;
1587 char *page;
1588 unsigned long ino = file->f_path.dentry->d_inode->i_ino; 1570 unsigned long ino = file->f_path.dentry->d_inode->i_ino;
1589 1571 char res[TMPBUFLEN];
1590 page = (char *)__get_free_page(GFP_KERNEL); 1572 ssize_t len = snprintf(res, sizeof(res), "%d", sel_ino_to_perm(ino));
1591 if (!page) 1573 return simple_read_from_buffer(buf, count, ppos, res, len);
1592 return -ENOMEM;
1593
1594 len = snprintf(page, PAGE_SIZE, "%d", sel_ino_to_perm(ino));
1595 rc = simple_read_from_buffer(buf, count, ppos, page, len);
1596 free_page((unsigned long)page);
1597
1598 return rc;
1599} 1574}
1600 1575
1601static const struct file_operations sel_perm_ops = { 1576static const struct file_operations sel_perm_ops = {
@@ -1831,7 +1806,7 @@ static int sel_fill_super(struct super_block *sb, void *data, int silent)
1831 [SEL_REJECT_UNKNOWN] = {"reject_unknown", &sel_handle_unknown_ops, S_IRUGO}, 1806 [SEL_REJECT_UNKNOWN] = {"reject_unknown", &sel_handle_unknown_ops, S_IRUGO},
1832 [SEL_DENY_UNKNOWN] = {"deny_unknown", &sel_handle_unknown_ops, S_IRUGO}, 1807 [SEL_DENY_UNKNOWN] = {"deny_unknown", &sel_handle_unknown_ops, S_IRUGO},
1833 [SEL_STATUS] = {"status", &sel_handle_status_ops, S_IRUGO}, 1808 [SEL_STATUS] = {"status", &sel_handle_status_ops, S_IRUGO},
1834 [SEL_POLICY] = {"policy", &sel_policy_ops, S_IRUSR}, 1809 [SEL_POLICY] = {"policy", &sel_policy_ops, S_IRUGO},
1835 /* last one */ {""} 1810 /* last one */ {""}
1836 }; 1811 };
1837 ret = simple_fill_super(sb, SELINUX_MAGIC, selinux_files); 1812 ret = simple_fill_super(sb, SELINUX_MAGIC, selinux_files);
diff --git a/security/selinux/ss/context.h b/security/selinux/ss/context.h
index 45e8fb0515f8..212e3479a0d9 100644
--- a/security/selinux/ss/context.h
+++ b/security/selinux/ss/context.h
@@ -74,6 +74,26 @@ out:
74 return rc; 74 return rc;
75} 75}
76 76
77/*
78 * Sets both levels in the MLS range of 'dst' to the high level of 'src'.
79 */
80static inline int mls_context_cpy_high(struct context *dst, struct context *src)
81{
82 int rc;
83
84 dst->range.level[0].sens = src->range.level[1].sens;
85 rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[1].cat);
86 if (rc)
87 goto out;
88
89 dst->range.level[1].sens = src->range.level[1].sens;
90 rc = ebitmap_cpy(&dst->range.level[1].cat, &src->range.level[1].cat);
91 if (rc)
92 ebitmap_destroy(&dst->range.level[0].cat);
93out:
94 return rc;
95}
96
77static inline int mls_context_cmp(struct context *c1, struct context *c2) 97static inline int mls_context_cmp(struct context *c1, struct context *c2)
78{ 98{
79 return ((c1->range.level[0].sens == c2->range.level[0].sens) && 99 return ((c1->range.level[0].sens == c2->range.level[0].sens) &&
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index fbf9c5816c71..40de8d3f208e 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -517,6 +517,8 @@ int mls_compute_sid(struct context *scontext,
517{ 517{
518 struct range_trans rtr; 518 struct range_trans rtr;
519 struct mls_range *r; 519 struct mls_range *r;
520 struct class_datum *cladatum;
521 int default_range = 0;
520 522
521 if (!policydb.mls_enabled) 523 if (!policydb.mls_enabled)
522 return 0; 524 return 0;
@@ -530,6 +532,28 @@ int mls_compute_sid(struct context *scontext,
530 r = hashtab_search(policydb.range_tr, &rtr); 532 r = hashtab_search(policydb.range_tr, &rtr);
531 if (r) 533 if (r)
532 return mls_range_set(newcontext, r); 534 return mls_range_set(newcontext, r);
535
536 if (tclass && tclass <= policydb.p_classes.nprim) {
537 cladatum = policydb.class_val_to_struct[tclass - 1];
538 if (cladatum)
539 default_range = cladatum->default_range;
540 }
541
542 switch (default_range) {
543 case DEFAULT_SOURCE_LOW:
544 return mls_context_cpy_low(newcontext, scontext);
545 case DEFAULT_SOURCE_HIGH:
546 return mls_context_cpy_high(newcontext, scontext);
547 case DEFAULT_SOURCE_LOW_HIGH:
548 return mls_context_cpy(newcontext, scontext);
549 case DEFAULT_TARGET_LOW:
550 return mls_context_cpy_low(newcontext, tcontext);
551 case DEFAULT_TARGET_HIGH:
552 return mls_context_cpy_high(newcontext, tcontext);
553 case DEFAULT_TARGET_LOW_HIGH:
554 return mls_context_cpy(newcontext, tcontext);
555 }
556
533 /* Fallthrough */ 557 /* Fallthrough */
534 case AVTAB_CHANGE: 558 case AVTAB_CHANGE:
535 if ((tclass == policydb.process_class) || (sock == true)) 559 if ((tclass == policydb.process_class) || (sock == true))
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index a7f61d52f05c..9cd9b7c661ec 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -133,6 +133,16 @@ static struct policydb_compat_info policydb_compat[] = {
133 .sym_num = SYM_NUM, 133 .sym_num = SYM_NUM,
134 .ocon_num = OCON_NUM, 134 .ocon_num = OCON_NUM,
135 }, 135 },
136 {
137 .version = POLICYDB_VERSION_NEW_OBJECT_DEFAULTS,
138 .sym_num = SYM_NUM,
139 .ocon_num = OCON_NUM,
140 },
141 {
142 .version = POLICYDB_VERSION_DEFAULT_TYPE,
143 .sym_num = SYM_NUM,
144 .ocon_num = OCON_NUM,
145 },
136}; 146};
137 147
138static struct policydb_compat_info *policydb_lookup_compat(int version) 148static struct policydb_compat_info *policydb_lookup_compat(int version)
@@ -1306,6 +1316,23 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
1306 goto bad; 1316 goto bad;
1307 } 1317 }
1308 1318
1319 if (p->policyvers >= POLICYDB_VERSION_NEW_OBJECT_DEFAULTS) {
1320 rc = next_entry(buf, fp, sizeof(u32) * 3);
1321 if (rc)
1322 goto bad;
1323
1324 cladatum->default_user = le32_to_cpu(buf[0]);
1325 cladatum->default_role = le32_to_cpu(buf[1]);
1326 cladatum->default_range = le32_to_cpu(buf[2]);
1327 }
1328
1329 if (p->policyvers >= POLICYDB_VERSION_DEFAULT_TYPE) {
1330 rc = next_entry(buf, fp, sizeof(u32) * 1);
1331 if (rc)
1332 goto bad;
1333 cladatum->default_type = le32_to_cpu(buf[0]);
1334 }
1335
1309 rc = hashtab_insert(h, key, cladatum); 1336 rc = hashtab_insert(h, key, cladatum);
1310 if (rc) 1337 if (rc)
1311 goto bad; 1338 goto bad;
@@ -2832,6 +2859,23 @@ static int class_write(void *vkey, void *datum, void *ptr)
2832 if (rc) 2859 if (rc)
2833 return rc; 2860 return rc;
2834 2861
2862 if (p->policyvers >= POLICYDB_VERSION_NEW_OBJECT_DEFAULTS) {
2863 buf[0] = cpu_to_le32(cladatum->default_user);
2864 buf[1] = cpu_to_le32(cladatum->default_role);
2865 buf[2] = cpu_to_le32(cladatum->default_range);
2866
2867 rc = put_entry(buf, sizeof(uint32_t), 3, fp);
2868 if (rc)
2869 return rc;
2870 }
2871
2872 if (p->policyvers >= POLICYDB_VERSION_DEFAULT_TYPE) {
2873 buf[0] = cpu_to_le32(cladatum->default_type);
2874 rc = put_entry(buf, sizeof(uint32_t), 1, fp);
2875 if (rc)
2876 return rc;
2877 }
2878
2835 return 0; 2879 return 0;
2836} 2880}
2837 2881
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
index b846c0387180..da637471d4ce 100644
--- a/security/selinux/ss/policydb.h
+++ b/security/selinux/ss/policydb.h
@@ -60,6 +60,20 @@ struct class_datum {
60 struct symtab permissions; /* class-specific permission symbol table */ 60 struct symtab permissions; /* class-specific permission symbol table */
61 struct constraint_node *constraints; /* constraints on class permissions */ 61 struct constraint_node *constraints; /* constraints on class permissions */
62 struct constraint_node *validatetrans; /* special transition rules */ 62 struct constraint_node *validatetrans; /* special transition rules */
63/* Options how a new object user, role, and type should be decided */
64#define DEFAULT_SOURCE 1
65#define DEFAULT_TARGET 2
66 char default_user;
67 char default_role;
68 char default_type;
69/* Options how a new object range should be decided */
70#define DEFAULT_SOURCE_LOW 1
71#define DEFAULT_SOURCE_HIGH 2
72#define DEFAULT_SOURCE_LOW_HIGH 3
73#define DEFAULT_TARGET_LOW 4
74#define DEFAULT_TARGET_HIGH 5
75#define DEFAULT_TARGET_LOW_HIGH 6
76 char default_range;
63}; 77};
64 78
65/* Role attributes */ 79/* Role attributes */
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 185f849a26f6..4321b8fc8863 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1018,9 +1018,11 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
1018 1018
1019 if (context->len) { 1019 if (context->len) {
1020 *scontext_len = context->len; 1020 *scontext_len = context->len;
1021 *scontext = kstrdup(context->str, GFP_ATOMIC); 1021 if (scontext) {
1022 if (!(*scontext)) 1022 *scontext = kstrdup(context->str, GFP_ATOMIC);
1023 return -ENOMEM; 1023 if (!(*scontext))
1024 return -ENOMEM;
1025 }
1024 return 0; 1026 return 0;
1025 } 1027 }
1026 1028
@@ -1389,6 +1391,7 @@ static int security_compute_sid(u32 ssid,
1389 u32 *out_sid, 1391 u32 *out_sid,
1390 bool kern) 1392 bool kern)
1391{ 1393{
1394 struct class_datum *cladatum = NULL;
1392 struct context *scontext = NULL, *tcontext = NULL, newcontext; 1395 struct context *scontext = NULL, *tcontext = NULL, newcontext;
1393 struct role_trans *roletr = NULL; 1396 struct role_trans *roletr = NULL;
1394 struct avtab_key avkey; 1397 struct avtab_key avkey;
@@ -1437,12 +1440,20 @@ static int security_compute_sid(u32 ssid,
1437 goto out_unlock; 1440 goto out_unlock;
1438 } 1441 }
1439 1442
1443 if (tclass && tclass <= policydb.p_classes.nprim)
1444 cladatum = policydb.class_val_to_struct[tclass - 1];
1445
1440 /* Set the user identity. */ 1446 /* Set the user identity. */
1441 switch (specified) { 1447 switch (specified) {
1442 case AVTAB_TRANSITION: 1448 case AVTAB_TRANSITION:
1443 case AVTAB_CHANGE: 1449 case AVTAB_CHANGE:
1444 /* Use the process user identity. */ 1450 if (cladatum && cladatum->default_user == DEFAULT_TARGET) {
1445 newcontext.user = scontext->user; 1451 newcontext.user = tcontext->user;
1452 } else {
1453 /* notice this gets both DEFAULT_SOURCE and unset */
1454 /* Use the process user identity. */
1455 newcontext.user = scontext->user;
1456 }
1446 break; 1457 break;
1447 case AVTAB_MEMBER: 1458 case AVTAB_MEMBER:
1448 /* Use the related object owner. */ 1459 /* Use the related object owner. */
@@ -1450,16 +1461,31 @@ static int security_compute_sid(u32 ssid,
1450 break; 1461 break;
1451 } 1462 }
1452 1463
1453 /* Set the role and type to default values. */ 1464 /* Set the role to default values. */
1454 if ((tclass == policydb.process_class) || (sock == true)) { 1465 if (cladatum && cladatum->default_role == DEFAULT_SOURCE) {
1455 /* Use the current role and type of process. */
1456 newcontext.role = scontext->role; 1466 newcontext.role = scontext->role;
1457 newcontext.type = scontext->type; 1467 } else if (cladatum && cladatum->default_role == DEFAULT_TARGET) {
1468 newcontext.role = tcontext->role;
1458 } else { 1469 } else {
1459 /* Use the well-defined object role. */ 1470 if ((tclass == policydb.process_class) || (sock == true))
1460 newcontext.role = OBJECT_R_VAL; 1471 newcontext.role = scontext->role;
1461 /* Use the type of the related object. */ 1472 else
1473 newcontext.role = OBJECT_R_VAL;
1474 }
1475
1476 /* Set the type to default values. */
1477 if (cladatum && cladatum->default_type == DEFAULT_SOURCE) {
1478 newcontext.type = scontext->type;
1479 } else if (cladatum && cladatum->default_type == DEFAULT_TARGET) {
1462 newcontext.type = tcontext->type; 1480 newcontext.type = tcontext->type;
1481 } else {
1482 if ((tclass == policydb.process_class) || (sock == true)) {
1483 /* Use the type of process. */
1484 newcontext.type = scontext->type;
1485 } else {
1486 /* Use the type of the related object. */
1487 newcontext.type = tcontext->type;
1488 }
1463 } 1489 }
1464 1490
1465 /* Look for a type transition/member/change rule. */ 1491 /* Look for a type transition/member/change rule. */
@@ -3018,8 +3044,7 @@ out:
3018 3044
3019static int (*aurule_callback)(void) = audit_update_lsm_rules; 3045static int (*aurule_callback)(void) = audit_update_lsm_rules;
3020 3046
3021static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid, 3047static int aurule_avc_callback(u32 event)
3022 u16 class, u32 perms, u32 *retained)
3023{ 3048{
3024 int err = 0; 3049 int err = 0;
3025 3050
@@ -3032,8 +3057,7 @@ static int __init aurule_init(void)
3032{ 3057{
3033 int err; 3058 int err;
3034 3059
3035 err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET, 3060 err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET);
3036 SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
3037 if (err) 3061 if (err)
3038 panic("avc_add_callback() failed, error %d\n", err); 3062 panic("avc_add_callback() failed, error %d\n", err);
3039 3063
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 4ede719922ed..cc361b8f3d13 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -23,13 +23,19 @@
23#include <linux/lsm_audit.h> 23#include <linux/lsm_audit.h>
24 24
25/* 25/*
26 * Smack labels were limited to 23 characters for a long time.
27 */
28#define SMK_LABELLEN 24
29#define SMK_LONGLABEL 256
30
31/*
32 * Maximum number of bytes for the levels in a CIPSO IP option.
26 * Why 23? CIPSO is constrained to 30, so a 32 byte buffer is 33 * Why 23? CIPSO is constrained to 30, so a 32 byte buffer is
27 * bigger than can be used, and 24 is the next lower multiple 34 * bigger than can be used, and 24 is the next lower multiple
28 * of 8, and there are too many issues if there isn't space set 35 * of 8, and there are too many issues if there isn't space set
29 * aside for the terminating null byte. 36 * aside for the terminating null byte.
