Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull security subsystem updates from James Morris:
 "Highlights:

   - Integrity: add local fs integrity verification to detect offline
     attacks
   - Integrity: add digital signature verification
   - Simple stacking of Yama with other LSMs (per LSS discussions)
   - IBM vTPM support on ppc64
   - Add new driver for Infineon I2C TIS TPM
   - Smack: add rule revocation for subject labels"

Fixed conflicts with the user namespace support in kernel/auditsc.c and
security/integrity/ima/ima_policy.c.

* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (39 commits)
  Documentation: Update git repository URL for Smack userland tools
  ima: change flags container data type
  Smack: setprocattr memory leak fix
  Smack: implement revoking all rules for a subject label
  Smack: remove task_wait() hook.
  ima: audit log hashes
  ima: generic IMA action flag handling
  ima: rename ima_must_appraise_or_measure
  audit: export audit_log_task_info
  tpm: fix tpm_acpi sparse warning on different address spaces
  samples/seccomp: fix 31 bit build on s390
  ima: digital signature verification support
  ima: add support for different security.ima data types
  ima: add ima_inode_setxattr/removexattr function and calls
  ima: add inode_post_setattr call
  ima: replace iint spinblock with rwlock/read_lock
  ima: allocating iint improvements
  ima: add appraise action keywords and default rules
  ima: integrity appraisal extension
  vfs: move ima_file_free before releasing the file
  ...

17 files changed, 793 insertions, 228 deletions

diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 8901501425f4..eb5484504f50 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -34,6 +34,9 @@ char *evm_config_xattrnames[] = {
 #ifdef CONFIG_SECURITY_SMACK
         XATTR_NAME_SMACK,
 #endif
+#ifdef CONFIG_IMA_APPRAISE
+        XATTR_NAME_IMA,
+#endif
         XATTR_NAME_CAPS,
         NULL
 };
diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index 399641c3e846..d82a5a13d855 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -22,7 +22,7 @@
 #include "integrity.h"
 
 static struct rb_root integrity_iint_tree = RB_ROOT;
-static DEFINE_SPINLOCK(integrity_iint_lock);
+static DEFINE_RWLOCK(integrity_iint_lock);
 static struct kmem_cache *iint_cache __read_mostly;
 
 int iint_initialized;
@@ -35,8 +35,6 @@ static struct integrity_iint_cache *__integrity_iint_find(struct inode *inode)
         struct integrity_iint_cache *iint;
         struct rb_node *n = integrity_iint_tree.rb_node;
 
-        assert_spin_locked(&integrity_iint_lock);
-
         while (n) {
                 iint = rb_entry(n, struct integrity_iint_cache, rb_node);
 
@@ -63,9 +61,9 @@ struct integrity_iint_cache *integrity_iint_find(struct inode *inode)
         if (!IS_IMA(inode))
                 return NULL;
 
-        spin_lock(&integrity_iint_lock);
+        read_lock(&integrity_iint_lock);
         iint = __integrity_iint_find(inode);
-        spin_unlock(&integrity_iint_lock);
+        read_unlock(&integrity_iint_lock);
 
         return iint;
 }
@@ -74,59 +72,53 @@ static void iint_free(struct integrity_iint_cache *iint)
 {
         iint->version = 0;
         iint->flags = 0UL;
+        iint->ima_status = INTEGRITY_UNKNOWN;
         iint->evm_status = INTEGRITY_UNKNOWN;
         kmem_cache_free(iint_cache, iint);
 }
 
 /**
- * integrity_inode_alloc - allocate an iint associated with an inode
+ * integrity_inode_get - find or allocate an iint associated with an inode
  * @inode: pointer to the inode
+ * @return: allocated iint
+ *
+ * Caller must lock i_mutex
  */
-int integrity_inode_alloc(struct inode *inode)
+struct integrity_iint_cache *integrity_inode_get(struct inode *inode)
 {
         struct rb_node **p;
-        struct rb_node *new_node, *parent = NULL;
-        struct integrity_iint_cache *new_iint, *test_iint;
-        int rc;
+        struct rb_node *node, *parent = NULL;
+        struct integrity_iint_cache *iint, *test_iint;
 
-        new_iint = kmem_cache_alloc(iint_cache, GFP_NOFS);
-        if (!new_iint)
-                return -ENOMEM;
+        iint = integrity_iint_find(inode);
+        if (iint)
+                return iint;
 
-        new_iint->inode = inode;
-        new_node = &new_iint->rb_node;
+        iint = kmem_cache_alloc(iint_cache, GFP_NOFS);
+        if (!iint)
+                return NULL;
 
-        mutex_lock(&inode->i_mutex);    /* i_flags */
-        spin_lock(&integrity_iint_lock);
+        write_lock(&integrity_iint_lock);
 
         p = &integrity_iint_tree.rb_node;
         while (*p) {
                 parent = *p;
                 test_iint = rb_entry(parent, struct integrity_iint_cache,
                                      rb_node);
-                rc = -EEXIST;
                 if (inode < test_iint->inode)
                         p = &(*p)->rb_left;
-                else if (inode > test_iint->inode)
-                        p = &(*p)->rb_right;
                 else
-                        goto out_err;
+                        p = &(*p)->rb_right;
         }
 
+        iint->inode = inode;
+        node = &iint->rb_node;
         inode->i_flags |= S_IMA;
-        rb_link_node(new_node, parent, p);
-        rb_insert_color(new_node, &integrity_iint_tree);
+        rb_link_node(node, parent, p);
+        rb_insert_color(node, &integrity_iint_tree);
 
-        spin_unlock(&integrity_iint_lock);
-        mutex_unlock(&inode->i_mutex);  /* i_flags */
-
-        return 0;
-out_err:
-        spin_unlock(&integrity_iint_lock);
-        mutex_unlock(&inode->i_mutex);  /* i_flags */
-        iint_free(new_iint);
-
-        return rc;
+        write_unlock(&integrity_iint_lock);
+        return iint;
 }
 
 /**
@@ -142,10 +134,10 @@ void integrity_inode_free(struct inode *inode)
         if (!IS_IMA(inode))
                 return;
 
-        spin_lock(&integrity_iint_lock);
+        write_lock(&integrity_iint_lock);
         iint = __integrity_iint_find(inode);
         rb_erase(&iint->rb_node, &integrity_iint_tree);
-        spin_unlock(&integrity_iint_lock);
+        write_unlock(&integrity_iint_lock);
 
         iint_free(iint);
 }
@@ -157,7 +149,7 @@ static void init_once(void *foo)
         memset(iint, 0, sizeof *iint);
         iint->version = 0;
         iint->flags = 0UL;
-        mutex_init(&iint->mutex);
+        iint->ima_status = INTEGRITY_UNKNOWN;
         iint->evm_status = INTEGRITY_UNKNOWN;
 }
 