30 */ 37 */
31#define SMK_MAXLEN 23 38#define SMK_CIPSOLEN 24
32#define SMK_LABELLEN (SMK_MAXLEN+1)
33 39
34struct superblock_smack { 40struct superblock_smack {
35 char *smk_root; 41 char *smk_root;
@@ -66,6 +72,7 @@ struct task_smack {
66 72
67#define SMK_INODE_INSTANT 0x01 /* inode is instantiated */ 73#define SMK_INODE_INSTANT 0x01 /* inode is instantiated */
68#define SMK_INODE_TRANSMUTE 0x02 /* directory is transmuting */ 74#define SMK_INODE_TRANSMUTE 0x02 /* directory is transmuting */
75#define SMK_INODE_CHANGED 0x04 /* smack was transmuted */
69 76
70/* 77/*
71 * A label access rule. 78 * A label access rule.
@@ -78,15 +85,6 @@ struct smack_rule {
78}; 85};
79 86
80/* 87/*
81 * An entry in the table mapping smack values to
82 * CIPSO level/category-set values.
83 */
84struct smack_cipso {
85 int smk_level;
86 char smk_catset[SMK_LABELLEN];
87};
88
89/*
90 * An entry in the table identifying hosts. 88 * An entry in the table identifying hosts.
91 */ 89 */
92struct smk_netlbladdr { 90struct smk_netlbladdr {
@@ -113,22 +111,19 @@ struct smk_netlbladdr {
113 * interfaces don't. The secid should go away when all of 111 * interfaces don't. The secid should go away when all of
114 * these components have been repaired. 112 * these components have been repaired.
115 * 113 *
116 * If there is a cipso value associated with the label it 114 * The cipso value associated with the label gets stored here, too.
117 * gets stored here, too. This will most likely be rare as
118 * the cipso direct mapping in used internally.
119 * 115 *
120 * Keep the access rules for this subject label here so that 116 * Keep the access rules for this subject label here so that
121 * the entire set of rules does not need to be examined every 117 * the entire set of rules does not need to be examined every
122 * time. 118 * time.
123 */ 119 */
124struct smack_known { 120struct smack_known {
125 struct list_head list; 121 struct list_head list;
126 char smk_known[SMK_LABELLEN]; 122 char *smk_known;
127 u32 smk_secid; 123 u32 smk_secid;
128 struct smack_cipso *smk_cipso; 124 struct netlbl_lsm_secattr smk_netlabel; /* on wire labels */
129 spinlock_t smk_cipsolock; /* for changing cipso map */ 125 struct list_head smk_rules; /* access rules */
130 struct list_head smk_rules; /* access rules */ 126 struct mutex smk_rules_lock; /* lock for rules */
131 struct mutex smk_rules_lock; /* lock for the rules */
132}; 127};
133 128
134/* 129/*
@@ -165,6 +160,7 @@ struct smack_known {
165#define SMACK_CIPSO_DOI_DEFAULT 3 /* Historical */ 160#define SMACK_CIPSO_DOI_DEFAULT 3 /* Historical */
166#define SMACK_CIPSO_DOI_INVALID -1 /* Not a DOI */ 161#define SMACK_CIPSO_DOI_INVALID -1 /* Not a DOI */
167#define SMACK_CIPSO_DIRECT_DEFAULT 250 /* Arbitrary */ 162#define SMACK_CIPSO_DIRECT_DEFAULT 250 /* Arbitrary */
163#define SMACK_CIPSO_MAPPED_DEFAULT 251 /* Also arbitrary */
168#define SMACK_CIPSO_MAXCATVAL 63 /* Bigger gets harder */ 164#define SMACK_CIPSO_MAXCATVAL 63 /* Bigger gets harder */
169#define SMACK_CIPSO_MAXLEVEL 255 /* CIPSO 2.2 standard */ 165#define SMACK_CIPSO_MAXLEVEL 255 /* CIPSO 2.2 standard */
170#define SMACK_CIPSO_MAXCATNUM 239 /* CIPSO 2.2 standard */ 166#define SMACK_CIPSO_MAXCATNUM 239 /* CIPSO 2.2 standard */
@@ -215,10 +211,9 @@ struct inode_smack *new_inode_smack(char *);
215int smk_access_entry(char *, char *, struct list_head *); 211int smk_access_entry(char *, char *, struct list_head *);
216int smk_access(char *, char *, int, struct smk_audit_info *); 212int smk_access(char *, char *, int, struct smk_audit_info *);
217int smk_curacc(char *, u32, struct smk_audit_info *); 213int smk_curacc(char *, u32, struct smk_audit_info *);
218int smack_to_cipso(const char *, struct smack_cipso *);
219char *smack_from_cipso(u32, char *);
220char *smack_from_secid(const u32); 214char *smack_from_secid(const u32);
221void smk_parse_smack(const char *string, int len, char *smack); 215char *smk_parse_smack(const char *string, int len);
216int smk_netlbl_mls(int, char *, struct netlbl_lsm_secattr *, int);
222char *smk_import(const char *, int); 217char *smk_import(const char *, int);
223struct smack_known *smk_import_entry(const char *, int); 218struct smack_known *smk_import_entry(const char *, int);
224struct smack_known *smk_find_entry(const char *); 219struct smack_known *smk_find_entry(const char *);
@@ -228,6 +223,7 @@ u32 smack_to_secid(const char *);
228 * Shared data. 223 * Shared data.
229 */ 224 */
230extern int smack_cipso_direct; 225extern int smack_cipso_direct;
226extern int smack_cipso_mapped;
231extern char *smack_net_ambient; 227extern char *smack_net_ambient;
232extern char *smack_onlycap; 228extern char *smack_onlycap;
233extern const char *smack_cipso_option; 229extern const char *smack_cipso_option;
@@ -239,24 +235,13 @@ extern struct smack_known smack_known_invalid;
239extern struct smack_known smack_known_star; 235extern struct smack_known smack_known_star;
240extern struct smack_known smack_known_web; 236extern struct smack_known smack_known_web;
241 237
238extern struct mutex smack_known_lock;
242extern struct list_head smack_known_list; 239extern struct list_head smack_known_list;
243extern struct list_head smk_netlbladdr_list; 240extern struct list_head smk_netlbladdr_list;
244 241
245extern struct security_operations smack_ops; 242extern struct security_operations smack_ops;
246 243
247/* 244/*
248 * Stricly for CIPSO level manipulation.
249 * Set the category bit number in a smack label sized buffer.
250 */
251static inline void smack_catset_bit(int cat, char *catsetp)
252{
253 if (cat > SMK_LABELLEN * 8)
254 return;
255
256 catsetp[(cat - 1) / 8] |= 0x80 >> ((cat - 1) % 8);
257}
258
259/*
260 * Is the directory transmuting? 245 * Is the directory transmuting?
261 */ 246 */
262static inline int smk_inode_transmutable(const struct inode *isp) 247static inline int smk_inode_transmutable(const struct inode *isp)
@@ -319,7 +304,7 @@ void smack_log(char *subject_label, char *object_label,
319static inline void smk_ad_init(struct smk_audit_info *a, const char *func, 304static inline void smk_ad_init(struct smk_audit_info *a, const char *func,
320 char type) 305 char type)
321{ 306{
322 memset(a, 0, sizeof(*a)); 307 memset(&a->sad, 0, sizeof(a->sad));
323 a->a.type = type; 308 a->a.type = type;
324 a->a.smack_audit_data = &a->sad; 309 a->a.smack_audit_data = &a->sad;
325 a->a.smack_audit_data->function = func; 310 a->a.smack_audit_data->function = func;
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index c8115f7308f8..9f3705e92712 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -19,37 +19,31 @@
19struct smack_known smack_known_huh = { 19struct smack_known smack_known_huh = {
20 .smk_known = "?", 20 .smk_known = "?",
21 .smk_secid = 2, 21 .smk_secid = 2,
22 .smk_cipso = NULL,
23}; 22};
24 23
25struct smack_known smack_known_hat = { 24struct smack_known smack_known_hat = {
26 .smk_known = "^", 25 .smk_known = "^",
27 .smk_secid = 3, 26 .smk_secid = 3,
28 .smk_cipso = NULL,
29}; 27};
30 28
31struct smack_known smack_known_star = { 29struct smack_known smack_known_star = {
32 .smk_known = "*", 30 .smk_known = "*",
33 .smk_secid = 4, 31 .smk_secid = 4,
34 .smk_cipso = NULL,
35}; 32};
36 33
37struct smack_known smack_known_floor = { 34struct smack_known smack_known_floor = {
38 .smk_known = "_", 35 .smk_known = "_",
39 .smk_secid = 5, 36 .smk_secid = 5,
40 .smk_cipso = NULL,
41}; 37};
42 38
43struct smack_known smack_known_invalid = { 39struct smack_known smack_known_invalid = {
44 .smk_known = "", 40 .smk_known = "",
45 .smk_secid = 6, 41 .smk_secid = 6,
46 .smk_cipso = NULL,
47}; 42};
48 43
49struct smack_known smack_known_web = { 44struct smack_known smack_known_web = {
50 .smk_known = "@", 45 .smk_known = "@",
51 .smk_secid = 7, 46 .smk_secid = 7,
52 .smk_cipso = NULL,
53}; 47};
54 48
55LIST_HEAD(smack_known_list); 49LIST_HEAD(smack_known_list);
@@ -331,7 +325,7 @@ void smack_log(char *subject_label, char *object_label, int request,
331} 325}
332#endif 326#endif
333 327
334static DEFINE_MUTEX(smack_known_lock); 328DEFINE_MUTEX(smack_known_lock);
335 329
336/** 330/**
337 * smk_find_entry - find a label on the list, return the list entry 331 * smk_find_entry - find a label on the list, return the list entry
@@ -345,7 +339,7 @@ struct smack_known *smk_find_entry(const char *string)
345 struct smack_known *skp; 339 struct smack_known *skp;
346 340
347 list_for_each_entry_rcu(skp, &smack_known_list, list) { 341 list_for_each_entry_rcu(skp, &smack_known_list, list) {
348 if (strncmp(skp->smk_known, string, SMK_MAXLEN) == 0) 342 if (strcmp(skp->smk_known, string) == 0)
349 return skp; 343 return skp;
350 } 344 }
351 345
@@ -356,27 +350,76 @@ struct smack_known *smk_find_entry(const char *string)
356 * smk_parse_smack - parse smack label from a text string 350 * smk_parse_smack - parse smack label from a text string
357 * @string: a text string that might contain a Smack label 351 * @string: a text string that might contain a Smack label
358 * @len: the maximum size, or zero if it is NULL terminated. 352 * @len: the maximum size, or zero if it is NULL terminated.
359 * @smack: parsed smack label, or NULL if parse error 353 *
354 * Returns a pointer to the clean label, or NULL
360 */ 355 */
361void smk_parse_smack(const char *string, int len, char *smack) 356char *smk_parse_smack(const char *string, int len)
362{ 357{
363 int found; 358 char *smack;
364 int i; 359 int i;
365 360
366 if (len <= 0 || len > SMK_MAXLEN) 361 if (len <= 0)
367 len = SMK_MAXLEN; 362 len = strlen(string) + 1;
368 363
369 for (i = 0, found = 0; i < SMK_LABELLEN; i++) { 364 /*
370 if (found) 365 * Reserve a leading '-' as an indicator that
371 smack[i] = '\0'; 366 * this isn't a label, but an option to interfaces
372 else if (i >= len || string[i] > '~' || string[i] <= ' ' || 367 * including /smack/cipso and /smack/cipso2
373 string[i] == '/' || string[i] == '"' || 368 */
374 string[i] == '\\' || string[i] == '\'') { 369 if (string[0] == '-')
375 smack[i] = '\0'; 370 return NULL;
376 found = 1; 371
377 } else 372 for (i = 0; i < len; i++)
378 smack[i] = string[i]; 373 if (string[i] > '~' || string[i] <= ' ' || string[i] == '/' ||
374 string[i] == '"' || string[i] == '\\' || string[i] == '\'')
375 break;
376
377 if (i == 0 || i >= SMK_LONGLABEL)
378 return NULL;
379
380 smack = kzalloc(i + 1, GFP_KERNEL);
381 if (smack != NULL) {
382 strncpy(smack, string, i + 1);
383 smack[i] = '\0';
379 } 384 }
385 return smack;
386}
387
388/**
389 * smk_netlbl_mls - convert a catset to netlabel mls categories
390 * @catset: the Smack categories
391 * @sap: where to put the netlabel categories
392 *
393 * Allocates and fills attr.mls
394 * Returns 0 on success, error code on failure.
395 */
396int smk_netlbl_mls(int level, char *catset, struct netlbl_lsm_secattr *sap,
397 int len)
398{
399 unsigned char *cp;
400 unsigned char m;
401 int cat;
402 int rc;
403 int byte;
404
405 sap->flags |= NETLBL_SECATTR_MLS_CAT;
406 sap->attr.mls.lvl = level;
407 sap->attr.mls.cat = netlbl_secattr_catmap_alloc(GFP_ATOMIC);
408 sap->attr.mls.cat->startbit = 0;
409
410 for (cat = 1, cp = catset, byte = 0; byte < len; cp++, byte++)
411 for (m = 0x80; m != 0; m >>= 1, cat++) {
412 if ((m & *cp) == 0)
413 continue;
414 rc = netlbl_secattr_catmap_setbit(sap->attr.mls.cat,
415 cat, GFP_ATOMIC);
416 if (rc < 0) {
417 netlbl_secattr_catmap_free(sap->attr.mls.cat);
418 return rc;
419 }
420 }
421
422 return 0;
380} 423}
381 424
382/** 425/**
@@ -390,33 +433,59 @@ void smk_parse_smack(const char *string, int len, char *smack)
390struct smack_known *smk_import_entry(const char *string, int len) 433struct smack_known *smk_import_entry(const char *string, int len)
391{ 434{
392 struct smack_known *skp; 435 struct smack_known *skp;
393 char smack[SMK_LABELLEN]; 436 char *smack;
437 int slen;
438 int rc;
394 439
395 smk_parse_smack(string, len, smack); 440 smack = smk_parse_smack(string, len);
396 if (smack[0] == '\0') 441 if (smack == NULL)
397 return NULL; 442 return NULL;
398 443
399 mutex_lock(&smack_known_lock); 444 mutex_lock(&smack_known_lock);
400 445
401 skp = smk_find_entry(smack); 446 skp = smk_find_entry(smack);
447 if (skp != NULL)
448 goto freeout;
402 449
403 if (skp == NULL) { 450 skp = kzalloc(sizeof(*skp), GFP_KERNEL);
404 skp = kzalloc(sizeof(struct smack_known), GFP_KERNEL); 451 if (skp == NULL)
405 if (skp != NULL) { 452 goto freeout;
406 strncpy(skp->smk_known, smack, SMK_MAXLEN);
407 skp->smk_secid = smack_next_secid++;
408 skp->smk_cipso = NULL;
409 INIT_LIST_HEAD(&skp->smk_rules);
410 spin_lock_init(&skp->smk_cipsolock);
411 mutex_init(&skp->smk_rules_lock);
412 /*
413 * Make sure that the entry is actually
414 * filled before putting it on the list.
415 */
416 list_add_rcu(&skp->list, &smack_known_list);
417 }
418 }
419 453
454 skp->smk_known = smack;
455 skp->smk_secid = smack_next_secid++;
456 skp->smk_netlabel.domain = skp->smk_known;
457 skp->smk_netlabel.flags =
458 NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL;
459 /*
460 * If direct labeling works use it.
461 * Otherwise use mapped labeling.
462 */
463 slen = strlen(smack);
464 if (slen < SMK_CIPSOLEN)
465 rc = smk_netlbl_mls(smack_cipso_direct, skp->smk_known,
466 &skp->smk_netlabel, slen);
467 else
468 rc = smk_netlbl_mls(smack_cipso_mapped, (char *)&skp->smk_secid,
469 &skp->smk_netlabel, sizeof(skp->smk_secid));
470
471 if (rc >= 0) {
472 INIT_LIST_HEAD(&skp->smk_rules);
473 mutex_init(&skp->smk_rules_lock);
474 /*
475 * Make sure that the entry is actually
476 * filled before putting it on the list.
477 */
478 list_add_rcu(&skp->list, &smack_known_list);
479 goto unlockout;
480 }
481 /*
482 * smk_netlbl_mls failed.