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index b9c1219924f1..d232c73647ae 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -11,6 +11,7 @@ config IMA
         select CRYPTO_SHA1
         select TCG_TPM if HAS_IOMEM && !UML
         select TCG_TIS if TCG_TPM && X86
+        select TCG_IBMVTPM if TCG_TPM && PPC64
         help
           The Trusted Computing Group(TCG) runtime Integrity
           Measurement Architecture(IMA) maintains a list of hash
@@ -55,3 +56,18 @@ config IMA_LSM_RULES
         default y
         help
           Disabling this option will disregard LSM based policy rules.
+
+config IMA_APPRAISE
+        bool "Appraise integrity measurements"
+        depends on IMA
+        default n
+        help
+          This option enables local measurement integrity appraisal.
+          It requires the system to be labeled with a security extended
+          attribute containing the file hash measurement.  To protect
+          the security extended attributes from offline attack, enable
+          and configure EVM.
+
+          For more information on integrity appraisal refer to:
+          <http://linux-ima.sourceforge.net>
+          If unsure, say N.
diff --git a/security/integrity/ima/Makefile b/security/integrity/ima/Makefile
index 5f740f6971e1..3f2ca6bdc384 100644
--- a/security/integrity/ima/Makefile
+++ b/security/integrity/ima/Makefile
@@ -8,3 +8,4 @@ obj-$(CONFIG_IMA) += ima.o
 ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \
          ima_policy.o
 ima-$(CONFIG_IMA_AUDIT) += ima_audit.o
+ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index e7c99fd0d223..8180adde10b7 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -40,6 +40,7 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };
 extern int ima_initialized;
 extern int ima_used_chip;
 extern char *ima_hash;
+extern int ima_appraise;
 
 /* IMA inode template definition */
 struct ima_template_data {
@@ -107,11 +108,14 @@ static inline unsigned long ima_hash_key(u8 *digest)
 }
 
 /* LIM API function definitions */
+int ima_get_action(struct inode *inode, int mask, int function);
 int ima_must_measure(struct inode *inode, int mask, int function);
 int ima_collect_measurement(struct integrity_iint_cache *iint,
                             struct file *file);
 void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
                            const unsigned char *filename);
+void ima_audit_measurement(struct integrity_iint_cache *iint,
+                           const unsigned char *filename);
 int ima_store_template(struct ima_template_entry *entry, int violation,
                        struct inode *inode);
 void ima_template_show(struct seq_file *m, void *e, enum ima_show_type show);
@@ -123,14 +127,45 @@ struct integrity_iint_cache *integrity_iint_insert(struct inode *inode);
 struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
 
 /* IMA policy related functions */
-enum ima_hooks { FILE_CHECK = 1, FILE_MMAP, BPRM_CHECK };
+enum ima_hooks { FILE_CHECK = 1, FILE_MMAP, BPRM_CHECK, POST_SETATTR };
 
-int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask);
+int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
+                     int flags);
 void ima_init_policy(void);
 void ima_update_policy(void);
 ssize_t ima_parse_add_rule(char *);
 void ima_delete_rules(void);
 
+/* Appraise integrity measurements */
+#define IMA_APPRAISE_ENFORCE    0x01
+#define IMA_APPRAISE_FIX        0x02
+
+#ifdef CONFIG_IMA_APPRAISE
+int ima_appraise_measurement(struct integrity_iint_cache *iint,
+                             struct file *file, const unsigned char *filename);
+int ima_must_appraise(struct inode *inode, enum ima_hooks func, int mask);
+void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file);
+
+#else
+static inline int ima_appraise_measurement(struct integrity_iint_cache *iint,
+                                           struct file *file,
+                                           const unsigned char *filename)
+{
+        return INTEGRITY_UNKNOWN;
+}
+
+static inline int ima_must_appraise(struct inode *inode,
+                                    enum ima_hooks func, int mask)
+{
+        return 0;
+}
+
+static inline void ima_update_xattr(struct integrity_iint_cache *iint,
+                                    struct file *file)
+{
+}
+#endif
+
 /* LSM based policy rules require audit */
 #ifdef CONFIG_IMA_LSM_RULES
 
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 032ff03ad907..b356884fb3ef 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -9,13 +9,17 @@
  * License.
  *
  * File: ima_api.c
- *      Implements must_measure, collect_measurement, store_measurement,
- *      and store_template.
+ *      Implements must_appraise_or_measure, collect_measurement,
+ *      appraise_measurement, store_measurement and store_template.
  */
 #include <linux/module.h>
 #include <linux/slab.h>
-
+#include <linux/file.h>
+#include <linux/fs.h>
+#include <linux/xattr.h>
+#include <linux/evm.h>
 #include "ima.h"
+
 static const char *IMA_TEMPLATE_NAME = "ima";
 
 /*
@@ -93,7 +97,7 @@ err_out:
 }
 
 /**
- * ima_must_measure - measure decision based on policy.
+ * ima_get_action - appraise & measure decision based on policy.
  * @inode: pointer to inode to measure
  * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXECUTE)
  * @function: calling function (FILE_CHECK, BPRM_CHECK, FILE_MMAP)
@@ -105,15 +109,22 @@ err_out:
  *      mask: contains the permission mask
  *      fsmagic: hex value
  *
- * Return 0 to measure. For matching a DONT_MEASURE policy, no policy,
- * or other error, return an error code.
-*/
-int ima_must_measure(struct inode *inode, int mask, int function)
+ * Returns IMA_MEASURE, IMA_APPRAISE mask.
+ *
+ */
+int ima_get_action(struct inode *inode, int mask, int function)
 {
-        int must_measure;
+        int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE;
+
+        if (!ima_appraise)
+                flags &= ~IMA_APPRAISE;
 
-        must_measure = ima_match_policy(inode, function, mask);
-        return must_measure ? 0 : -EACCES;
+        return ima_match_policy(inode, function, mask, flags);
+}
+
+int ima_must_measure(struct inode *inode, int mask, int function)
+{
+        return ima_match_policy(inode, function, mask, IMA_MEASURE);
 }
 
 /*
@@ -129,16 +140,24 @@ int ima_must_measure(struct inode *inode, int mask, int function)
 int ima_collect_measurement(struct integrity_iint_cache *iint,
                             struct file *file)
 {
-        int result = -EEXIST;
+        struct inode *inode = file->f_dentry->d_inode;
+        const char *filename = file->f_dentry->d_name.name;
+        int result = 0;
 
-        if (!(iint->flags & IMA_MEASURED)) {
+        if (!(iint->flags & IMA_COLLECTED)) {
                 u64 i_version = file->f_dentry->d_inode->i_version;
 
-                memset(iint->digest, 0, IMA_DIGEST_SIZE);
-                result = ima_calc_hash(file, iint->digest);
-                if (!result)
+                iint->ima_xattr.type = IMA_XATTR_DIGEST;
+                result = ima_calc_hash(file, iint->ima_xattr.digest);
+                if (!result) {
                         iint->version = i_version;
+                        iint->flags |= IMA_COLLECTED;
+                }
         }
+        if (result)
+                integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
+                                    filename, "collect_data", "failed",
+                                    result, 0);
         return result;
 }
 
@@ -167,6 +186,9 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
         struct ima_template_entry *entry;
         int violation = 0;
 
+        if (iint->flags & IMA_MEASURED)
+                return;
+
         entry = kmalloc(sizeof(*entry), GFP_KERNEL);
         if (!entry) {
                 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
@@ -174,7 +196,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
                 return;
         }
         memset(&entry->template, 0, sizeof(entry->template));
-        memcpy(entry->template.digest, iint->digest, IMA_DIGEST_SIZE);
+        memcpy(entry->template.digest, iint->ima_xattr.digest, IMA_DIGEST_SIZE);
         strcpy(entry->template.file_name,
                (strlen(filename) > IMA_EVENT_NAME_LEN_MAX) ?
                file->f_dentry->d_name.name : filename);
@@ -185,3 +207,33 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
         if (result < 0)
                 kfree(entry);
 }
+
+void ima_audit_measurement(struct integrity_iint_cache *iint,
+                           const unsigned char *filename)
+{
+        struct audit_buffer *ab;
+        char hash[(IMA_DIGEST_SIZE * 2) + 1];
+        int i;
+
+        if (iint->flags & IMA_AUDITED)
+                return;
+
+        for (i = 0; i < IMA_DIGEST_SIZE; i++)
+                hex_byte_pack(hash + (i * 2), iint->ima_xattr.digest[i]);
+        hash[i * 2] = '\0';
+
+        ab = audit_log_start(current->audit_context, GFP_KERNEL,
+                             AUDIT_INTEGRITY_RULE);
+        if (!ab)
+                return;
+
+        audit_log_format(ab, "file=");
+        audit_log_untrustedstring(ab, filename);
+        audit_log_format(ab, " hash=");
+        audit_log_untrustedstring(ab, hash);
+
+        audit_log_task_info(ab, current);
+        audit_log_end(ab);
+
+        iint->flags |= IMA_AUDITED;
+}
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
new file mode 100644
index 000000000000..0aa43bde441c
--- /dev/null
+++ b/security/integrity/ima/ima_appraise.c
@@ -0,0 +1,263 @@
+/*
+ * Copyright (C) 2011 IBM Corporation
+ *
+ * Author:
+ * Mimi Zohar <zohar@us.ibm.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 2 of the License.
+ */
+#include <linux/module.h>
+#include <linux/file.h>
+#include <linux/fs.h>
+#include <linux/xattr.h>
+#include <linux/magic.h>
+#include <linux/ima.h>
+#include <linux/evm.h>
+
+#include "ima.h"
+
+static int __init default_appraise_setup(char *str)
+{
+        if (strncmp(str, "off", 3) == 0)
+                ima_appraise = 0;
+        else if (strncmp(str, "fix", 3) == 0)
+                ima_appraise = IMA_APPRAISE_FIX;
+        return 1;
+}
+
+__setup("ima_appraise=", default_appraise_setup);
+
+/*
+ * ima_must_appraise - set appraise flag
+ *
+ * Return 1 to appraise
+ */
+int ima_must_appraise(struct inode *inode, enum ima_hooks func, int mask)
+{
+        if (!ima_appraise)
+                return 0;
+
+        return ima_match_policy(inode, func, mask, IMA_APPRAISE);
+}
+
+static void ima_fix_xattr(struct dentry *dentry,
+                          struct integrity_iint_cache *iint)
+{
+        iint->ima_xattr.type = IMA_XATTR_DIGEST;
+        __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA, (u8 *)&iint->ima_xattr,
+                              sizeof iint->ima_xattr, 0);
+}
+
+/*
+ * ima_appraise_measurement - appraise file measurement
+ *
+ * Call evm_verifyxattr() to verify the integrity of 'security.ima'.
+ * Assuming success, compare the xattr hash with the collected measurement.
+ *
+ * Return 0 on success, error code otherwise
+ */
+int ima_appraise_measurement(struct integrity_iint_cache *iint,
+                             struct file *file, const unsigned char *filename)
+{
+        struct dentry *dentry = file->f_dentry;
+        struct inode *inode = dentry->d_inode;
+        struct evm_ima_xattr_data *xattr_value = NULL;
+        enum integrity_status status = INTEGRITY_UNKNOWN;
+        const char *op = "appraise_data";
+        char *cause = "unknown";
+        int rc;
+
+        if (!ima_appraise)
+                return 0;
+        if (!inode->i_op->getxattr)
+                return INTEGRITY_UNKNOWN;
+
+        if (iint->flags & IMA_APPRAISED)
+                return iint->ima_status;
+
+        rc = vfs_getxattr_alloc(dentry, XATTR_NAME_IMA, (char **)&xattr_value,
+                                0, GFP_NOFS);
+        if (rc <= 0) {
+                if (rc && rc != -ENODATA)
+                        goto out;
+
+                cause = "missing-hash";
+                status =
+                    (inode->i_size == 0) ? INTEGRITY_PASS : INTEGRITY_NOLABEL;
+                goto out;
+        }
+
+        status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);
+        if ((status != INTEGRITY_PASS) && (status != INTEGRITY_UNKNOWN)) {
+                if ((status == INTEGRITY_NOLABEL)
+                    || (status == INTEGRITY_NOXATTRS))
+                        cause = "missing-HMAC";
+                else if (status == INTEGRITY_FAIL)
+                        cause = "invalid-HMAC";
+                goto out;
+        }
+
+        switch (xattr_value->type) {
+        case IMA_XATTR_DIGEST:
+                rc = memcmp(xattr_value->digest, iint->ima_xattr.digest,
+                            IMA_DIGEST_SIZE);
+                if (rc) {
+                        cause = "invalid-hash";
+                        status = INTEGRITY_FAIL;
+                        print_hex_dump_bytes("security.ima: ", DUMP_PREFIX_NONE,
+                                             xattr_value, sizeof(*xattr_value));
+                        print_hex_dump_bytes("collected: ", DUMP_PREFIX_NONE,
+                                             (u8 *)&iint->ima_xattr,
+                                             sizeof iint->ima_xattr);
+                        break;
+                }
+                status = INTEGRITY_PASS;
+                break;
+        case EVM_IMA_XATTR_DIGSIG:
+                iint->flags |= IMA_DIGSIG;
+                rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
+                                             xattr_value->digest, rc - 1,
+                                             iint->ima_xattr.digest,
+                                             IMA_DIGEST_SIZE);
+                if (rc == -EOPNOTSUPP) {
+                        status = INTEGRITY_UNKNOWN;
+                } else if (rc) {
+                        cause = "invalid-signature";
+                        status = INTEGRITY_FAIL;
+                } else {
+                        status = INTEGRITY_PASS;
+                }
+                break;
+        default:
+                status = INTEGRITY_UNKNOWN;
+                cause = "unknown-ima-data";
+                break;
+        }
+
+out:
+        if (status != INTEGRITY_PASS) {
+                if ((ima_appraise & IMA_APPRAISE_FIX) &&
+                    (!xattr_value ||
+                     xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
+                        ima_fix_xattr(dentry, iint);
+                        status = INTEGRITY_PASS;
+                }
+                integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
+                                    op, cause, rc, 0);
+        } else {
+                iint->flags |= IMA_APPRAISED;
+        }
+        iint->ima_status = status;
+        kfree(xattr_value);
+        return status;
+}
+
+/*
+ * ima_update_xattr - update 'security.ima' hash value
+ */
+void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
+{
+        struct dentry *dentry = file->f_dentry;
+        int rc = 0;
+
+        /* do not collect and update hash for digital signatures */
+        if (iint->flags & IMA_DIGSIG)
+                return;
+
+        rc = ima_collect_measurement(iint, file);
+        if (rc < 0)
+                return;
+
+        ima_fix_xattr(dentry, iint);
+}
+
+/**
+ * ima_inode_post_setattr - reflect file metadata changes
+ * @dentry: pointer to the affected dentry
+ *
+ * Changes to a dentry's metadata might result in needing to appraise.
+ *
+ * This function is called from notify_change(), which expects the caller
+ * to lock the inode's i_mutex.
+ */
+void ima_inode_post_setattr(struct dentry *dentry)
+{
+        struct inode *inode = dentry->d_inode;
+        struct integrity_iint_cache *iint;
+        int must_appraise, rc;
+
+        if (!ima_initialized || !ima_appraise || !S_ISREG(inode->i_mode)
+            || !inode->i_op->removexattr)
+                return;
+
+        must_appraise = ima_must_appraise(inode, MAY_ACCESS, POST_SETATTR);
+        iint = integrity_iint_find(inode);
+        if (iint) {
+                if (must_appraise)
+                        iint->flags |= IMA_APPRAISE;
+                else
+                        iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED);
+        }
+        if (!must_appraise)
+                rc = inode->i_op->removexattr(dentry, XATTR_NAME_IMA);
+        return;
+}
+
+/*
+ * ima_protect_xattr - protect 'security.ima'
+ *
+ * Ensure that not just anyone can modify or remove 'security.ima'.
+ */
+static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
+                             const void *xattr_value, size_t xattr_value_len)
+{
+        if (strcmp(xattr_name, XATTR_NAME_IMA) == 0) {
+                if (!capable(CAP_SYS_ADMIN))
+                        return -EPERM;
+                return 1;
+        }
+        return 0;
+}
+
+static void ima_reset_appraise_flags(struct inode *inode)
+{
+        struct integrity_iint_cache *iint;
+
+        if (!ima_initialized || !ima_appraise || !S_ISREG(inode->i_mode))
+                return;
+
+        iint = integrity_iint_find(inode);
+        if (!iint)
+                return;
+
+        iint->flags &= ~IMA_DONE_MASK;
+        return;
+}
+
+int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
+                       const void *xattr_value, size_t xattr_value_len)
+{
+        int result;
+
+        result = ima_protect_xattr(dentry, xattr_name, xattr_value,
+                                   xattr_value_len);
+        if (result == 1) {
+                ima_reset_appraise_flags(dentry->d_inode);
+                result = 0;
+        }
+        return result;
+}
+
+int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name)
+{
+        int result;
+
+        result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
+        if (result == 1) {
+                ima_reset_appraise_flags(dentry->d_inode);
+                result = 0;
+        }
+        return result;
+}
diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
index 9b3ade7468b2..b21ee5b5495a 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -48,7 +48,7 @@ int ima_calc_hash(struct file *file, char *digest)
         struct scatterlist sg[1];
         loff_t i_size, offset = 0;
         char *rbuf;
-        int rc;
+        int rc, read = 0;
 