483 */
484 kfree(skp);
485 skp = NULL;
486freeout:
487 kfree(smack);
488unlockout:
420 mutex_unlock(&smack_known_lock); 489 mutex_unlock(&smack_known_lock);
421 490
422 return skp; 491 return skp;
@@ -479,79 +548,9 @@ char *smack_from_secid(const u32 secid)
479 */ 548 */
480u32 smack_to_secid(const char *smack) 549u32 smack_to_secid(const char *smack)
481{ 550{
482 struct smack_known *skp; 551 struct smack_known *skp = smk_find_entry(smack);
483 552
484 rcu_read_lock(); 553 if (skp == NULL)
485 list_for_each_entry_rcu(skp, &smack_known_list, list) { 554 return 0;
486 if (strncmp(skp->smk_known, smack, SMK_MAXLEN) == 0) { 555 return skp->smk_secid;
487 rcu_read_unlock();
488 return skp->smk_secid;
489 }
490 }
491 rcu_read_unlock();
492 return 0;
493}
494
495/**
496 * smack_from_cipso - find the Smack label associated with a CIPSO option
497 * @level: Bell & LaPadula level from the network
498 * @cp: Bell & LaPadula categories from the network
499 *
500 * This is a simple lookup in the label table.
501 *
502 * Return the matching label from the label list or NULL.
503 */
504char *smack_from_cipso(u32 level, char *cp)
505{
506 struct smack_known *kp;
507 char *final = NULL;
508
509 rcu_read_lock();
510 list_for_each_entry(kp, &smack_known_list, list) {
511 if (kp->smk_cipso == NULL)
512 continue;
513
514 spin_lock_bh(&kp->smk_cipsolock);
515
516 if (kp->smk_cipso->smk_level == level &&
517 memcmp(kp->smk_cipso->smk_catset, cp, SMK_LABELLEN) == 0)
518 final = kp->smk_known;
519
520 spin_unlock_bh(&kp->smk_cipsolock);
521
522 if (final != NULL)
523 break;
524 }
525 rcu_read_unlock();
526
527 return final;
528}
529
530/**
531 * smack_to_cipso - find the CIPSO option to go with a Smack label
532 * @smack: a pointer to the smack label in question
533 * @cp: where to put the result
534 *
535 * Returns zero if a value is available, non-zero otherwise.
536 */
537int smack_to_cipso(const char *smack, struct smack_cipso *cp)
538{
539 struct smack_known *kp;
540 int found = 0;
541
542 rcu_read_lock();
543 list_for_each_entry_rcu(kp, &smack_known_list, list) {
544 if (kp->smk_known == smack ||
545 strcmp(kp->smk_known, smack) == 0) {
546 found = 1;
547 break;
548 }
549 }
550 rcu_read_unlock();
551
552 if (found == 0 || kp->smk_cipso == NULL)
553 return -ENOENT;
554
555 memcpy(cp, kp->smk_cipso, sizeof(struct smack_cipso));
556 return 0;
557} 556}
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 45c32f074166..ee0bb5735f35 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -30,7 +30,6 @@
30#include <linux/slab.h> 30#include <linux/slab.h>
31#include <linux/mutex.h> 31#include <linux/mutex.h>
32#include <linux/pipe_fs_i.h> 32#include <linux/pipe_fs_i.h>
33#include <net/netlabel.h>
34#include <net/cipso_ipv4.h> 33#include <net/cipso_ipv4.h>
35#include <linux/audit.h> 34#include <linux/audit.h>
36#include <linux/magic.h> 35#include <linux/magic.h>
@@ -57,16 +56,23 @@
57static char *smk_fetch(const char *name, struct inode *ip, struct dentry *dp) 56static char *smk_fetch(const char *name, struct inode *ip, struct dentry *dp)
58{ 57{
59 int rc; 58 int rc;
60 char in[SMK_LABELLEN]; 59 char *buffer;
60 char *result = NULL;
61 61
62 if (ip->i_op->getxattr == NULL) 62 if (ip->i_op->getxattr == NULL)
63 return NULL; 63 return NULL;
64 64
65 rc = ip->i_op->getxattr(dp, name, in, SMK_LABELLEN); 65 buffer = kzalloc(SMK_LONGLABEL, GFP_KERNEL);
66 if (rc < 0) 66 if (buffer == NULL)
67 return NULL; 67 return NULL;
68 68
69 return smk_import(in, rc); 69 rc = ip->i_op->getxattr(dp, name, buffer, SMK_LONGLABEL);
70 if (rc > 0)
71 result = smk_import(buffer, rc);
72
73 kfree(buffer);
74
75 return result;
70} 76}
71 77
72/** 78/**
@@ -79,7 +85,7 @@ struct inode_smack *new_inode_smack(char *smack)
79{ 85{
80 struct inode_smack *isp; 86 struct inode_smack *isp;
81 87
82 isp = kzalloc(sizeof(struct inode_smack), GFP_KERNEL); 88 isp = kzalloc(sizeof(struct inode_smack), GFP_NOFS);
83 if (isp == NULL) 89 if (isp == NULL)
84 return NULL; 90 return NULL;
85 91
@@ -556,13 +562,14 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
556 void **value, size_t *len) 562 void **value, size_t *len)
557{ 563{
558 struct smack_known *skp; 564 struct smack_known *skp;
565 struct inode_smack *issp = inode->i_security;
559 char *csp = smk_of_current(); 566 char *csp = smk_of_current();
560 char *isp = smk_of_inode(inode); 567 char *isp = smk_of_inode(inode);
561 char *dsp = smk_of_inode(dir); 568 char *dsp = smk_of_inode(dir);
562 int may; 569 int may;
563 570
564 if (name) { 571 if (name) {
565 *name = kstrdup(XATTR_SMACK_SUFFIX, GFP_KERNEL); 572 *name = kstrdup(XATTR_SMACK_SUFFIX, GFP_NOFS);
566 if (*name == NULL) 573 if (*name == NULL)
567 return -ENOMEM; 574 return -ENOMEM;
568 } 575 }
@@ -577,12 +584,15 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
577 * If the access rule allows transmutation and 584 * If the access rule allows transmutation and
578 * the directory requests transmutation then 585 * the directory requests transmutation then
579 * by all means transmute. 586 * by all means transmute.
587 * Mark the inode as changed.
580 */ 588 */
581 if (may > 0 && ((may & MAY_TRANSMUTE) != 0) && 589 if (may > 0 && ((may & MAY_TRANSMUTE) != 0) &&
582 smk_inode_transmutable(dir)) 590 smk_inode_transmutable(dir)) {
583 isp = dsp; 591 isp = dsp;
592 issp->smk_flags |= SMK_INODE_CHANGED;
593 }
584 594
585 *value = kstrdup(isp, GFP_KERNEL); 595 *value = kstrdup(isp, GFP_NOFS);
586 if (*value == NULL) 596 if (*value == NULL)
587 return -ENOMEM; 597 return -ENOMEM;
588 } 598 }
@@ -821,7 +831,7 @@ static int smack_inode_setxattr(struct dentry *dentry, const char *name,
821 * check label validity here so import wont fail on 831 * check label validity here so import wont fail on
822 * post_setxattr 832 * post_setxattr
823 */ 833 */
824 if (size == 0 || size >= SMK_LABELLEN || 834 if (size == 0 || size >= SMK_LONGLABEL ||
825 smk_import(value, size) == NULL) 835 smk_import(value, size) == NULL)
826 rc = -EINVAL; 836 rc = -EINVAL;
827 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 837 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) {
@@ -1161,7 +1171,7 @@ static int smack_file_fcntl(struct file *file, unsigned int cmd,
1161} 1171}
1162 1172
1163/** 1173/**
1164 * smack_file_mmap : 1174 * smack_mmap_file :
1165 * Check permissions for a mmap operation. The @file may be NULL, e.g. 1175 * Check permissions for a mmap operation. The @file may be NULL, e.g.
1166 * if mapping anonymous memory. 1176 * if mapping anonymous memory.
1167 * @file contains the file structure for file to map (may be NULL). 1177 * @file contains the file structure for file to map (may be NULL).
@@ -1170,10 +1180,9 @@ static int smack_file_fcntl(struct file *file, unsigned int cmd,
1170 * @flags contains the operational flags. 1180 * @flags contains the operational flags.
1171 * Return 0 if permission is granted. 1181 * Return 0 if permission is granted.
1172 */ 1182 */
1173static int smack_file_mmap(struct file *file, 1183static int smack_mmap_file(struct file *file,
1174 unsigned long reqprot, unsigned long prot, 1184 unsigned long reqprot, unsigned long prot,
1175 unsigned long flags, unsigned long addr, 1185 unsigned long flags)
1176 unsigned long addr_only)
1177{ 1186{
1178 struct smack_known *skp; 1187 struct smack_known *skp;
1179 struct smack_rule *srp; 1188 struct smack_rule *srp;
@@ -1188,11 +1197,6 @@ static int smack_file_mmap(struct file *file,
1188 int tmay; 1197 int tmay;
1189 int rc; 1198 int rc;
1190 1199
1191 /* do DAC check on address space usage */
1192 rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
1193 if (rc || addr_only)
1194 return rc;
1195
1196 if (file == NULL || file->f_dentry == NULL) 1200 if (file == NULL || file->f_dentry == NULL)
1197 return 0; 1201 return 0;
1198 1202
@@ -1349,7 +1353,7 @@ static int smack_file_receive(struct file *file)
1349} 1353}
1350 1354
1351/** 1355/**
1352 * smack_dentry_open - Smack dentry open processing 1356 * smack_file_open - Smack dentry open processing
1353 * @file: the object 1357 * @file: the object
1354 * @cred: unused 1358 * @cred: unused
1355 * 1359 *
@@ -1357,7 +1361,7 @@ static int smack_file_receive(struct file *file)
1357 * 1361 *
1358 * Returns 0 1362 * Returns 0
1359 */ 1363 */
1360static int smack_dentry_open(struct file *file, const struct cred *cred) 1364static int smack_file_open(struct file *file, const struct cred *cred)
1361{ 1365{
1362 struct inode_smack *isp = file->f_path.dentry->d_inode->i_security; 1366 struct inode_smack *isp = file->f_path.dentry->d_inode->i_security;
1363 1367
@@ -1820,65 +1824,6 @@ static char *smack_host_label(struct sockaddr_in *sip)
1820} 1824}
1821 1825
1822/** 1826/**
1823 * smack_set_catset - convert a capset to netlabel mls categories
1824 * @catset: the Smack categories
1825 * @sap: where to put the netlabel categories
1826 *
1827 * Allocates and fills attr.mls.cat
1828 */
1829static void smack_set_catset(char *catset, struct netlbl_lsm_secattr *sap)
1830{
1831 unsigned char *cp;
1832 unsigned char m;
1833 int cat;
1834 int rc;
1835 int byte;
1836
1837 if (!catset)
1838 return;
1839
1840 sap->flags |= NETLBL_SECATTR_MLS_CAT;
1841 sap->attr.mls.cat = netlbl_secattr_catmap_alloc(GFP_ATOMIC);
1842 sap->attr.mls.cat->startbit = 0;
1843
1844 for (cat = 1, cp = catset, byte = 0; byte < SMK_LABELLEN; cp++, byte++)
1845 for (m = 0x80; m != 0; m >>= 1, cat++) {
1846 if ((m & *cp) == 0)
1847 continue;
1848 rc = netlbl_secattr_catmap_setbit(sap->attr.mls.cat,
1849 cat, GFP_ATOMIC);
1850 }
1851}
1852
1853/**
1854 * smack_to_secattr - fill a secattr from a smack value
1855 * @smack: the smack value
1856 * @nlsp: where the result goes
1857 *
1858 * Casey says that CIPSO is good enough for now.
1859 * It can be used to effect.
1860 * It can also be abused to effect when necessary.
1861 * Apologies to the TSIG group in general and GW in particular.
1862 */
1863static void smack_to_secattr(char *smack, struct netlbl_lsm_secattr *nlsp)
1864{
1865 struct smack_cipso cipso;
1866 int rc;
1867
1868 nlsp->domain = smack;
1869 nlsp->flags = NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL;
1870
1871 rc = smack_to_cipso(smack, &cipso);
1872 if (rc == 0) {
1873 nlsp->attr.mls.lvl = cipso.smk_level;
1874 smack_set_catset(cipso.smk_catset, nlsp);
1875 } else {
1876 nlsp->attr.mls.lvl = smack_cipso_direct;
1877 smack_set_catset(smack, nlsp);
1878 }
1879}
1880
1881/**
1882 * smack_netlabel - Set the secattr on a socket 1827 * smack_netlabel - Set the secattr on a socket
1883 * @sk: the socket 1828 * @sk: the socket
1884 * @labeled: socket label scheme 1829 * @labeled: socket label scheme
@@ -1890,8 +1835,8 @@ static void smack_to_secattr(char *smack, struct netlbl_lsm_secattr *nlsp)
1890 */ 1835 */
1891static int smack_netlabel(struct sock *sk, int labeled) 1836static int smack_netlabel(struct sock *sk, int labeled)
1892{ 1837{
1838 struct smack_known *skp;
1893 struct socket_smack *ssp = sk->sk_security; 1839 struct socket_smack *ssp = sk->sk_security;
1894 struct netlbl_lsm_secattr secattr;
1895 int rc = 0; 1840 int rc = 0;
1896 1841
1897 /* 1842 /*
@@ -1909,10 +1854,8 @@ static int smack_netlabel(struct sock *sk, int labeled)
1909 labeled == SMACK_UNLABELED_SOCKET) 1854 labeled == SMACK_UNLABELED_SOCKET)
1910 netlbl_sock_delattr(sk); 1855 netlbl_sock_delattr(sk);
1911 else { 1856 else {
1912 netlbl_secattr_init(&secattr); 1857 skp = smk_find_entry(ssp->smk_out);
1913 smack_to_secattr(ssp->smk_out, &secattr); 1858 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel);
1914 rc = netlbl_sock_setattr(sk, sk->sk_family, &secattr);
1915 netlbl_secattr_destroy(&secattr);
1916 } 1859 }
1917 1860
1918 bh_unlock_sock(sk); 1861 bh_unlock_sock(sk);
@@ -1985,7 +1928,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
1985 struct socket *sock; 1928 struct socket *sock;
1986 int rc = 0; 1929 int rc = 0;
1987 1930
1988 if (value == NULL || size > SMK_LABELLEN || size == 0) 1931 if (value == NULL || size > SMK_LONGLABEL || size == 0)
1989 return -EACCES; 1932 return -EACCES;
1990 1933
1991 sp = smk_import(value, size); 1934 sp = smk_import(value, size);
@@ -2552,6 +2495,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
2552 char *final; 2495 char *final;
2553 char trattr[TRANS_TRUE_SIZE]; 2496 char trattr[TRANS_TRUE_SIZE];
2554 int transflag = 0; 2497 int transflag = 0;
2498 int rc;
2555 struct dentry *dp; 2499 struct dentry *dp;
2556 2500
2557 if (inode == NULL) 2501 if (inode == NULL)
@@ -2670,17 +2614,38 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
2670 */ 2614 */
2671 dp = dget(opt_dentry); 2615 dp = dget(opt_dentry);
2672 fetched = smk_fetch(XATTR_NAME_SMACK, inode, dp); 2616 fetched = smk_fetch(XATTR_NAME_SMACK, inode, dp);
2673 if (fetched != NULL) { 2617 if (fetched != NULL)
2674 final = fetched; 2618 final = fetched;
2675 if (S_ISDIR(inode->i_mode)) { 2619
2676 trattr[0] = '\0'; 2620 /*
2677 inode->i_op->getxattr(dp, 2621 * Transmuting directory
2622 */
2623 if (S_ISDIR(inode->i_mode)) {
2624 /*
2625 * If this is a new directory and the label was
2626 * transmuted when the inode was initialized
2627 * set the transmute attribute on the directory
2628 * and mark the inode.
2629 *
2630 * If there is a transmute attribute on the
2631 * directory mark the inode.