         rc = init_desc(&desc);
         if (rc != 0)
@@ -59,6 +59,10 @@ int ima_calc_hash(struct file *file, char *digest)
                 rc = -ENOMEM;
                 goto out;
         }
+        if (!(file->f_mode & FMODE_READ)) {
+                file->f_mode |= FMODE_READ;
+                read = 1;
+        }
         i_size = i_size_read(file->f_dentry->d_inode);
         while (offset < i_size) {
                 int rbuf_len;
@@ -80,6 +84,8 @@ int ima_calc_hash(struct file *file, char *digest)
         kfree(rbuf);
         if (!rc)
                 rc = crypto_hash_final(&desc, digest);
+        if (read)
+                file->f_mode &= ~FMODE_READ;
 out:
         crypto_free_hash(desc.tfm);
         return rc;
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index be8294915cf7..73c9a268253e 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -22,12 +22,19 @@
 #include <linux/mount.h>
 #include <linux/mman.h>
 #include <linux/slab.h>
+#include <linux/xattr.h>
 #include <linux/ima.h>
 
 #include "ima.h"
 
 int ima_initialized;
 
+#ifdef CONFIG_IMA_APPRAISE
+int ima_appraise = IMA_APPRAISE_ENFORCE;
+#else
+int ima_appraise;
+#endif
+
 char *ima_hash = "sha1";
 static int __init hash_setup(char *str)
 {
@@ -52,7 +59,7 @@ static void ima_rdwr_violation_check(struct file *file)
         struct dentry *dentry = file->f_path.dentry;
         struct inode *inode = dentry->d_inode;
         fmode_t mode = file->f_mode;
-        int rc;
+        int must_measure;
         bool send_tomtou = false, send_writers = false;
         unsigned char *pathname = NULL, *pathbuf = NULL;
 
@@ -67,8 +74,8 @@ static void ima_rdwr_violation_check(struct file *file)
                 goto out;
         }
 
-        rc = ima_must_measure(inode, MAY_READ, FILE_CHECK);
-        if (rc < 0)
+        must_measure = ima_must_measure(inode, MAY_READ, FILE_CHECK);
+        if (!must_measure)
                 goto out;
 
         if (atomic_read(&inode->i_writecount) > 0)
@@ -100,17 +107,21 @@ out:
 }
 
 static void ima_check_last_writer(struct integrity_iint_cache *iint,
-                                  struct inode *inode,
-                                  struct file *file)
+                                  struct inode *inode, struct file *file)
 {
         fmode_t mode = file->f_mode;
 
-        mutex_lock(&iint->mutex);
-        if (mode & FMODE_WRITE &&
-            atomic_read(&inode->i_writecount) == 1 &&
-            iint->version != inode->i_version)
-                iint->flags &= ~IMA_MEASURED;
-        mutex_unlock(&iint->mutex);
+        if (!(mode & FMODE_WRITE))
+                return;
+
+        mutex_lock(&inode->i_mutex);
+        if (atomic_read(&inode->i_writecount) == 1 &&
+            iint->version != inode->i_version) {
+                iint->flags &= ~IMA_DONE_MASK;
+                if (iint->flags & IMA_APPRAISE)
+                        ima_update_xattr(iint, file);
+        }
+        mutex_unlock(&inode->i_mutex);
 }
 
 /**
@@ -140,28 +151,37 @@ static int process_measurement(struct file *file, const unsigned char *filename,
         struct inode *inode = file->f_dentry->d_inode;
         struct integrity_iint_cache *iint;
         unsigned char *pathname = NULL, *pathbuf = NULL;
-        int rc = 0;
+        int rc = -ENOMEM, action, must_appraise;
 
         if (!ima_initialized || !S_ISREG(inode->i_mode))
                 return 0;
 
-        rc = ima_must_measure(inode, mask, function);
-        if (rc != 0)
-                return rc;
-retry:
-        iint = integrity_iint_find(inode);
-        if (!iint) {
-                rc = integrity_inode_alloc(inode);
-                if (!rc || rc == -EEXIST)
-                        goto retry;
-                return rc;
-        }
+        /* Determine if in appraise/audit/measurement policy,
+         * returns IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT bitmask.  */
+        action = ima_get_action(inode, mask, function);
+        if (!action)
+                return 0;
 
-        mutex_lock(&iint->mutex);
+        must_appraise = action & IMA_APPRAISE;
 
-        rc = iint->flags & IMA_MEASURED ? 1 : 0;
-        if (rc != 0)
+        mutex_lock(&inode->i_mutex);
+
+        iint = integrity_inode_get(inode);
+        if (!iint)
+                goto out;
+
+        /* Determine if already appraised/measured based on bitmask
+         * (IMA_MEASURE, IMA_MEASURED, IMA_APPRAISE, IMA_APPRAISED,
+         *  IMA_AUDIT, IMA_AUDITED) */
+        iint->flags |= action;
+        action &= ~((iint->flags & IMA_DONE_MASK) >> 1);
+
+        /* Nothing to do, just return existing appraised status */
+        if (!action) {
+                if (iint->flags & IMA_APPRAISED)
+                        rc = iint->ima_status;
                 goto out;
+        }
 
         rc = ima_collect_measurement(iint, file);
         if (rc != 0)
@@ -177,11 +197,18 @@ retry:
                                 pathname = NULL;
                 }
         }
-        ima_store_measurement(iint, file, !pathname ? filename : pathname);
+        if (action & IMA_MEASURE)
+                ima_store_measurement(iint, file,
+                                      !pathname ? filename : pathname);
+        if (action & IMA_APPRAISE)
+                rc = ima_appraise_measurement(iint, file,
+                                              !pathname ? filename : pathname);
+        if (action & IMA_AUDIT)
+                ima_audit_measurement(iint, !pathname ? filename : pathname);
         kfree(pathbuf);
 out:
-        mutex_unlock(&iint->mutex);
-        return rc;
+        mutex_unlock(&inode->i_mutex);
+        return (rc && must_appraise) ? -EACCES : 0;
 }
 
 /**
@@ -197,14 +224,14 @@ out:
  */
 int ima_file_mmap(struct file *file, unsigned long prot)
 {
-        int rc;
+        int rc = 0;
 
         if (!file)
                 return 0;
         if (prot & PROT_EXEC)
                 rc = process_measurement(file, file->f_dentry->d_name.name,
                                          MAY_EXEC, FILE_MMAP);
-        return 0;
+        return (ima_appraise & IMA_APPRAISE_ENFORCE) ? rc : 0;
 }
 
 /**
@@ -228,7 +255,7 @@ int ima_bprm_check(struct linux_binprm *bprm)
                                  (strcmp(bprm->filename, bprm->interp) == 0) ?
                                  bprm->filename : bprm->interp,
                                  MAY_EXEC, BPRM_CHECK);
-        return 0;
+        return (ima_appraise & IMA_APPRAISE_ENFORCE) ? rc : 0;
 }
 
 /**
@@ -249,7 +276,7 @@ int ima_file_check(struct file *file, int mask)
         rc = process_measurement(file, file->f_dentry->d_name.name,
                                  mask & (MAY_READ | MAY_WRITE | MAY_EXEC),
                                  FILE_CHECK);
-        return 0;
+        return (ima_appraise & IMA_APPRAISE_ENFORCE) ? rc : 0;
 }
 EXPORT_SYMBOL_GPL(ima_file_check);
 
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index c84df05180cb..c7dacd2eab7a 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -24,22 +24,29 @@
 #define IMA_MASK        0x0002
 #define IMA_FSMAGIC     0x0004
 #define IMA_UID         0x0008
+#define IMA_FOWNER      0x0010
 
-enum ima_action { UNKNOWN = -1, DONT_MEASURE = 0, MEASURE };
+#define UNKNOWN         0
+#define MEASURE         0x0001  /* same as IMA_MEASURE */
+#define DONT_MEASURE    0x0002
+#define APPRAISE        0x0004  /* same as IMA_APPRAISE */
+#define DONT_APPRAISE   0x0008
+#define AUDIT           0x0040
 
 #define MAX_LSM_RULES 6
 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
         LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE
 };
 
-struct ima_measure_rule_entry {
+struct ima_rule_entry {
         struct list_head list;
-        enum ima_action action;
+        int action;
         unsigned int flags;
         enum ima_hooks func;
         int mask;
         unsigned long fsmagic;
         kuid_t uid;
+        kuid_t fowner;
         struct {
                 void *rule;     /* LSM file metadata specific */
                 int type;       /* audit type */
@@ -48,7 +55,7 @@ struct ima_measure_rule_entry {
 
 /*
  * Without LSM specific knowledge, the default policy can only be
- * written in terms of .action, .func, .mask, .fsmagic, and .uid
+ * written in terms of .action, .func, .mask, .fsmagic, .uid, and .fowner
  */
 
 /*
@@ -57,7 +64,7 @@ struct ima_measure_rule_entry {
  * normal users can easily run the machine out of memory simply building
  * and running executables.
  */
-static struct ima_measure_rule_entry default_rules[] = {
+static struct ima_rule_entry default_rules[] = {
         {.action = DONT_MEASURE,.fsmagic = PROC_SUPER_MAGIC,.flags = IMA_FSMAGIC},
         {.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC},
         {.action = DONT_MEASURE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC},
@@ -75,19 +82,41 @@ static struct ima_measure_rule_entry default_rules[] = {
          .flags = IMA_FUNC | IMA_MASK | IMA_UID},
 };
 