2632 */
2633 if (isp->smk_flags & SMK_INODE_CHANGED) {
2634 isp->smk_flags &= ~SMK_INODE_CHANGED;
2635 rc = inode->i_op->setxattr(dp,
2678 XATTR_NAME_SMACKTRANSMUTE, 2636 XATTR_NAME_SMACKTRANSMUTE,
2679 trattr, TRANS_TRUE_SIZE); 2637 TRANS_TRUE, TRANS_TRUE_SIZE,
2680 if (strncmp(trattr, TRANS_TRUE, 2638 0);
2681 TRANS_TRUE_SIZE) == 0) 2639 } else {
2682 transflag = SMK_INODE_TRANSMUTE; 2640 rc = inode->i_op->getxattr(dp,
2641 XATTR_NAME_SMACKTRANSMUTE, trattr,
2642 TRANS_TRUE_SIZE);
2643 if (rc >= 0 && strncmp(trattr, TRANS_TRUE,
2644 TRANS_TRUE_SIZE) != 0)
2645 rc = -EINVAL;
2683 } 2646 }
2647 if (rc >= 0)
2648 transflag = SMK_INODE_TRANSMUTE;
2684 } 2649 }
2685 isp->smk_task = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 2650 isp->smk_task = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp);
2686 isp->smk_mmap = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 2651 isp->smk_mmap = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp);
@@ -2759,7 +2724,7 @@ static int smack_setprocattr(struct task_struct *p, char *name,
2759 if (!capable(CAP_MAC_ADMIN)) 2724 if (!capable(CAP_MAC_ADMIN))
2760 return -EPERM; 2725 return -EPERM;
2761 2726
2762 if (value == NULL || size == 0 || size >= SMK_LABELLEN) 2727 if (value == NULL || size == 0 || size >= SMK_LONGLABEL)
2763 return -EINVAL; 2728 return -EINVAL;
2764 2729
2765 if (strcmp(name, "current") != 0) 2730 if (strcmp(name, "current") != 0)
@@ -2895,10 +2860,9 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
2895static char *smack_from_secattr(struct netlbl_lsm_secattr *sap, 2860static char *smack_from_secattr(struct netlbl_lsm_secattr *sap,
2896 struct socket_smack *ssp) 2861 struct socket_smack *ssp)
2897{ 2862{
2898 struct smack_known *skp; 2863 struct smack_known *kp;
2899 char smack[SMK_LABELLEN];
2900 char *sp; 2864 char *sp;
2901 int pcat; 2865 int found = 0;
2902 2866
2903 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 2867 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) {
2904 /* 2868 /*
@@ -2906,59 +2870,27 @@ static char *smack_from_secattr(struct netlbl_lsm_secattr *sap,
2906 * If there are flags but no level netlabel isn't 2870 * If there are flags but no level netlabel isn't
2907 * behaving the way we expect it to. 2871 * behaving the way we expect it to.
2908 * 2872 *
2909 * Get the categories, if any 2873 * Look it up in the label table
2910 * Without guidance regarding the smack value 2874 * Without guidance regarding the smack value
2911 * for the packet fall back on the network 2875 * for the packet fall back on the network
2912 * ambient value. 2876 * ambient value.
2913 */ 2877 */
2914 memset(smack, '\0', SMK_LABELLEN); 2878 rcu_read_lock();
2915 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) != 0) 2879 list_for_each_entry(kp, &smack_known_list, list) {
2916 for (pcat = -1;;) { 2880 if (sap->attr.mls.lvl != kp->smk_netlabel.attr.mls.lvl)
2917 pcat = netlbl_secattr_catmap_walk( 2881 continue;
2918 sap->attr.mls.cat, pcat + 1); 2882 if (memcmp(sap->attr.mls.cat,
2919 if (pcat < 0) 2883 kp->smk_netlabel.attr.mls.cat,
2920 break; 2884 SMK_CIPSOLEN) != 0)
2921 smack_catset_bit(pcat, smack); 2885 continue;
2922 } 2886 found = 1;
2923 /* 2887 break;
2924 * If it is CIPSO using smack direct mapping
2925 * we are already done. WeeHee.
2926 */
2927 if (sap->attr.mls.lvl == smack_cipso_direct) {
2928 /*
2929 * The label sent is usually on the label list.
2930 *
2931 * If it is not we may still want to allow the
2932 * delivery.
2933 *
2934 * If the recipient is accepting all packets
2935 * because it is using the star ("*") label
2936 * for SMACK64IPIN provide the web ("@") label
2937 * so that a directed response will succeed.
2938 * This is not very correct from a MAC point
2939 * of view, but gets around the problem that
2940 * locking prevents adding the newly discovered
2941 * label to the list.
2942 * The case where the recipient is not using
2943 * the star label should obviously fail.
2944 * The easy way to do this is to provide the
2945 * star label as the subject label.
2946 */
2947 skp = smk_find_entry(smack);
2948 if (skp != NULL)
2949 return skp->smk_known;
2950 if (ssp != NULL &&
2951 ssp->smk_in == smack_known_star.smk_known)
2952 return smack_known_web.smk_known;
2953 return smack_known_star.smk_known;
2954 } 2888 }
2955 /* 2889 rcu_read_unlock();
2956 * Look it up in the supplied table if it is not 2890
2957 * a direct mapping. 2891 if (found)
2958 */ 2892 return kp->smk_known;
2959 sp = smack_from_cipso(sap->attr.mls.lvl, smack); 2893
2960 if (sp != NULL)
2961 return sp;
2962 if (ssp != NULL && ssp->smk_in == smack_known_star.smk_known) 2894 if (ssp != NULL && ssp->smk_in == smack_known_star.smk_known)
2963 return smack_known_web.smk_known; 2895 return smack_known_web.smk_known;
2964 return smack_known_star.smk_known; 2896 return smack_known_star.smk_known;
@@ -3158,11 +3090,13 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
3158 struct request_sock *req) 3090 struct request_sock *req)
3159{ 3091{
3160 u16 family = sk->sk_family; 3092 u16 family = sk->sk_family;
3093 struct smack_known *skp;
3161 struct socket_smack *ssp = sk->sk_security; 3094 struct socket_smack *ssp = sk->sk_security;
3162 struct netlbl_lsm_secattr secattr; 3095 struct netlbl_lsm_secattr secattr;
3163 struct sockaddr_in addr; 3096 struct sockaddr_in addr;
3164 struct iphdr *hdr; 3097 struct iphdr *hdr;
3165 char *sp; 3098 char *sp;
3099 char *hsp;
3166 int rc; 3100 int rc;
3167 struct smk_audit_info ad; 3101 struct smk_audit_info ad;
3168#ifdef CONFIG_AUDIT 3102#ifdef CONFIG_AUDIT
@@ -3209,16 +3143,14 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
3209 hdr = ip_hdr(skb); 3143 hdr = ip_hdr(skb);
3210 addr.sin_addr.s_addr = hdr->saddr; 3144 addr.sin_addr.s_addr = hdr->saddr;
3211 rcu_read_lock(); 3145 rcu_read_lock();
3212 if (smack_host_label(&addr) == NULL) { 3146 hsp = smack_host_label(&addr);
3213 rcu_read_unlock(); 3147 rcu_read_unlock();
3214 netlbl_secattr_init(&secattr); 3148
3215 smack_to_secattr(sp, &secattr); 3149 if (hsp == NULL) {
3216 rc = netlbl_req_setattr(req, &secattr); 3150 skp = smk_find_entry(sp);
3217 netlbl_secattr_destroy(&secattr); 3151 rc = netlbl_req_setattr(req, &skp->smk_netlabel);
3218 } else { 3152 } else
3219 rcu_read_unlock();
3220 netlbl_req_delattr(req); 3153 netlbl_req_delattr(req);
3221 }
3222 3154
3223 return rc; 3155 return rc;
3224} 3156}
@@ -3400,7 +3332,7 @@ static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule,
3400 char *rule = vrule; 3332 char *rule = vrule;
3401 3333
3402 if (!rule) { 3334 if (!rule) {
3403 audit_log(actx, GFP_KERNEL, AUDIT_SELINUX_ERR, 3335 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
3404 "Smack: missing rule\n"); 3336 "Smack: missing rule\n");
3405 return -ENOENT; 3337 return -ENOENT;
3406 } 3338 }
@@ -3544,12 +3476,13 @@ struct security_operations smack_ops = {
3544 .file_ioctl = smack_file_ioctl, 3476 .file_ioctl = smack_file_ioctl,
3545 .file_lock = smack_file_lock, 3477 .file_lock = smack_file_lock,
3546 .file_fcntl = smack_file_fcntl, 3478 .file_fcntl = smack_file_fcntl,
3547 .file_mmap = smack_file_mmap, 3479 .mmap_file = smack_mmap_file,
3480 .mmap_addr = cap_mmap_addr,
3548 .file_set_fowner = smack_file_set_fowner, 3481 .file_set_fowner = smack_file_set_fowner,
3549 .file_send_sigiotask = smack_file_send_sigiotask, 3482 .file_send_sigiotask = smack_file_send_sigiotask,
3550 .file_receive = smack_file_receive, 3483 .file_receive = smack_file_receive,
3551 3484
3552 .dentry_open = smack_dentry_open, 3485 .file_open = smack_file_open,
3553 3486
3554 .cred_alloc_blank = smack_cred_alloc_blank, 3487 .cred_alloc_blank = smack_cred_alloc_blank,
3555 .cred_free = smack_cred_free, 3488 .cred_free = smack_cred_free,
@@ -3643,15 +3576,6 @@ struct security_operations smack_ops = {
3643static __init void init_smack_known_list(void) 3576static __init void init_smack_known_list(void)
3644{ 3577{
3645 /* 3578 /*
3646 * Initialize CIPSO locks
3647 */
3648 spin_lock_init(&smack_known_huh.smk_cipsolock);
3649 spin_lock_init(&smack_known_hat.smk_cipsolock);
3650 spin_lock_init(&smack_known_star.smk_cipsolock);
3651 spin_lock_init(&smack_known_floor.smk_cipsolock);
3652 spin_lock_init(&smack_known_invalid.smk_cipsolock);
3653 spin_lock_init(&smack_known_web.smk_cipsolock);
3654 /*
3655 * Initialize rule list locks 3579 * Initialize rule list locks
3656 */ 3580 */
3657 mutex_init(&smack_known_huh.smk_rules_lock); 3581 mutex_init(&smack_known_huh.smk_rules_lock);
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 038811cb7e62..1810c9a4ed48 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -22,7 +22,6 @@
22#include <linux/mutex.h> 22#include <linux/mutex.h>
23#include <linux/slab.h> 23#include <linux/slab.h>
24#include <net/net_namespace.h> 24#include <net/net_namespace.h>
25#include <net/netlabel.h>
26#include <net/cipso_ipv4.h> 25#include <net/cipso_ipv4.h>
27#include <linux/seq_file.h> 26#include <linux/seq_file.h>
28#include <linux/ctype.h> 27#include <linux/ctype.h>
@@ -45,6 +44,11 @@ enum smk_inos {
45 SMK_LOGGING = 10, /* logging */ 44 SMK_LOGGING = 10, /* logging */
46 SMK_LOAD_SELF = 11, /* task specific rules */ 45 SMK_LOAD_SELF = 11, /* task specific rules */
47 SMK_ACCESSES = 12, /* access policy */ 46 SMK_ACCESSES = 12, /* access policy */
47 SMK_MAPPED = 13, /* CIPSO level indicating mapped label */
48 SMK_LOAD2 = 14, /* load policy with long labels */
49 SMK_LOAD_SELF2 = 15, /* load task specific rules with long labels */
50 SMK_ACCESS2 = 16, /* make an access check with long labels */
51 SMK_CIPSO2 = 17, /* load long label -> CIPSO mapping */
48}; 52};
49 53
50/* 54/*
@@ -60,7 +64,7 @@ static DEFINE_MUTEX(smk_netlbladdr_lock);
60 * If it isn't somehow marked, use this. 64 * If it isn't somehow marked, use this.
61 * It can be reset via smackfs/ambient 65 * It can be reset via smackfs/ambient
62 */ 66 */
63char *smack_net_ambient = smack_known_floor.smk_known; 67char *smack_net_ambient;
64 68
65/* 69/*
66 * This is the level in a CIPSO header that indicates a 70 * This is the level in a CIPSO header that indicates a
@@ -70,6 +74,13 @@ char *smack_net_ambient = smack_known_floor.smk_known;
70int smack_cipso_direct = SMACK_CIPSO_DIRECT_DEFAULT; 74int smack_cipso_direct = SMACK_CIPSO_DIRECT_DEFAULT;
71 75
72/* 76/*
77 * This is the level in a CIPSO header that indicates a
78 * secid is contained directly in the category set.
79 * It can be reset via smackfs/mapped
80 */
81int smack_cipso_mapped = SMACK_CIPSO_MAPPED_DEFAULT;
82
83/*
73 * Unless a process is running with this label even 84 * Unless a process is running with this label even
74 * having CAP_MAC_OVERRIDE isn't enough to grant 85 * having CAP_MAC_OVERRIDE isn't enough to grant
75 * privilege to violate MAC policy. If no label is 86 * privilege to violate MAC policy. If no label is
@@ -89,7 +100,7 @@ LIST_HEAD(smk_netlbladdr_list);
89 100
90/* 101/*
91 * Rule lists are maintained for each label. 102 * Rule lists are maintained for each label.
92 * This master list is just for reading /smack/load. 103 * This master list is just for reading /smack/load and /smack/load2.
93 */ 104 */
94struct smack_master_list { 105struct smack_master_list {
95 struct list_head list; 106 struct list_head list;
@@ -125,6 +136,18 @@ const char *smack_cipso_option = SMACK_CIPSO_OPTION;
125#define SMK_OLOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_OACCESSLEN) 136#define SMK_OLOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_OACCESSLEN)
126#define SMK_LOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_ACCESSLEN) 137#define SMK_LOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_ACCESSLEN)
127 138
139/*
140 * Stricly for CIPSO level manipulation.
141 * Set the category bit number in a smack label sized buffer.