-static LIST_HEAD(measure_default_rules);
-static LIST_HEAD(measure_policy_rules);
-static struct list_head *ima_measure;
+static struct ima_rule_entry default_appraise_rules[] = {
+        {.action = DONT_APPRAISE,.fsmagic = PROC_SUPER_MAGIC,.flags = IMA_FSMAGIC},
+        {.action = DONT_APPRAISE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC},
+        {.action = DONT_APPRAISE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC},
+        {.action = DONT_APPRAISE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC},
+        {.action = DONT_APPRAISE,.fsmagic = RAMFS_MAGIC,.flags = IMA_FSMAGIC},
+        {.action = DONT_APPRAISE,.fsmagic = DEVPTS_SUPER_MAGIC,.flags = IMA_FSMAGIC},
+        {.action = DONT_APPRAISE,.fsmagic = BINFMTFS_MAGIC,.flags = IMA_FSMAGIC},
+        {.action = DONT_APPRAISE,.fsmagic = SECURITYFS_MAGIC,.flags = IMA_FSMAGIC},
+        {.action = DONT_APPRAISE,.fsmagic = SELINUX_MAGIC,.flags = IMA_FSMAGIC},
+        {.action = DONT_APPRAISE,.fsmagic = CGROUP_SUPER_MAGIC,.flags = IMA_FSMAGIC},
+        {.action = APPRAISE,.fowner = GLOBAL_ROOT_UID,.flags = IMA_FOWNER},
+};
+
+static LIST_HEAD(ima_default_rules);
+static LIST_HEAD(ima_policy_rules);
+static struct list_head *ima_rules;
 
-static DEFINE_MUTEX(ima_measure_mutex);
+static DEFINE_MUTEX(ima_rules_mutex);
 
 static bool ima_use_tcb __initdata;
-static int __init default_policy_setup(char *str)
+static int __init default_measure_policy_setup(char *str)
 {
         ima_use_tcb = 1;
         return 1;
 }
-__setup("ima_tcb", default_policy_setup);
+__setup("ima_tcb", default_measure_policy_setup);
+
+static bool ima_use_appraise_tcb __initdata;
+static int __init default_appraise_policy_setup(char *str)
+{
+        ima_use_appraise_tcb = 1;
+        return 1;
+}
+__setup("ima_appraise_tcb", default_appraise_policy_setup);
 
 /**
  * ima_match_rules - determine whether an inode matches the measure rule.
@@ -98,7 +127,7 @@ __setup("ima_tcb", default_policy_setup);
  *
  * Returns true on rule match, false on failure.
  */
-static bool ima_match_rules(struct ima_measure_rule_entry *rule,
+static bool ima_match_rules(struct ima_rule_entry *rule,
                             struct inode *inode, enum ima_hooks func, int mask)
 {
         struct task_struct *tsk = current;
@@ -114,6 +143,8 @@ static bool ima_match_rules(struct ima_measure_rule_entry *rule,
                 return false;
         if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid))
                 return false;
+        if ((rule->flags & IMA_FOWNER) && !uid_eq(rule->fowner, inode->i_uid))
+                return false;
         for (i = 0; i < MAX_LSM_RULES; i++) {
                 int rc = 0;
                 u32 osid, sid;
@@ -163,39 +194,61 @@ static bool ima_match_rules(struct ima_measure_rule_entry *rule,
  * as elements in the list are never deleted, nor does the list
  * change.)
  */
-int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask)
+int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
+                     int flags)
 {
-        struct ima_measure_rule_entry *entry;
+        struct ima_rule_entry *entry;
+        int action = 0, actmask = flags | (flags << 1);
+
+        list_for_each_entry(entry, ima_rules, list) {
+
+                if (!(entry->action & actmask))
+                        continue;
+
+                if (!ima_match_rules(entry, inode, func, mask))
+                        continue;
 
-        list_for_each_entry(entry, ima_measure, list) {
-                bool rc;
+                action |= entry->action & IMA_DO_MASK;
+                if (entry->action & IMA_DO_MASK)
+                        actmask &= ~(entry->action | entry->action << 1);
+                else
+                        actmask &= ~(entry->action | entry->action >> 1);
 
-                rc = ima_match_rules(entry, inode, func, mask);
-                if (rc)
-                        return entry->action;
+                if (!actmask)
+                        break;
         }
-        return 0;
+
+        return action;
 }
 
 /**
  * ima_init_policy - initialize the default measure rules.
  *
- * ima_measure points to either the measure_default_rules or the
- * the new measure_policy_rules.
+ * ima_rules points to either the ima_default_rules or the
+ * the new ima_policy_rules.
  */
 void __init ima_init_policy(void)
 {
-        int i, entries;
+        int i, measure_entries, appraise_entries;
 
         /* if !ima_use_tcb set entries = 0 so we load NO default rules */
-        if (ima_use_tcb)
-                entries = ARRAY_SIZE(default_rules);
-        else
-                entries = 0;
-
-        for (i = 0; i < entries; i++)
-                list_add_tail(&default_rules[i].list, &measure_default_rules);
-        ima_measure = &measure_default_rules;
+        measure_entries = ima_use_tcb ? ARRAY_SIZE(default_rules) : 0;
+        appraise_entries = ima_use_appraise_tcb ?
+                         ARRAY_SIZE(default_appraise_rules) : 0;
+        
+        for (i = 0; i < measure_entries + appraise_entries; i++) {
+                if (i < measure_entries)
+                        list_add_tail(&default_rules[i].list,
+                                      &ima_default_rules);
+                else {
+                        int j = i - measure_entries;
+
+                        list_add_tail(&default_appraise_rules[j].list,
+                                      &ima_default_rules);
+                }
+        }
+
+        ima_rules = &ima_default_rules;
 }
 
 /**
@@ -212,8 +265,8 @@ void ima_update_policy(void)
         int result = 1;
         int audit_info = 0;
 
-        if (ima_measure == &measure_default_rules) {
-                ima_measure = &measure_policy_rules;
+        if (ima_rules == &ima_default_rules) {
+                ima_rules = &ima_policy_rules;
                 cause = "complete";
                 result = 0;
         }
@@ -224,14 +277,19 @@ void ima_update_policy(void)
 enum {
         Opt_err = -1,
         Opt_measure = 1, Opt_dont_measure,
+        Opt_appraise, Opt_dont_appraise,
+        Opt_audit,
         Opt_obj_user, Opt_obj_role, Opt_obj_type,
         Opt_subj_user, Opt_subj_role, Opt_subj_type,
-        Opt_func, Opt_mask, Opt_fsmagic, Opt_uid
+        Opt_func, Opt_mask, Opt_fsmagic, Opt_uid, Opt_fowner
 };
 
 static match_table_t policy_tokens = {
         {Opt_measure, "measure"},
         {Opt_dont_measure, "dont_measure"},
+        {Opt_appraise, "appraise"},
+        {Opt_dont_appraise, "dont_appraise"},
+        {Opt_audit, "audit"},
         {Opt_obj_user, "obj_user=%s"},
         {Opt_obj_role, "obj_role=%s"},
         {Opt_obj_type, "obj_type=%s"},
@@ -242,10 +300,11 @@ static match_table_t policy_tokens = {
         {Opt_mask, "mask=%s"},
         {Opt_fsmagic, "fsmagic=%s"},
         {Opt_uid, "uid=%s"},
+        {Opt_fowner, "fowner=%s"},
         {Opt_err, NULL}
 };
 
-static int ima_lsm_rule_init(struct ima_measure_rule_entry *entry,
+static int ima_lsm_rule_init(struct ima_rule_entry *entry,
                              char *args, int lsm_rule, int audit_type)
 {
         int result;
@@ -269,7 +328,7 @@ static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
         audit_log_format(ab, " ");
 }
 
-static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
+static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 {
         struct audit_buffer *ab;
         char *p;
@@ -278,6 +337,7 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
         ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_RULE);
 
         entry->uid = INVALID_UID;
+        entry->fowner = INVALID_UID;
         entry->action = UNKNOWN;
         while ((p = strsep(&rule, " \t")) != NULL) {
                 substring_t args[MAX_OPT_ARGS];
@@ -306,11 +366,35 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
 
                         entry->action = DONT_MEASURE;
                         break;
+                case Opt_appraise:
+                        ima_log_string(ab, "action", "appraise");
+
+                        if (entry->action != UNKNOWN)
+                                result = -EINVAL;
+
+                        entry->action = APPRAISE;
+                        break;
+                case Opt_dont_appraise:
+                        ima_log_string(ab, "action", "dont_appraise");
+
+                        if (entry->action != UNKNOWN)
+                                result = -EINVAL;
+
+                        entry->action = DONT_APPRAISE;
+                        break;
+                case Opt_audit:
+                        ima_log_string(ab, "action", "audit");
+
+                        if (entry->action != UNKNOWN)
+                                result = -EINVAL;
+
+                        entry->action = AUDIT;
+                        break;
                 case Opt_func:
                         ima_log_string(ab, "func", args[0].from);
 
                         if (entry->func)
-                                result  = -EINVAL;
+                                result = -EINVAL;
 
                         if (strcmp(args[0].from, "FILE_CHECK") == 0)
                                 entry->func = FILE_CHECK;
@@ -375,6 +459,23 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
                                         entry->flags |= IMA_UID;
                         }
                         break;
+                case Opt_fowner:
+                        ima_log_string(ab, "fowner", args[0].from);
+
+                        if (uid_valid(entry->fowner)) {
+                                result = -EINVAL;
+                                break;
+                        }
+
+                        result = strict_strtoul(args[0].from, 10, &lnum);
+                        if (!result) {
+                                entry->fowner = make_kuid(current_user_ns(), (uid_t)lnum);
+                                if (!uid_valid(entry->fowner) || (((uid_t)lnum) != lnum))
+                                        result = -EINVAL;
+                                else
+                                        entry->flags |= IMA_FOWNER;
+                        }
+                        break;
                 case Opt_obj_user:
                         ima_log_string(ab, "obj_user", args[0].from);
                         result = ima_lsm_rule_init(entry, args[0].from,
@@ -426,7 +527,7 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
 }
 
 /**
- * ima_parse_add_rule - add a rule to measure_policy_rules
+ * ima_parse_add_rule - add a rule to ima_policy_rules
  * @rule - ima measurement policy rule
  *
  * Uses a mutex to protect the policy list from multiple concurrent writers.
@@ -436,12 +537,12 @@ ssize_t ima_parse_add_rule(char *rule)
 {
         const char *op = "update_policy";
         char *p;
-        struct ima_measure_rule_entry *entry;
+        struct ima_rule_entry *entry;
         ssize_t result, len;
         int audit_info = 0;
 
         /* Prevent installed policy from changing */
-        if (ima_measure != &measure_default_rules) {
+        if (ima_rules != &ima_default_rules) {
                 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
                                     NULL, op, "already exists",
                                     -EACCES, audit_info);
@@ -474,9 +575,9 @@ ssize_t ima_parse_add_rule(char *rule)
                 return result;
         }
 
-        mutex_lock(&ima_measure_mutex);
-        list_add_tail(&entry->list, &measure_policy_rules);
-        mutex_unlock(&ima_measure_mutex);
+        mutex_lock(&ima_rules_mutex);
+        list_add_tail(&entry->list, &ima_policy_rules);
+        mutex_unlock(&ima_rules_mutex);
 
         return len;
 }
@@ -484,12 +585,12 @@ ssize_t ima_parse_add_rule(char *rule)
 /* ima_delete_rules called to cleanup invalid policy */
 void ima_delete_rules(void)
 {
-        struct ima_measure_rule_entry *entry, *tmp;
+        struct ima_rule_entry *entry, *tmp;
 
-        mutex_lock(&ima_measure_mutex);
-        list_for_each_entry_safe(entry, tmp, &measure_policy_rules, list) {
+        mutex_lock(&ima_rules_mutex);
+        list_for_each_entry_safe(entry, tmp, &ima_policy_rules, list) {
                 list_del(&entry->list);
                 kfree(entry);
         }
-        mutex_unlock(&ima_measure_mutex);
+        mutex_unlock(&ima_rules_mutex);
 }
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 7a25ecec5aaa..e9db763a875e 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -15,8 +15,22 @@
 #include <linux/integrity.h>
 #include <crypto/sha.h>
 
+/* iint action cache flags */
+#define IMA_MEASURE             0x0001
+#define IMA_MEASURED            0x0002
+#define IMA_APPRAISE            0x0004
+#define IMA_APPRAISED           0x0008
+/*#define IMA_COLLECT           0x0010  do not use this flag */
+#define IMA_COLLECTED           0x0020
+#define IMA_AUDIT               0x0040
+#define IMA_AUDITED             0x0080
+
 /* iint cache flags */
-#define IMA_MEASURED            0x01
+#define IMA_DIGSIG              0x0100
+
+#define IMA_DO_MASK             (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT)
+#define IMA_DONE_MASK           (IMA_MEASURED | IMA_APPRAISED | IMA_AUDITED \
+                                 | IMA_COLLECTED)
 
 enum evm_ima_xattr_type {
         IMA_XATTR_DIGEST = 0x01,
@@ -34,9 +48,9 @@ struct integrity_iint_cache {
         struct rb_node rb_node; /* rooted in integrity_iint_tree */
         struct inode *inode;    /* back pointer to inode in question */
         u64 version;            /* track inode changes */
-        unsigned char flags;
-        u8 digest[SHA1_DIGEST_SIZE];
-        struct mutex mutex;     /* protects: version, flags, digest */
+        unsigned short flags;
+        struct evm_ima_xattr_data ima_xattr;
+        enum integrity_status ima_status;
         enum integrity_status evm_status;
 };
 
diff --git a/security/keys/trusted.c b/security/keys/trusted.c
index 2d5d041f2049..3f163d0489ad 100644
--- a/security/keys/trusted.c
+++ b/security/keys/trusted.c
@@ -369,38 +369,6 @@ static int trusted_tpm_send(const u32 chip_num, unsigned char *cmd,
 }
 