142 */
143static inline void smack_catset_bit(unsigned int cat, char *catsetp)
144{
145 if (cat == 0 || cat > (SMK_CIPSOLEN * 8))
146 return;
147
148 catsetp[(cat - 1) / 8] |= 0x80 >> ((cat - 1) % 8);
149}
150
128/** 151/**
129 * smk_netlabel_audit_set - fill a netlbl_audit struct 152 * smk_netlabel_audit_set - fill a netlbl_audit struct
130 * @nap: structure to fill 153 * @nap: structure to fill
@@ -137,12 +160,10 @@ static void smk_netlabel_audit_set(struct netlbl_audit *nap)
137} 160}
138 161
139/* 162/*
140 * Values for parsing single label host rules 163 * Value for parsing single label host rules
141 * "1.2.3.4 X" 164 * "1.2.3.4 X"
142 * "192.168.138.129/32 abcdefghijklmnopqrstuvw"
143 */ 165 */
144#define SMK_NETLBLADDRMIN 9 166#define SMK_NETLBLADDRMIN 9
145#define SMK_NETLBLADDRMAX 42
146 167
147/** 168/**
148 * smk_set_access - add a rule to the rule list 169 * smk_set_access - add a rule to the rule list
@@ -188,33 +209,47 @@ static int smk_set_access(struct smack_rule *srp, struct list_head *rule_list,
188} 209}
189 210
190/** 211/**
191 * smk_parse_rule - parse Smack rule from load string 212 * smk_fill_rule - Fill Smack rule from strings
192 * @data: string to be parsed whose size is SMK_LOADLEN 213 * @subject: subject label string
214 * @object: object label string
215 * @access: access string
193 * @rule: Smack rule 216 * @rule: Smack rule
194 * @import: if non-zero, import labels 217 * @import: if non-zero, import labels
218 *
219 * Returns 0 on success, -1 on failure
195 */ 220 */
196static int smk_parse_rule(const char *data, struct smack_rule *rule, int import) 221static int smk_fill_rule(const char *subject, const char *object,
222 const char *access, struct smack_rule *rule,
223 int import)
197{ 224{
198 char smack[SMK_LABELLEN]; 225 int rc = -1;
226 int done;
227 const char *cp;
199 struct smack_known *skp; 228 struct smack_known *skp;
200 229
201 if (import) { 230 if (import) {
202 rule->smk_subject = smk_import(data, 0); 231 rule->smk_subject = smk_import(subject, 0);
203 if (rule->smk_subject == NULL) 232 if (rule->smk_subject == NULL)
204 return -1; 233 return -1;
205 234
206 rule->smk_object = smk_import(data + SMK_LABELLEN, 0); 235 rule->smk_object = smk_import(object, 0);
207 if (rule->smk_object == NULL) 236 if (rule->smk_object == NULL)
208 return -1; 237 return -1;
209 } else { 238 } else {
210 smk_parse_smack(data, 0, smack); 239 cp = smk_parse_smack(subject, 0);
211 skp = smk_find_entry(smack); 240 if (cp == NULL)
241 return -1;
242 skp = smk_find_entry(cp);
243 kfree(cp);
212 if (skp == NULL) 244 if (skp == NULL)
213 return -1; 245 return -1;
214 rule->smk_subject = skp->smk_known; 246 rule->smk_subject = skp->smk_known;
215 247
216 smk_parse_smack(data + SMK_LABELLEN, 0, smack); 248 cp = smk_parse_smack(object, 0);
217 skp = smk_find_entry(smack); 249 if (cp == NULL)
250 return -1;
251 skp = smk_find_entry(cp);
252 kfree(cp);
218 if (skp == NULL) 253 if (skp == NULL)
219 return -1; 254 return -1;
220 rule->smk_object = skp->smk_known; 255 rule->smk_object = skp->smk_known;
@@ -222,90 +257,127 @@ static int smk_parse_rule(const char *data, struct smack_rule *rule, int import)
222 257
223 rule->smk_access = 0; 258 rule->smk_access = 0;
224 259
225 switch (data[SMK_LABELLEN + SMK_LABELLEN]) { 260 for (cp = access, done = 0; *cp && !done; cp++) {
226 case '-': 261 switch (*cp) {
227 break; 262 case '-':
228 case 'r': 263 break;
229 case 'R': 264 case 'r':
230 rule->smk_access |= MAY_READ; 265 case 'R':
231 break; 266 rule->smk_access |= MAY_READ;
232 default: 267 break;
233 return -1; 268 case 'w':
269 case 'W':
270 rule->smk_access |= MAY_WRITE;
271 break;
272 case 'x':
273 case 'X':
274 rule->smk_access |= MAY_EXEC;
275 break;
276 case 'a':
277 case 'A':
278 rule->smk_access |= MAY_APPEND;
279 break;
280 case 't':
281 case 'T':
282 rule->smk_access |= MAY_TRANSMUTE;
283 break;
284 default:
285 done = 1;
286 break;
287 }
234 } 288 }
289 rc = 0;
235 290
236 switch (data[SMK_LABELLEN + SMK_LABELLEN + 1]) { 291 return rc;
237 case '-': 292}
238 break;
239 case 'w':
240 case 'W':
241 rule->smk_access |= MAY_WRITE;
242 break;
243 default:
244 return -1;
245 }
246 293
247 switch (data[SMK_LABELLEN + SMK_LABELLEN + 2]) { 294/**
248 case '-': 295 * smk_parse_rule - parse Smack rule from load string
249 break; 296 * @data: string to be parsed whose size is SMK_LOADLEN
250 case 'x': 297 * @rule: Smack rule
251 case 'X': 298 * @import: if non-zero, import labels
252 rule->smk_access |= MAY_EXEC; 299 *
253 break; 300 * Returns 0 on success, -1 on errors.
254 default: 301 */
255 return -1; 302static int smk_parse_rule(const char *data, struct smack_rule *rule, int import)
256 } 303{
304 int rc;
257 305
258 switch (data[SMK_LABELLEN + SMK_LABELLEN + 3]) { 306 rc = smk_fill_rule(data, data + SMK_LABELLEN,
259 case '-': 307 data + SMK_LABELLEN + SMK_LABELLEN, rule, import);
260 break; 308 return rc;
261 case 'a': 309}
262 case 'A':
263 rule->smk_access |= MAY_APPEND;
264 break;
265 default:
266 return -1;
267 }
268 310
269 switch (data[SMK_LABELLEN + SMK_LABELLEN + 4]) { 311/**
270 case '-': 312 * smk_parse_long_rule - parse Smack rule from rule string
271 break; 313 * @data: string to be parsed, null terminated
272 case 't': 314 * @rule: Smack rule
273 case 'T': 315 * @import: if non-zero, import labels
274 rule->smk_access |= MAY_TRANSMUTE; 316 *
275 break; 317 * Returns 0 on success, -1 on failure
276 default: 318 */
277 return -1; 319static int smk_parse_long_rule(const char *data, struct smack_rule *rule,
278 } 320 int import)
321{
322 char *subject;
323 char *object;
324 char *access;
325 int datalen;
326 int rc = -1;
279 327
280 return 0; 328 /*
329 * This is probably inefficient, but safe.
330 */
331 datalen = strlen(data);
332 subject = kzalloc(datalen, GFP_KERNEL);
333 if (subject == NULL)
334 return -1;
335 object = kzalloc(datalen, GFP_KERNEL);
336 if (object == NULL)
337 goto free_out_s;
338 access = kzalloc(datalen, GFP_KERNEL);
339 if (access == NULL)
340 goto free_out_o;
341
342 if (sscanf(data, "%s %s %s", subject, object, access) == 3)
343 rc = smk_fill_rule(subject, object, access, rule, import);
344
345 kfree(access);
346free_out_o:
347 kfree(object);
348free_out_s:
349 kfree(subject);
350 return rc;
281} 351}
282 352
353#define SMK_FIXED24_FMT 0 /* Fixed 24byte label format */
354#define SMK_LONG_FMT 1 /* Variable long label format */
283/** 355/**
284 * smk_write_load_list - write() for any /smack/load 356 * smk_write_rules_list - write() for any /smack rule file
285 * @file: file pointer, not actually used 357 * @file: file pointer, not actually used
286 * @buf: where to get the data from 358 * @buf: where to get the data from
287 * @count: bytes sent 359 * @count: bytes sent
288 * @ppos: where to start - must be 0 360 * @ppos: where to start - must be 0
289 * @rule_list: the list of rules to write to 361 * @rule_list: the list of rules to write to
290 * @rule_lock: lock for the rule list 362 * @rule_lock: lock for the rule list
363 * @format: /smack/load or /smack/load2 format.
291 * 364 *
292 * Get one smack access rule from above. 365 * Get one smack access rule from above.
293 * The format is exactly: 366 * The format for SMK_LONG_FMT is:
294 * char subject[SMK_LABELLEN] 367 * "subject<whitespace>object<whitespace>access[<whitespace>...]"
295 * char object[SMK_LABELLEN] 368 * The format for SMK_FIXED24_FMT is exactly:
296 * char access[SMK_ACCESSLEN] 369 * "subject object rwxat"
297 *
298 * writes must be SMK_LABELLEN+SMK_LABELLEN+SMK_ACCESSLEN bytes.
299 */ 370 */
300static ssize_t smk_write_load_list(struct file *file, const char __user *buf, 371static ssize_t smk_write_rules_list(struct file *file, const char __user *buf,
301 size_t count, loff_t *ppos, 372 size_t count, loff_t *ppos,
302 struct list_head *rule_list, 373 struct list_head *rule_list,
303 struct mutex *rule_lock) 374 struct mutex *rule_lock, int format)
304{ 375{
305 struct smack_master_list *smlp; 376 struct smack_master_list *smlp;
306 struct smack_known *skp; 377 struct smack_known *skp;
307 struct smack_rule *rule; 378 struct smack_rule *rule;
308 char *data; 379 char *data;
380 int datalen;
309 int rc = -EINVAL; 381 int rc = -EINVAL;
310 int load = 0; 382 int load = 0;
311 383
@@ -315,13 +387,18 @@ static ssize_t smk_write_load_list(struct file *file, const char __user *buf,
315 */ 387 */
316 if (*ppos != 0) 388 if (*ppos != 0)
317 return -EINVAL; 389 return -EINVAL;
318 /*
319 * Minor hack for backward compatibility
320 */
321 if (count < (SMK_OLOADLEN) || count > SMK_LOADLEN)
322 return -EINVAL;
323 390
324 data = kzalloc(SMK_LOADLEN, GFP_KERNEL); 391 if (format == SMK_FIXED24_FMT) {
392 /*
393 * Minor hack for backward compatibility
394 */
395 if (count != SMK_OLOADLEN && count != SMK_LOADLEN)
396 return -EINVAL;
397 datalen = SMK_LOADLEN;
398 } else
399 datalen = count + 1;
400
401 data = kzalloc(datalen, GFP_KERNEL);
325 if (data == NULL) 402 if (data == NULL)
326 return -ENOMEM; 403 return -ENOMEM;
327 404
@@ -330,20 +407,29 @@ static ssize_t smk_write_load_list(struct file *file, const char __user *buf,
330 goto out; 407 goto out;
331 } 408 }
332 409
333 /*
334 * More on the minor hack for backward compatibility
335 */
336 if (count == (SMK_OLOADLEN))
337 data[SMK_OLOADLEN] = '-';
338
339 rule = kzalloc(sizeof(*rule), GFP_KERNEL); 410 rule = kzalloc(sizeof(*rule), GFP_KERNEL);
340 if (rule == NULL) { 411 if (rule == NULL) {
341 rc = -ENOMEM; 412 rc = -ENOMEM;
342 goto out; 413 goto out;
343 } 414 }
344 415
345 if (smk_parse_rule(data, rule, 1)) 416 if (format == SMK_LONG_FMT) {
346 goto out_free_rule; 417 /*
418 * Be sure the data string is terminated.
419 */
420 data[count] = '\0';
421 if (smk_parse_long_rule(data, rule, 1))
422 goto out_free_rule;
423 } else {
424 /*
425 * More on the minor hack for backward compatibility
426 */
427 if (count == (SMK_OLOADLEN))
428 data[SMK_OLOADLEN] = '-';
429 if (smk_parse_rule(data, rule, 1))
430 goto out_free_rule;
431 }
432
347 433
348 if (rule_list == NULL) { 434 if (rule_list == NULL) {
349 load = 1; 435 load = 1;
@@ -354,18 +440,20 @@ static ssize_t smk_write_load_list(struct file *file, const char __user *buf,
354 440
355 rc = count; 441 rc = count;
356 /* 442 /*
357 * If this is "load" as opposed to "load-self" and a new rule 443 * If this is a global as opposed to self and a new rule
358 * it needs to get added for reporting. 444 * it needs to get added for reporting.
359 * smk_set_access returns true if there was already a rule 445 * smk_set_access returns true if there was already a rule
360 * for the subject/object pair, and false if it was new. 446 * for the subject/object pair, and false if it was new.
361 */ 447 */
362 if (load && !smk_set_access(rule, rule_list, rule_lock)) { 448 if (!smk_set_access(rule, rule_list, rule_lock)) {
363 smlp = kzalloc(sizeof(*smlp), GFP_KERNEL); 449 if (load) {
364 if (smlp != NULL) { 450 smlp = kzalloc(sizeof(*smlp), GFP_KERNEL);
365 smlp->smk_rule = rule; 451 if (smlp != NULL) {
366 list_add_rcu(&smlp->list, &smack_rule_list); 452 smlp->smk_rule = rule;
367 } else 453 list_add_rcu(&smlp->list, &smack_rule_list);
368 rc = -ENOMEM; 454 } else
455 rc = -ENOMEM;
456 }
369 goto out; 457 goto out;
370 } 458 }
371 459
@@ -421,29 +509,18 @@ static void smk_seq_stop(struct seq_file *s, void *v)
421 /* No-op */ 509 /* No-op */
422} 510}
423 511
424/* 512static void smk_rule_show(struct seq_file *s, struct smack_rule *srp, int max)
425 * Seq_file read operations for /smack/load
426 */
427
428static void *load_seq_start(struct seq_file *s, loff_t *pos)
429{
430 return smk_seq_start(s, pos, &smack_rule_list);
431}
432
433static void *load_seq_next(struct seq_file *s, void *v, loff_t *pos)
434{ 513{
435 return smk_seq_next(s, v, pos, &smack_rule_list); 514 /*
436} 515 * Don't show any rules with label names too long for
437 516 * interface file (/smack/load or /smack/load2)
438static int load_seq_show(struct seq_file *s, void *v) 517 * because you should expect to be able to write
439{ 518 * anything you read back.
440 struct list_head *list = v; 519 */
441 struct smack_master_list *smlp = 520 if (strlen(srp->smk_subject) >= max || strlen(srp->smk_object) >= max)
442 list_entry(list, struct smack_master_list, list); 521 return;
443 struct smack_rule *srp = smlp->smk_rule;
444 522
445 seq_printf(s, "%s %s", (char *)srp->smk_subject, 523 seq_printf(s, "%s %s", srp->smk_subject, srp->smk_object);
446 (char *)srp->smk_object);
447 524
448 seq_putc(s, ' '); 525 seq_putc(s, ' ');
449 526
@@ -461,13 +538,36 @@ static int load_seq_show(struct seq_file *s, void *v)
461 seq_putc(s, '-'); 538 seq_putc(s, '-');
462 539
463 seq_putc(s, '\n'); 540 seq_putc(s, '\n');
541}
542
543/*
544 * Seq_file read operations for /smack/load
545 */
546
547static void *load2_seq_start(struct seq_file *s, loff_t *pos)
548{
549 return smk_seq_start(s, pos, &smack_rule_list);
550}
551
552static void *load2_seq_next(struct seq_file *s, void *v, loff_t *pos)
553{
554 return smk_seq_next(s, v, pos, &smack_rule_list);
555}
556
557static int load_seq_show(struct seq_file *s, void *v)
558{
559 struct list_head *list = v;
560 struct smack_master_list *smlp =
561 list_entry(list, struct smack_master_list, list);
562
563 smk_rule_show(s, smlp->smk_rule, SMK_LABELLEN);
464 564
465 return 0; 565 return 0;
466} 566}
467 567
468static const struct seq_operations load_seq_ops = { 568static const struct seq_operations load_seq_ops = {
469 .start = load_seq_start, 569 .start = load2_seq_start,
470 .next = load_seq_next, 570 .next = load2_seq_next,
471 .show = load_seq_show, 571 .show = load_seq_show,
472 .stop = smk_seq_stop, 572 .stop = smk_seq_stop,
473}; 573};
@@ -504,7 +604,8 @@ static ssize_t smk_write_load(struct file *file, const char __user *buf,
504 if (!capable(CAP_MAC_ADMIN)) 604 if (!capable(CAP_MAC_ADMIN))
505 return -EPERM; 605 return -EPERM;
506 606
507 return smk_write_load_list(file, buf, count, ppos, NULL, NULL); 607 return smk_write_rules_list(file, buf, count, ppos, NULL, NULL,
608 SMK_FIXED24_FMT);
508} 609}
509 610
510static const struct file_operations smk_load_ops = { 611static const struct file_operations smk_load_ops = {
@@ -574,6 +675,8 @@ static void smk_unlbl_ambient(char *oldambient)
574 printk(KERN_WARNING "%s:%d remove rc = %d\n", 675 printk(KERN_WARNING "%s:%d remove rc = %d\n",
575 __func__, __LINE__, rc); 676 __func__, __LINE__, rc);
576 } 677 }
678 if (smack_net_ambient == NULL)
679 smack_net_ambient = smack_known_floor.smk_known;
577 680
578 rc = netlbl_cfg_unlbl_map_add(smack_net_ambient, PF_INET, 681 rc = netlbl_cfg_unlbl_map_add(smack_net_ambient, PF_INET,
579 NULL, NULL, &nai); 682 NULL, NULL, &nai);
@@ -605,27 +708,28 @@ static int cipso_seq_show(struct seq_file *s, void *v)
605 struct list_head *list = v; 708 struct list_head *list = v;
606 struct smack_known *skp = 709 struct smack_known *skp =
607 list_entry(list, struct smack_known, list); 710 list_entry(list, struct smack_known, list);
608 struct smack_cipso *scp = skp->smk_cipso; 711 struct netlbl_lsm_secattr_catmap *cmp = skp->smk_netlabel.attr.mls.cat;
609 char *cbp;
610 char sep = '/'; 712 char sep = '/';
611 int cat = 1;
612 int i; 713 int i;
613 unsigned char m;
614 714
615 if (scp == NULL) 715 /*
716 * Don't show a label that could not have been set using
717 * /smack/cipso. This is in support of the notion that
718 * anything read from /smack/cipso ought to be writeable
719 * to /smack/cipso.
720 *
721 * /smack/cipso2 should be used instead.
722 */
723 if (strlen(skp->smk_known) >= SMK_LABELLEN)
616 return 0; 724 return 0;
617 725
618 seq_printf(s, "%s %3d", (char *)&skp->smk_known, scp->smk_level); 726 seq_printf(s, "%s %3d", skp->smk_known, skp->smk_netlabel.attr.mls.lvl);
619 727
620 cbp = scp->smk_catset; 728 for (i = netlbl_secattr_catmap_walk(cmp, 0); i >= 0;
621 for (i = 0; i < SMK_LABELLEN; i++) 729 i = netlbl_secattr_catmap_walk(cmp, i + 1)) {
622 for (m = 0x80; m != 0; m >>= 1) { 730 seq_printf(s, "%c%d", sep, i);
623 if (m & cbp[i]) { 731 sep = ',';
624 seq_printf(s, "%c%d", sep, cat); 732 }
625 sep = ',';
626 }
627 cat++;
628 }
629 733
630 seq_putc(s, '\n'); 734 seq_putc(s, '\n');
631 735
@@ -653,23 +757,24 @@ static int smk_open_cipso(struct inode *inode, struct file *file)
653} 757}
654 758
655/** 759/**
656 * smk_write_cipso - write() for /smack/cipso 760 * smk_set_cipso - do the work for write() for cipso and cipso2
657 * @file: file pointer, not actually used 761 * @file: file pointer, not actually used
658 * @buf: where to get the data from 762 * @buf: where to get the data from
659 * @count: bytes sent 763 * @count: bytes sent
660 * @ppos: where to start 764 * @ppos: where to start
765 * @format: /smack/cipso or /smack/cipso2
661 * 766 *
662 * Accepts only one cipso rule per write call. 767 * Accepts only one cipso rule per write call.
663 * Returns number of bytes written or error code, as appropriate 768 * Returns number of bytes written or error code, as appropriate
664 */ 769 */
665static ssize_t smk_write_cipso(struct file *file, const char __user *buf, 770static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
666 size_t count, loff_t *ppos) 771 size_t count, loff_t *ppos, int format)
667{ 772{
668 struct smack_known *skp; 773 struct smack_known *skp;
669 struct smack_cipso *scp = NULL; 774 struct netlbl_lsm_secattr ncats;
670 char mapcatset[SMK_LABELLEN]; 775 char mapcatset[SMK_CIPSOLEN];
671 int maplevel; 776 int maplevel;
672 int cat; 777 unsigned int cat;
673 int catlen; 778 int catlen;
674 ssize_t rc = -EINVAL; 779 ssize_t rc = -EINVAL;
675 char *data = NULL; 780 char *data = NULL;
@@ -686,7 +791,8 @@ static ssize_t smk_write_cipso(struct file *file, const char __user *buf,
686 return -EPERM; 791 return -EPERM;
687 if (*ppos != 0) 792 if (*ppos != 0)
688 return -EINVAL; 793 return -EINVAL;
689 if (count < SMK_CIPSOMIN || count > SMK_CIPSOMAX) 794 if (format == SMK_FIXED24_FMT &&
795 (count < SMK_CIPSOMIN || count > SMK_CIPSOMAX))
690 return -EINVAL; 796 return -EINVAL;
691 797
692 data = kzalloc(count + 1, GFP_KERNEL); 798 data = kzalloc(count + 1, GFP_KERNEL);
@@ -698,11 +804,6 @@ static ssize_t smk_write_cipso(struct file *file, const char __user *buf,
698 goto unlockedout; 804 goto unlockedout;
699 } 805 }
700 806
701 /* labels cannot begin with a '-' */
702 if (data[0] == '-') {
703 rc = -EINVAL;
704 goto unlockedout;
705 }
706 data[count] = '\0'; 807 data[count] = '\0';
707 rule = data; 808 rule = data;
708 /* 809 /*
@@ -715,7 +816,11 @@ static ssize_t smk_write_cipso(struct file *file, const char __user *buf,
715 if (skp == NULL) 816 if (skp == NULL)
716 goto out; 817 goto out;
717 818
718 rule += SMK_LABELLEN; 819 if (format == SMK_FIXED24_FMT)
820 rule += SMK_LABELLEN;
821 else
822 rule += strlen(skp->smk_known);
823
719 ret = sscanf(rule, "%d", &maplevel); 824 ret = sscanf(rule, "%d", &maplevel);
720 if (ret != 1 || maplevel > SMACK_CIPSO_MAXLEVEL) 825 if (ret != 1 || maplevel > SMACK_CIPSO_MAXLEVEL)
721 goto out; 826 goto out;
@@ -725,41 +830,29 @@ static ssize_t smk_write_cipso(struct file *file, const char __user *buf,
725 if (ret != 1 || catlen > SMACK_CIPSO_MAXCATNUM) 830 if (ret != 1 || catlen > SMACK_CIPSO_MAXCATNUM)
726 goto out; 831 goto out;
727 832
728 if (count != (SMK_CIPSOMIN + catlen * SMK_DIGITLEN)) 833 if (format == SMK_FIXED24_FMT &&
834 count != (SMK_CIPSOMIN + catlen * SMK_DIGITLEN))
729 goto out; 835 goto out;
730 836
731 memset(mapcatset, 0, sizeof(mapcatset)); 837 memset(mapcatset, 0, sizeof(mapcatset));
732 838
733 for (i = 0; i < catlen; i++) { 839 for (i = 0; i < catlen; i++) {
734 rule += SMK_DIGITLEN; 840 rule += SMK_DIGITLEN;
735 ret = sscanf(rule, "%d", &cat); 841 ret = sscanf(rule, "%u", &cat);
736 if (ret != 1 || cat > SMACK_CIPSO_MAXCATVAL) 842 if (ret != 1 || cat > SMACK_CIPSO_MAXCATVAL)
737 goto out; 843 goto out;
738 844
739 smack_catset_bit(cat, mapcatset); 845 smack_catset_bit(cat, mapcatset);
740 } 846 }
741 847
742 if (skp->smk_cipso == NULL) { 848 rc = smk_netlbl_mls(maplevel, mapcatset, &ncats, SMK_CIPSOLEN);
743 scp = kzalloc(sizeof(struct smack_cipso), GFP_KERNEL); 849 if (rc >= 0) {
744 if (scp == NULL) { 850 netlbl_secattr_catmap_free(skp->smk_netlabel.attr.mls.cat);
745 rc = -ENOMEM; 851 skp->smk_netlabel.attr.mls.cat = ncats.attr.mls.cat;
746 goto out; 852 skp->smk_netlabel.attr.mls.lvl = ncats.attr.mls.lvl;
747 } 853 rc = count;
748 } 854 }
749 855
750 spin_lock_bh(&skp->smk_cipsolock);
751
752 if (scp == NULL)
753 scp = skp->smk_cipso;
754 else
755 skp->smk_cipso = scp;
756
757 scp->smk_level = maplevel;
758 memcpy(scp->smk_catset, mapcatset, sizeof(mapcatset));
759
760 spin_unlock_bh(&skp->smk_cipsolock);
761
762 rc = count;
763out: 856out:
764 mutex_unlock(&smack_cipso_lock); 857 mutex_unlock(&smack_cipso_lock);
765unlockedout: 858unlockedout:
@@ -767,6 +860,22 @@ unlockedout:
767 return rc; 860 return rc;
768} 861}
769 862
863/**
864 * smk_write_cipso - write() for /smack/cipso
865 * @file: file pointer, not actually used
866 * @buf: where to get the data from
867 * @count: bytes sent
868 * @ppos: where to start
869 *
870 * Accepts only one cipso rule per write call.
871 * Returns number of bytes written or error code, as appropriate
872 */
873static ssize_t smk_write_cipso(struct file *file, const char __user *buf,
874 size_t count, loff_t *ppos)
875{
876 return smk_set_cipso(file, buf, count, ppos, SMK_FIXED24_FMT);
877}
878
770static const struct file_operations smk_cipso_ops = { 879static const struct file_operations smk_cipso_ops = {
771 .open = smk_open_cipso, 880 .open = smk_open_cipso,
772 .read = seq_read, 881 .read = seq_read,
@@ -776,6 +885,80 @@ static const struct file_operations smk_cipso_ops = {
776}; 885};
777 886
778/* 887/*
888 * Seq_file read operations for /smack/cipso2
889 */
890
891/*
892 * Print cipso labels in format:
893 * label level[/cat[,cat]]
894 */
895static int cipso2_seq_show(struct seq_file *s, void *v)
896{
897 struct list_head *list = v;
898 struct smack_known *skp =
899 list_entry(list, struct smack_known, list);
900 struct netlbl_lsm_secattr_catmap *cmp = skp->smk_netlabel.attr.mls.cat;
901 char sep = '/';
902 int i;
903
904 seq_printf(s, "%s %3d", skp->smk_known, skp->smk_netlabel.attr.mls.lvl);
905
906 for (i = netlbl_secattr_catmap_walk(cmp, 0); i >= 0;
907 i = netlbl_secattr_catmap_walk(cmp, i + 1)) {
908 seq_printf(s, "%c%d", sep, i);
909 sep = ',';
910 }
911
912 seq_putc(s, '\n');
913
914 return 0;
915}
916
917static const struct seq_operations cipso2_seq_ops = {
918 .start = cipso_seq_start,
919 .next = cipso_seq_next,
920 .show = cipso2_seq_show,
921 .stop = smk_seq_stop,
922};
923
924/**
925 * smk_open_cipso2 - open() for /smack/cipso2
926 * @inode: inode structure representing file
927 * @file: "cipso2" file pointer
928 *
929 * Connect our cipso_seq_* operations with /smack/cipso2
930 * file_operations
931 */
932static int smk_open_cipso2(struct inode *inode, struct file *file)
933{
934 return seq_open(file, &cipso2_seq_ops);
935}
936
937/**
938 * smk_write_cipso2 - write() for /smack/cipso2
939 * @file: file pointer, not actually used
940 * @buf: where to get the data from
941 * @count: bytes sent
942 * @ppos: where to start
943 *
944 * Accepts only one cipso rule per write call.
945 * Returns number of bytes written or error code, as appropriate
946 */
947static ssize_t smk_write_cipso2(struct file *file, const char __user *buf,
948 size_t count, loff_t *ppos)
949{
950 return smk_set_cipso(file, buf, count, ppos, SMK_LONG_FMT);
951}
952
953static const struct file_operations smk_cipso2_ops = {
954 .open = smk_open_cipso2,
955 .read = seq_read,
956 .llseek = seq_lseek,
957 .write = smk_write_cipso2,
958 .release = seq_release,
959};
960
961/*
779 * Seq_file read operations for /smack/netlabel 962 * Seq_file read operations for /smack/netlabel
780 */ 963 */
781 964
@@ -887,9 +1070,9 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
887{ 1070{
888 struct smk_netlbladdr *skp; 1071 struct smk_netlbladdr *skp;
889 struct sockaddr_in newname; 1072 struct sockaddr_in newname;
890 char smack[SMK_LABELLEN]; 1073 char *smack;
891 char *sp; 1074 char *sp;
892 char data[SMK_NETLBLADDRMAX + 1]; 1075 char *data;
893 char *host = (char *)&newname.sin_addr.s_addr; 1076 char *host = (char *)&newname.sin_addr.s_addr;
894 int rc; 1077 int rc;
895 struct netlbl_audit audit_info; 1078 struct netlbl_audit audit_info;
@@ -911,10 +1094,23 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
911 return -EPERM; 1094 return -EPERM;
912 if (*ppos != 0) 1095 if (*ppos != 0)
913 return -EINVAL; 1096 return -EINVAL;
914 if (count < SMK_NETLBLADDRMIN || count > SMK_NETLBLADDRMAX) 1097 if (count < SMK_NETLBLADDRMIN)
915 return -EINVAL; 1098 return -EINVAL;
916 if (copy_from_user(data, buf, count) != 0) 1099
917 return -EFAULT; 1100 data = kzalloc(count + 1, GFP_KERNEL);
1101 if (data == NULL)
1102 return -ENOMEM;
1103
1104 if (copy_from_user(data, buf, count) != 0) {
1105 rc = -EFAULT;
1106 goto free_data_out;
1107 }
1108
1109 smack = kzalloc(count + 1, GFP_KERNEL);
1110 if (smack == NULL) {
1111 rc = -ENOMEM;
1112 goto free_data_out;
1113 }
918 1114
919 data[count] = '\0'; 1115 data[count] = '\0';
920 1116
@@ -923,24 +1119,34 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
923 if (rc != 6) { 1119 if (rc != 6) {
924 rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd %s", 1120 rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd %s",
925 &host[0], &host[1], &host[2], &host[3], smack); 1121 &host[0], &host[1], &host[2], &host[3], smack);
926 if (rc != 5) 1122 if (rc != 5) {
927 return -EINVAL; 1123 rc = -EINVAL;
1124 goto free_out;
1125 }
928 m = BEBITS; 1126 m = BEBITS;
929 } 1127 }
930 if (m > BEBITS) 1128 if (m > BEBITS) {
931 return -EINVAL; 1129 rc = -EINVAL;
1130 goto free_out;
1131 }
932 1132
933 /* if smack begins with '-', its an option, don't import it */ 1133 /*
1134 * If smack begins with '-', it is an option, don't import it
1135 */
934 if (smack[0] != '-') { 1136 if (smack[0] != '-') {
935 sp = smk_import(smack, 0); 1137 sp = smk_import(smack, 0);
936 if (sp == NULL) 1138 if (sp == NULL) {
937 return -EINVAL; 1139 rc = -EINVAL;
1140 goto free_out;
1141 }
938 } else { 1142 } else {
939 /* check known options */ 1143 /* check known options */
940 if (strcmp(smack, smack_cipso_option) == 0) 1144 if (strcmp(smack, smack_cipso_option) == 0)
941 sp = (char *)smack_cipso_option; 1145 sp = (char *)smack_cipso_option;
942 else 1146 else {
943 return -EINVAL; 1147 rc = -EINVAL;
1148 goto free_out;
1149 }
944 } 1150 }
945 1151
946 for (temp_mask = 0; m > 0; m--) { 1152 for (temp_mask = 0; m > 0; m--) {
@@ -1006,6 +1212,11 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
1006 1212
1007 mutex_unlock(&smk_netlbladdr_lock); 1213 mutex_unlock(&smk_netlbladdr_lock);
1008 1214
1215free_out:
1216 kfree(smack);
1217free_data_out:
1218 kfree(data);
1219
1009 return rc; 1220 return rc;
1010} 1221}
1011 1222
@@ -1119,6 +1330,7 @@ static ssize_t smk_read_direct(struct file *filp, char __user *buf,
1119static ssize_t smk_write_direct(struct file *file, const char __user *buf, 1330static ssize_t smk_write_direct(struct file *file, const char __user *buf,
1120 size_t count, loff_t *ppos) 1331 size_t count, loff_t *ppos)
1121{ 1332{
1333 struct smack_known *skp;
1122 char temp[80]; 1334 char temp[80];
1123 int i; 1335 int i;
1124 1336
@@ -1136,7 +1348,20 @@ static ssize_t smk_write_direct(struct file *file, const char __user *buf,
1136 if (sscanf(temp, "%d", &i) != 1) 1348 if (sscanf(temp, "%d", &i) != 1)
1137 return -EINVAL; 1349 return -EINVAL;
1138 1350
1139 smack_cipso_direct = i; 1351 /*
1352 * Don't do anything if the value hasn't actually changed.
1353 * If it is changing reset the level on entries that were
1354 * set up to be direct when they were created.
1355 */
1356 if (smack_cipso_direct != i) {
1357 mutex_lock(&smack_known_lock);
1358 list_for_each_entry_rcu(skp, &smack_known_list, list)
1359 if (skp->smk_netlabel.attr.mls.lvl ==
1360 smack_cipso_direct)
1361 skp->smk_netlabel.attr.mls.lvl = i;
1362 smack_cipso_direct = i;
1363 mutex_unlock(&smack_known_lock);
1364 }
1140 1365
1141 return count; 1366 return count;
1142} 1367}
@@ -1148,6 +1373,84 @@ static const struct file_operations smk_direct_ops = {
1148}; 1373};
1149 1374
1150/** 1375/**
1376 * smk_read_mapped - read() for /smack/mapped
1377 * @filp: file pointer, not actually used
1378 * @buf: where to put the result
1379 * @count: maximum to send along
1380 * @ppos: where to start
1381 *
1382 * Returns number of bytes read or error code, as appropriate
1383 */
1384static ssize_t smk_read_mapped(struct file *filp, char __user *buf,
1385 size_t count, loff_t *ppos)
1386{
1387 char temp[80];
1388 ssize_t rc;
1389
1390 if (*ppos != 0)
1391 return 0;
1392
1393 sprintf(temp, "%d", smack_cipso_mapped);
1394 rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
1395
1396 return rc;
1397}
1398
1399/**
1400 * smk_write_mapped - write() for /smack/mapped
1401 * @file: file pointer, not actually used
1402 * @buf: where to get the data from
1403 * @count: bytes sent
1404 * @ppos: where to start
1405 *
1406 * Returns number of bytes written or error code, as appropriate
1407 */
1408static ssize_t smk_write_mapped(struct file *file, const char __user *buf,
1409 size_t count, loff_t *ppos)
1410{
1411 struct smack_known *skp;
1412 char temp[80];
1413 int i;
1414
1415 if (!capable(CAP_MAC_ADMIN))
1416 return -EPERM;
1417
1418 if (count >= sizeof(temp) || count == 0)
1419 return -EINVAL;
1420
1421 if (copy_from_user(temp, buf, count) != 0)
1422 return -EFAULT;
1423
1424 temp[count] = '\0';
1425
1426 if (sscanf(temp, "%d", &i) != 1)
1427 return -EINVAL;
1428
1429 /*
1430 * Don't do anything if the value hasn't actually changed.
1431 * If it is changing reset the level on entries that were
1432 * set up to be mapped when they were created.
1433 */
1434 if (smack_cipso_mapped != i) {
1435 mutex_lock(&smack_known_lock);
1436 list_for_each_entry_rcu(skp, &smack_known_list, list)
1437 if (skp->smk_netlabel.attr.mls.lvl ==
1438 smack_cipso_mapped)
1439 skp->smk_netlabel.attr.mls.lvl = i;
1440 smack_cipso_mapped = i;
1441 mutex_unlock(&smack_known_lock);
1442 }
1443
1444 return count;
1445}
1446
1447static const struct file_operations smk_mapped_ops = {
1448 .read = smk_read_mapped,
1449 .write = smk_write_mapped,
1450 .llseek = default_llseek,
1451};
1452
1453/**
1151 * smk_read_ambient - read() for /smack/ambient 1454 * smk_read_ambient - read() for /smack/ambient
1152 * @filp: file pointer, not actually used 1455 * @filp: file pointer, not actually used
1153 * @buf: where to put the result 1456 * @buf: where to put the result
@@ -1195,22 +1498,28 @@ static ssize_t smk_read_ambient(struct file *filp, char __user *buf,
1195static ssize_t smk_write_ambient(struct file *file, const char __user *buf, 1498static ssize_t smk_write_ambient(struct file *file, const char __user *buf,
1196 size_t count, loff_t *ppos) 1499 size_t count, loff_t *ppos)
1197{ 1500{
1198 char in[SMK_LABELLEN];
1199 char *oldambient; 1501 char *oldambient;
1200 char *smack; 1502 char *smack = NULL;
1503 char *data;
1504 int rc = count;
1201 1505
1202 if (!capable(CAP_MAC_ADMIN)) 1506 if (!capable(CAP_MAC_ADMIN))
1203 return -EPERM; 1507 return -EPERM;
1204 1508
1205 if (count >= SMK_LABELLEN) 1509 data = kzalloc(count + 1, GFP_KERNEL);
1206 return -EINVAL; 1510 if (data == NULL)
1511 return -ENOMEM;
1207 1512
1208 if (copy_from_user(in, buf, count) != 0) 1513 if (copy_from_user(data, buf, count) != 0) {
1209 return -EFAULT; 1514 rc = -EFAULT;
1515 goto out;
1516 }
1210 1517
1211 smack = smk_import(in, count); 1518 smack = smk_import(data, count);
1212 if (smack == NULL) 1519 if (smack == NULL) {
1213 return -EINVAL; 1520 rc = -EINVAL;
1521 goto out;
1522 }
1214 1523
1215 mutex_lock(&smack_ambient_lock); 1524 mutex_lock(&smack_ambient_lock);
1216 1525
@@ -1220,7 +1529,9 @@ static ssize_t smk_write_ambient(struct file *file, const char __user *buf,
1220 1529
1221 mutex_unlock(&smack_ambient_lock); 1530 mutex_unlock(&smack_ambient_lock);
1222 1531
1223 return count; 1532out:
1533 kfree(data);
1534 return rc;
1224} 1535}
1225 1536
1226static const struct file_operations smk_ambient_ops = { 1537static const struct file_operations smk_ambient_ops = {
@@ -1271,8 +1582,9 @@ static ssize_t smk_read_onlycap(struct file *filp, char __user *buf,
1271static ssize_t smk_write_onlycap(struct file *file, const char __user *buf, 1582static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
1272 size_t count, loff_t *ppos) 1583 size_t count, loff_t *ppos)
1273{ 1584{
1274 char in[SMK_LABELLEN]; 1585 char *data;
1275 char *sp = smk_of_task(current->cred->security); 1586 char *sp = smk_of_task(current->cred->security);
1587 int rc = count;
1276 1588
1277 if (!capable(CAP_MAC_ADMIN)) 1589 if (!capable(CAP_MAC_ADMIN))
1278 return -EPERM; 1590 return -EPERM;
@@ -1285,11 +1597,9 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
1285 if (smack_onlycap != NULL && smack_onlycap != sp) 1597 if (smack_onlycap != NULL && smack_onlycap != sp)
1286 return -EPERM; 1598 return -EPERM;
1287 1599
1288 if (count >= SMK_LABELLEN) 1600 data = kzalloc(count, GFP_KERNEL);
1289 return -EINVAL; 1601 if (data == NULL)
1290 1602 return -ENOMEM;
1291 if (copy_from_user(in, buf, count) != 0)
1292 return -EFAULT;
1293 1603
1294 /* 1604 /*
1295 * Should the null string be passed in unset the onlycap value. 1605 * Should the null string be passed in unset the onlycap value.
@@ -1297,10 +1607,17 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
1297 * smk_import only expects to return NULL for errors. It 1607 * smk_import only expects to return NULL for errors. It
1298 * is usually the case that a nullstring or "\n" would be 1608 * is usually the case that a nullstring or "\n" would be
1299 * bad to pass to smk_import but in fact this is useful here. 1609 * bad to pass to smk_import but in fact this is useful here.
1610 *
1611 * smk_import will also reject a label beginning with '-',
1612 * so "-usecapabilities" will also work.
1300 */ 1613 */
1301 smack_onlycap = smk_import(in, count); 1614 if (copy_from_user(data, buf, count) != 0)
1615 rc = -EFAULT;
1616 else
1617 smack_onlycap = smk_import(data, count);
1302 1618
1303 return count; 1619 kfree(data);
1620 return rc;
1304} 1621}
1305 1622
1306static const struct file_operations smk_onlycap_ops = { 1623static const struct file_operations smk_onlycap_ops = {
@@ -1398,25 +1715,7 @@ static int load_self_seq_show(struct seq_file *s, void *v)
1398 struct smack_rule *srp = 1715 struct smack_rule *srp =
1399 list_entry(list, struct smack_rule, list); 1716 list_entry(list, struct smack_rule, list);
1400 1717
1401 seq_printf(s, "%s %s", (char *)srp->smk_subject, 1718 smk_rule_show(s, srp, SMK_LABELLEN);
1402 (char *)srp->smk_object);
1403
1404 seq_putc(s, ' ');
1405
1406 if (srp->smk_access & MAY_READ)
1407 seq_putc(s, 'r');
1408 if (srp->smk_access & MAY_WRITE)
1409 seq_putc(s, 'w');
1410 if (srp->smk_access & MAY_EXEC)
1411 seq_putc(s, 'x');
1412 if (srp->smk_access & MAY_APPEND)
1413 seq_putc(s, 'a');
1414 if (srp->smk_access & MAY_TRANSMUTE)
1415 seq_putc(s, 't');
1416 if (srp->smk_access == 0)
1417 seq_putc(s, '-');
1418
1419 seq_putc(s, '\n');
1420 1719
1421 return 0; 1720 return 0;
1422} 1721}
@@ -1430,7 +1729,7 @@ static const struct seq_operations load_self_seq_ops = {
1430 1729
1431 1730
1432/** 1731/**
1433 * smk_open_load_self - open() for /smack/load-self 1732 * smk_open_load_self - open() for /smack/load-self2
1434 * @inode: inode structure representing file 1733 * @inode: inode structure representing file
1435 * @file: "load" file pointer 1734 * @file: "load" file pointer
1436 * 1735 *
@@ -1454,8 +1753,8 @@ static ssize_t smk_write_load_self(struct file *file, const char __user *buf,
1454{ 1753{
1455 struct task_smack *tsp = current_security(); 1754 struct task_smack *tsp = current_security();
1456 1755
1457 return smk_write_load_list(file, buf, count, ppos, &tsp->smk_rules, 1756 return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules,
1458 &tsp->smk_rules_lock); 1757 &tsp->smk_rules_lock, SMK_FIXED24_FMT);
1459} 1758}
1460 1759
1461static const struct file_operations smk_load_self_ops = { 1760static const struct file_operations smk_load_self_ops = {
@@ -1467,24 +1766,42 @@ static const struct file_operations smk_load_self_ops = {
1467}; 1766};
1468 1767
1469/** 1768/**
1470 * smk_write_access - handle access check transaction 1769 * smk_user_access - handle access check transaction
1471 * @file: file pointer 1770 * @file: file pointer
1472 * @buf: data from user space 1771 * @buf: data from user space
1473 * @count: bytes sent 1772 * @count: bytes sent
1474 * @ppos: where to start - must be 0 1773 * @ppos: where to start - must be 0
1475 */ 1774 */
1476static ssize_t smk_write_access(struct file *file, const char __user *buf, 1775static ssize_t smk_user_access(struct file *file, const char __user *buf,
1477 size_t count, loff_t *ppos) 1776 size_t count, loff_t *ppos, int format)
1478{ 1777{
1479 struct smack_rule rule; 1778 struct smack_rule rule;
1480 char *data; 1779 char *data;
1780 char *cod;
1481 int res; 1781 int res;
1482 1782
1483 data = simple_transaction_get(file, buf, count); 1783 data = simple_transaction_get(file, buf, count);
1484 if (IS_ERR(data)) 1784 if (IS_ERR(data))
1485 return PTR_ERR(data); 1785 return PTR_ERR(data);
1486 1786
1487 if (count < SMK_LOADLEN || smk_parse_rule(data, &rule, 0)) 1787 if (format == SMK_FIXED24_FMT) {
1788 if (count < SMK_LOADLEN)
1789 return -EINVAL;
1790 res = smk_parse_rule(data, &rule, 0);
1791 } else {
1792 /*
1793 * Copy the data to make sure the string is terminated.
1794 */
1795 cod = kzalloc(count + 1, GFP_KERNEL);
1796 if (cod == NULL)
1797 return -ENOMEM;
1798 memcpy(cod, data, count);
1799 cod[count] = '\0';
1800 res = smk_parse_long_rule(cod, &rule, 0);
1801 kfree(cod);
1802 }
1803
1804 if (res)
1488 return -EINVAL; 1805 return -EINVAL;
1489 1806
1490 res = smk_access(rule.smk_subject, rule.smk_object, rule.smk_access, 1807 res = smk_access(rule.smk_subject, rule.smk_object, rule.smk_access,
@@ -1493,7 +1810,23 @@ static ssize_t smk_write_access(struct file *file, const char __user *buf,
1493 data[1] = '\0'; 1810 data[1] = '\0';
1494 1811
1495 simple_transaction_set(file, 2); 1812 simple_transaction_set(file, 2);
1496 return SMK_LOADLEN; 1813
1814 if (format == SMK_FIXED24_FMT)
1815 return SMK_LOADLEN;
1816 return count;
1817}
1818
1819/**
1820 * smk_write_access - handle access check transaction
1821 * @file: file pointer
1822 * @buf: data from user space
1823 * @count: bytes sent
1824 * @ppos: where to start - must be 0
1825 */
1826static ssize_t smk_write_access(struct file *file, const char __user *buf,
1827 size_t count, loff_t *ppos)
1828{
1829 return smk_user_access(file, buf, count, ppos, SMK_FIXED24_FMT);
1497} 1830}
1498 1831
1499static const struct file_operations smk_access_ops = { 1832static const struct file_operations smk_access_ops = {
@@ -1503,6 +1836,163 @@ static const struct file_operations smk_access_ops = {
1503 .llseek = generic_file_llseek, 1836 .llseek = generic_file_llseek,
1504}; 1837};
1505 1838
1839
1840/*
1841 * Seq_file read operations for /smack/load2
1842 */
1843
1844static int load2_seq_show(struct seq_file *s, void *v)
1845{
1846 struct list_head *list = v;
1847 struct smack_master_list *smlp =
1848 list_entry(list, struct smack_master_list, list);
1849
1850 smk_rule_show(s, smlp->smk_rule, SMK_LONGLABEL);
1851
1852 return 0;
1853}
1854
1855static const struct seq_operations load2_seq_ops = {
1856 .start = load2_seq_start,
1857 .next = load2_seq_next,
1858 .show = load2_seq_show,
1859 .stop = smk_seq_stop,
1860};
1861
1862/**
1863 * smk_open_load2 - open() for /smack/load2
1864 * @inode: inode structure representing file
1865 * @file: "load2" file pointer
1866 *
1867 * For reading, use load2_seq_* seq_file reading operations.
1868 */
1869static int smk_open_load2(struct inode *inode, struct file *file)
1870{
1871 return seq_open(file, &load2_seq_ops);
1872}
1873
1874/**
1875 * smk_write_load2 - write() for /smack/load2
1876 * @file: file pointer, not actually used
1877 * @buf: where to get the data from
1878 * @count: bytes sent
1879 * @ppos: where to start - must be 0
1880 *
1881 */
1882static ssize_t smk_write_load2(struct file *file, const char __user *buf,
1883 size_t count, loff_t *ppos)
1884{
1885 /*
1886 * Must have privilege.
1887 */
1888 if (!capable(CAP_MAC_ADMIN))
1889 return -EPERM;
1890
1891 return smk_write_rules_list(file, buf, count, ppos, NULL, NULL,
1892 SMK_LONG_FMT);
1893}
1894
1895static const struct file_operations smk_load2_ops = {
1896 .open = smk_open_load2,
1897 .read = seq_read,
1898 .llseek = seq_lseek,
1899 .write = smk_write_load2,
1900 .release = seq_release,
1901};
1902
1903/*
1904 * Seq_file read operations for /smack/load-self2
1905 */
1906
1907static void *load_self2_seq_start(struct seq_file *s, loff_t *pos)
1908{
1909 struct task_smack *tsp = current_security();
1910
1911 return smk_seq_start(s, pos, &tsp->smk_rules);
1912}
1913
1914static void *load_self2_seq_next(struct seq_file *s, void *v, loff_t *pos)
1915{
1916 struct task_smack *tsp = current_security();
1917
1918 return smk_seq_next(s, v, pos, &tsp->smk_rules);
1919}
1920
1921static int load_self2_seq_show(struct seq_file *s, void *v)
1922{
1923 struct list_head *list = v;
1924 struct smack_rule *srp =
1925 list_entry(list, struct smack_rule, list);
1926
1927 smk_rule_show(s, srp, SMK_LONGLABEL);
1928
1929 return 0;
1930}
1931
1932static const struct seq_operations load_self2_seq_ops = {
1933 .start = load_self2_seq_start,
1934 .next = load_self2_seq_next,
1935 .show = load_self2_seq_show,
1936 .stop = smk_seq_stop,
1937};
1938
1939/**
1940 * smk_open_load_self2 - open() for /smack/load-self2
1941 * @inode: inode structure representing file
1942 * @file: "load" file pointer
1943 *
1944 * For reading, use load_seq_* seq_file reading operations.
1945 */
1946static int smk_open_load_self2(struct inode *inode, struct file *file)
1947{
1948 return seq_open(file, &load_self2_seq_ops);
1949}
1950
1951/**
1952 * smk_write_load_self2 - write() for /smack/load-self2
1953 * @file: file pointer, not actually used
1954 * @buf: where to get the data from
1955 * @count: bytes sent
1956 * @ppos: where to start - must be 0
1957 *
1958 */
1959static ssize_t smk_write_load_self2(struct file *file, const char __user *buf,
1960 size_t count, loff_t *ppos)
1961{
1962 struct task_smack *tsp = current_security();
1963
1964 return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules,
1965 &tsp->smk_rules_lock, SMK_LONG_FMT);
1966}
1967
1968static const struct file_operations smk_load_self2_ops = {
1969 .open = smk_open_load_self2,
1970 .read = seq_read,
1971 .llseek = seq_lseek,
1972 .write = smk_write_load_self2,
1973 .release = seq_release,
1974};
1975
1976/**
1977 * smk_write_access2 - handle access check transaction
1978 * @file: file pointer
1979 * @buf: data from user space
1980 * @count: bytes sent
1981 * @ppos: where to start - must be 0
1982 */
1983static ssize_t smk_write_access2(struct file *file, const char __user *buf,
1984 size_t count, loff_t *ppos)
1985{
1986 return smk_user_access(file, buf, count, ppos, SMK_LONG_FMT);
1987}
1988
1989static const struct file_operations smk_access2_ops = {
1990 .write = smk_write_access2,
1991 .read = simple_transaction_read,
1992 .release = simple_transaction_release,
1993 .llseek = generic_file_llseek,
1994};
1995
1506/** 1996/**
1507 * smk_fill_super - fill the /smackfs superblock 1997 * smk_fill_super - fill the /smackfs superblock
1508 * @sb: the empty superblock 1998 * @sb: the empty superblock
@@ -1539,6 +2029,16 @@ static int smk_fill_super(struct super_block *sb, void *data, int silent)
1539 "load-self", &smk_load_self_ops, S_IRUGO|S_IWUGO}, 2029 "load-self", &smk_load_self_ops, S_IRUGO|S_IWUGO},
1540 [SMK_ACCESSES] = { 2030 [SMK_ACCESSES] = {
1541 "access", &smk_access_ops, S_IRUGO|S_IWUGO}, 2031 "access", &smk_access_ops, S_IRUGO|S_IWUGO},
2032 [SMK_MAPPED] = {
2033 "mapped", &smk_mapped_ops, S_IRUGO|S_IWUSR},
2034 [SMK_LOAD2] = {
2035 "load2", &smk_load2_ops, S_IRUGO|S_IWUSR},
2036 [SMK_LOAD_SELF2] = {
2037 "load-self2", &smk_load_self2_ops, S_IRUGO|S_IWUGO},
2038 [SMK_ACCESS2] = {
2039 "access2", &smk_access2_ops, S_IRUGO|S_IWUGO},
2040 [SMK_CIPSO2] = {
2041 "cipso2", &smk_cipso2_ops, S_IRUGO|S_IWUSR},
1542 /* last one */ 2042 /* last one */
1543 {""} 2043 {""}
1544 }; 2044 };
@@ -1581,6 +2081,15 @@ static struct file_system_type smk_fs_type = {
1581 2081
1582static struct vfsmount *smackfs_mount; 2082static struct vfsmount *smackfs_mount;
1583 2083
2084static int __init smk_preset_netlabel(struct smack_known *skp)
2085{
2086 skp->smk_netlabel.domain = skp->smk_known;
2087 skp->smk_netlabel.flags =
2088 NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL;
2089 return smk_netlbl_mls(smack_cipso_direct, skp->smk_known,
2090 &skp->smk_netlabel, strlen(skp->smk_known));
2091}
2092
1584/** 2093/**
1585 * init_smk_fs - get the smackfs superblock 2094 * init_smk_fs - get the smackfs superblock
1586 * 2095 *
@@ -1597,6 +2106,7 @@ static struct vfsmount *smackfs_mount;
1597static int __init init_smk_fs(void) 2106static int __init init_smk_fs(void)
1598{ 2107{
1599 int err; 2108 int err;
2109 int rc;
1600 2110
1601 if (!security_module_enable(&smack_ops)) 2111 if (!security_module_enable(&smack_ops))
1602 return 0; 2112 return 0;
@@ -1614,6 +2124,25 @@ static int __init init_smk_fs(void)
1614 smk_cipso_doi(); 2124 smk_cipso_doi();
1615 smk_unlbl_ambient(NULL); 2125 smk_unlbl_ambient(NULL);
1616 2126
2127 rc = smk_preset_netlabel(&smack_known_floor);
2128 if (err == 0 && rc < 0)
2129 err = rc;
2130 rc = smk_preset_netlabel(&smack_known_hat);
2131 if (err == 0 && rc < 0)
2132 err = rc;
2133 rc = smk_preset_netlabel(&smack_known_huh);
2134 if (err == 0 && rc < 0)
2135 err = rc;
2136 rc = smk_preset_netlabel(&smack_known_invalid);
2137 if (err == 0 && rc < 0)
2138 err = rc;
2139 rc = smk_preset_netlabel(&smack_known_star);
2140 if (err == 0 && rc < 0)
2141 err = rc;
2142 rc = smk_preset_netlabel(&smack_known_web);
2143 if (err == 0 && rc < 0)
2144 err = rc;
2145
1617 return err; 2146 return err;
1618} 2147}
1619 2148
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 8656b16eef7b..2e0f12c62938 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -850,14 +850,9 @@ static int tomoyo_update_manager_entry(const char *manager,
850 policy_list[TOMOYO_ID_MANAGER], 850 policy_list[TOMOYO_ID_MANAGER],
851 }; 851 };
852 int error = is_delete ? -ENOENT : -ENOMEM; 852 int error = is_delete ? -ENOENT : -ENOMEM;
853 if (tomoyo_domain_def(manager)) { 853 if (!tomoyo_correct_domain(manager) &&
854 if (!tomoyo_correct_domain(manager)) 854 !tomoyo_correct_word(manager))
855 return -EINVAL; 855 return -EINVAL;
856 e.is_domain = true;
857 } else {
858 if (!tomoyo_correct_path(manager))
859 return -EINVAL;
860 }
861 e.manager = tomoyo_get_name(manager); 856 e.manager = tomoyo_get_name(manager);
862 if (e.manager) { 857 if (e.manager) {
863 error = tomoyo_update_policy(&e.head, sizeof(e), &param, 858 error = tomoyo_update_policy(&e.head, sizeof(e), &param,
@@ -932,23 +927,14 @@ static bool tomoyo_manager(void)
932 return true; 927 return true;
933 if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid)) 928 if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid))
934 return false; 929 return false;
935 list_for_each_entry_rcu(ptr, &tomoyo_kernel_namespace.
936 policy_list[TOMOYO_ID_MANAGER], head.list) {
937 if (!ptr->head.is_deleted && ptr->is_domain
938 && !tomoyo_pathcmp(domainname, ptr->manager)) {
939 found = true;
940 break;
941 }
942 }
943 if (found)
944 return true;
945 exe = tomoyo_get_exe(); 930 exe = tomoyo_get_exe();
946 if (!exe) 931 if (!exe)
947 return false; 932 return false;
948 list_for_each_entry_rcu(ptr, &tomoyo_kernel_namespace. 933 list_for_each_entry_rcu(ptr, &tomoyo_kernel_namespace.
949 policy_list[TOMOYO_ID_MANAGER], head.list) { 934 policy_list[TOMOYO_ID_MANAGER], head.list) {
950 if (!ptr->head.is_deleted && !ptr->is_domain 935 if (!ptr->head.is_deleted &&
951 && !strcmp(exe, ptr->manager->name)) { 936 (!tomoyo_pathcmp(domainname, ptr->manager) ||
937 !strcmp(exe, ptr->manager->name))) {
952 found = true; 938 found = true;
953 break; 939 break;
954 } 940 }
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index 30fd98369700..75e4dc1c02a0 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -860,7 +860,6 @@ struct tomoyo_aggregator {
860/* Structure for policy manager. */ 860/* Structure for policy manager. */
861struct tomoyo_manager { 861struct tomoyo_manager {
862 struct tomoyo_acl_head head; 862 struct tomoyo_acl_head head;
863 bool is_domain; /* True if manager is a domainname. */
864 /* A path to program or a domainname. */ 863 /* A path to program or a domainname. */
865 const struct tomoyo_path_info *manager; 864 const struct tomoyo_path_info *manager;
866}; 865};
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index 620d37c159a3..c2d04a50f76a 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -319,14 +319,14 @@ static int tomoyo_file_fcntl(struct file *file, unsigned int cmd,
319} 319}
320 320
321/** 321/**
322 * tomoyo_dentry_open - Target for security_dentry_open(). 322 * tomoyo_file_open - Target for security_file_open().
323 * 323 *
324 * @f: Pointer to "struct file". 324 * @f: Pointer to "struct file".
325 * @cred: Pointer to "struct cred". 325 * @cred: Pointer to "struct cred".
326 * 326 *
327 * Returns 0 on success, negative value otherwise. 327 * Returns 0 on success, negative value otherwise.
328 */ 328 */
329static int tomoyo_dentry_open(struct file *f, const struct cred *cred) 329static int tomoyo_file_open(struct file *f, const struct cred *cred)
330{ 330{
331 int flags = f->f_flags; 331 int flags = f->f_flags;
332 /* Don't check read permission here if called from do_execve(). */ 332 /* Don't check read permission here if called from do_execve(). */
@@ -510,7 +510,7 @@ static struct security_operations tomoyo_security_ops = {
510 .bprm_set_creds = tomoyo_bprm_set_creds, 510 .bprm_set_creds = tomoyo_bprm_set_creds,
511 .bprm_check_security = tomoyo_bprm_check_security, 511 .bprm_check_security = tomoyo_bprm_check_security,
512 .file_fcntl = tomoyo_file_fcntl, 512 .file_fcntl = tomoyo_file_fcntl,
513 .dentry_open = tomoyo_dentry_open, 513 .file_open = tomoyo_file_open,
514 .path_truncate = tomoyo_path_truncate, 514 .path_truncate = tomoyo_path_truncate,
515 .path_unlink = tomoyo_path_unlink, 515 .path_unlink = tomoyo_path_unlink,
516 .path_mkdir = tomoyo_path_mkdir, 516 .path_mkdir = tomoyo_path_mkdir,
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
index 573723843a04..83554ee8a587 100644
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -18,7 +18,12 @@
18#include <linux/prctl.h> 18#include <linux/prctl.h>
19#include <linux/ratelimit.h> 19#include <linux/ratelimit.h>
20 20
21static int ptrace_scope = 1; 21#define YAMA_SCOPE_DISABLED 0
22#define YAMA_SCOPE_RELATIONAL 1
23#define YAMA_SCOPE_CAPABILITY 2
24#define YAMA_SCOPE_NO_ATTACH 3
25
26static int ptrace_scope = YAMA_SCOPE_RELATIONAL;
22 27
23/* describe a ptrace relationship for potential exception */ 28/* describe a ptrace relationship for potential exception */
24struct ptrace_relation { 29struct ptrace_relation {
@@ -251,17 +256,32 @@ static int yama_ptrace_access_check(struct task_struct *child,
251 return rc; 256 return rc;
252 257
253 /* require ptrace target be a child of ptracer on attach */ 258 /* require ptrace target be a child of ptracer on attach */
254 if (mode == PTRACE_MODE_ATTACH && 259 if (mode == PTRACE_MODE_ATTACH) {
255 ptrace_scope && 260 switch (ptrace_scope) {
256 !task_is_descendant(current, child) && 261 case YAMA_SCOPE_DISABLED:
257 !ptracer_exception_found(current, child) && 262 /* No additional restrictions. */
258 !capable(CAP_SYS_PTRACE)) 263 break;
259 rc = -EPERM; 264 case YAMA_SCOPE_RELATIONAL:
265 if (!task_is_descendant(current, child) &&
266 !ptracer_exception_found(current, child) &&
267 !ns_capable(task_user_ns(child), CAP_SYS_PTRACE))
268 rc = -EPERM;
269 break;
270 case YAMA_SCOPE_CAPABILITY:
271 if (!ns_capable(task_user_ns(child), CAP_SYS_PTRACE))
272 rc = -EPERM;
273 break;
274 case YAMA_SCOPE_NO_ATTACH:
275 default:
276 rc = -EPERM;
277 break;
278 }
279 }
260 280
261 if (rc) { 281 if (rc) {
262 char name[sizeof(current->comm)]; 282 char name[sizeof(current->comm)];
263 printk_ratelimited(KERN_NOTICE "ptrace of non-child" 283 printk_ratelimited(KERN_NOTICE
264 " pid %d was attempted by: %s (pid %d)\n", 284 "ptrace of pid %d was attempted by: %s (pid %d)\n",
265 child->pid, 285 child->pid,
266 get_task_comm(name, current), 286 get_task_comm(name, current),
267 current->pid); 287 current->pid);
@@ -279,8 +299,27 @@ static struct security_operations yama_ops = {
279}; 299};
280 300
281#ifdef CONFIG_SYSCTL 301#ifdef CONFIG_SYSCTL
302static int yama_dointvec_minmax(struct ctl_table *table, int write,
303 void __user *buffer, size_t *lenp, loff_t *ppos)
304{
305 int rc;
306
307 if (write && !capable(CAP_SYS_PTRACE))
308 return -EPERM;
309
310 rc = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
311 if (rc)
312 return rc;
313
314 /* Lock the max value if it ever gets set. */
315 if (write && *(int *)table->data == *(int *)table->extra2)
316 table->extra1 = table->extra2;
317
318 return rc;
319}
320
282static int zero; 321static int zero;
283static int one = 1; 322static int max_scope = YAMA_SCOPE_NO_ATTACH;
284 323
285struct ctl_path yama_sysctl_path[] = { 324struct ctl_path yama_sysctl_path[] = {
286 { .procname = "kernel", }, 325 { .procname = "kernel", },
@@ -294,9 +333,9 @@ static struct ctl_table yama_sysctl_table[] = {
294 .data = &ptrace_scope, 333 .data = &ptrace_scope,
295 .maxlen = sizeof(int), 334 .maxlen = sizeof(int),
296 .mode = 0644, 335 .mode = 0644,
297 .proc_handler = proc_dointvec_minmax, 336 .proc_handler = yama_dointvec_minmax,
298 .extra1 = &zero, 337 .extra1 = &zero,
299 .extra2 = &one, 338 .extra2 = &max_scope,
300 }, 339 },
301 { } 340 { }
302}; 341};