 /*
- * get a random value from TPM
- */
-static int tpm_get_random(struct tpm_buf *tb, unsigned char *buf, uint32_t len)
-{
-        int ret;
-
-        INIT_BUF(tb);
-        store16(tb, TPM_TAG_RQU_COMMAND);
-        store32(tb, TPM_GETRANDOM_SIZE);
-        store32(tb, TPM_ORD_GETRANDOM);
-        store32(tb, len);
-        ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, sizeof tb->data);
-        if (!ret)
-                memcpy(buf, tb->data + TPM_GETRANDOM_SIZE, len);
-        return ret;
-}
-
-static int my_get_random(unsigned char *buf, int len)
-{
-        struct tpm_buf *tb;
-        int ret;
-
-        tb = kmalloc(sizeof *tb, GFP_KERNEL);
-        if (!tb)
-                return -ENOMEM;
-        ret = tpm_get_random(tb, buf, len);
-
-        kfree(tb);
-        return ret;
-}
-
-/*
  * Lock a trusted key, by extending a selected PCR.
  *
  * Prevents a trusted key that is sealed to PCRs from being accessed.
@@ -413,8 +381,8 @@ static int pcrlock(const int pcrnum)
 
         if (!capable(CAP_SYS_ADMIN))
                 return -EPERM;
-        ret = my_get_random(hash, SHA1_DIGEST_SIZE);
-        if (ret < 0)
+        ret = tpm_get_random(TPM_ANY_NUM, hash, SHA1_DIGEST_SIZE);
+        if (ret != SHA1_DIGEST_SIZE)
                 return ret;
         return tpm_pcr_extend(TPM_ANY_NUM, pcrnum, hash) ? -EINVAL : 0;
 }
@@ -429,8 +397,8 @@ static int osap(struct tpm_buf *tb, struct osapsess *s,
         unsigned char ononce[TPM_NONCE_SIZE];
         int ret;
 
-        ret = tpm_get_random(tb, ononce, TPM_NONCE_SIZE);
-        if (ret < 0)
+        ret = tpm_get_random(TPM_ANY_NUM, ononce, TPM_NONCE_SIZE);
+        if (ret != TPM_NONCE_SIZE)
                 return ret;
 
         INIT_BUF(tb);
@@ -524,8 +492,8 @@ static int tpm_seal(struct tpm_buf *tb, uint16_t keytype,
         if (ret < 0)
                 goto out;
 
-        ret = tpm_get_random(tb, td->nonceodd, TPM_NONCE_SIZE);
-        if (ret < 0)
+        ret = tpm_get_random(TPM_ANY_NUM, td->nonceodd, TPM_NONCE_SIZE);
+        if (ret != TPM_NONCE_SIZE)
                 goto out;
         ordinal = htonl(TPM_ORD_SEAL);
         datsize = htonl(datalen);
@@ -634,8 +602,8 @@ static int tpm_unseal(struct tpm_buf *tb,
 
         ordinal = htonl(TPM_ORD_UNSEAL);
         keyhndl = htonl(SRKHANDLE);
-        ret = tpm_get_random(tb, nonceodd, TPM_NONCE_SIZE);
-        if (ret < 0) {
+        ret = tpm_get_random(TPM_ANY_NUM, nonceodd, TPM_NONCE_SIZE);
+        if (ret != TPM_NONCE_SIZE) {
                 pr_info("trusted_key: tpm_get_random failed (%d)\n", ret);
                 return ret;
         }
@@ -935,6 +903,7 @@ static int trusted_instantiate(struct key *key, const void *data,
         char *datablob;
         int ret = 0;
         int key_cmd;
+        size_t key_len;
 
         if (datalen <= 0 || datalen > 32767 || !data)
                 return -EINVAL;
@@ -974,8 +943,9 @@ static int trusted_instantiate(struct key *key, const void *data,
                         pr_info("trusted_key: key_unseal failed (%d)\n", ret);
                 break;
         case Opt_new:
-                ret = my_get_random(payload->key, payload->key_len);
-                if (ret < 0) {
+                key_len = payload->key_len;
+                ret = tpm_get_random(TPM_ANY_NUM, payload->key, key_len);
+                if (ret != key_len) {
                         pr_info("trusted_key: key_create failed (%d)\n", ret);
                         goto out;
                 }
diff --git a/security/security.c b/security/security.c
index f9a2f2ef2454..3724029d0f6d 100644
--- a/security/security.c
+++ b/security/security.c
@@ -136,11 +136,23 @@ int __init register_security(struct security_operations *ops)
 
 int security_ptrace_access_check(struct task_struct *child, unsigned int mode)
 {
+#ifdef CONFIG_SECURITY_YAMA_STACKED
+        int rc;
+        rc = yama_ptrace_access_check(child, mode);
+        if (rc)
+                return rc;
+#endif
         return security_ops->ptrace_access_check(child, mode);
 }
 
 int security_ptrace_traceme(struct task_struct *parent)
 {
+#ifdef CONFIG_SECURITY_YAMA_STACKED
+        int rc;
+        rc = yama_ptrace_traceme(parent);
+        if (rc)
+                return rc;
+#endif
         return security_ops->ptrace_traceme(parent);
 }
 
@@ -561,6 +573,9 @@ int security_inode_setxattr(struct dentry *dentry, const char *name,
         ret = security_ops->inode_setxattr(dentry, name, value, size, flags);
         if (ret)
                 return ret;
+        ret = ima_inode_setxattr(dentry, name, value, size);
+        if (ret)
+                return ret;
         return evm_inode_setxattr(dentry, name, value, size);
 }
 
@@ -596,6 +611,9 @@ int security_inode_removexattr(struct dentry *dentry, const char *name)
         ret = security_ops->inode_removexattr(dentry, name);
         if (ret)
                 return ret;
+        ret = ima_inode_removexattr(dentry, name);
+        if (ret)
+                return ret;
         return evm_inode_removexattr(dentry, name);
 }
 
@@ -761,6 +779,9 @@ int security_task_create(unsigned long clone_flags)
 
 void security_task_free(struct task_struct *task)
 {
+#ifdef CONFIG_SECURITY_YAMA_STACKED
+        yama_task_free(task);
+#endif
         security_ops->task_free(task);
 }
 
@@ -876,6 +897,12 @@ int security_task_wait(struct task_struct *p)
 int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
                          unsigned long arg4, unsigned long arg5)
 {
+#ifdef CONFIG_SECURITY_YAMA_STACKED
+        int rc;
+        rc = yama_task_prctl(option, arg2, arg3, arg4, arg5);
+        if (rc != -ENOSYS)
+                return rc;
+#endif
         return security_ops->task_prctl(option, arg2, arg3, arg4, arg5);
 }
 
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 8221514cc997..2874c7316783 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1691,40 +1691,19 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
  * smack_task_wait - Smack access check for waiting
  * @p: task to wait for
  *
- * Returns 0 if current can wait for p, error code otherwise
+ * Returns 0
  */
 static int smack_task_wait(struct task_struct *p)
 {
-        struct smk_audit_info ad;
-        char *sp = smk_of_current();
-        char *tsp = smk_of_forked(task_security(p));
-        int rc;
-
-        /* we don't log here, we can be overriden */
-        rc = smk_access(tsp, sp, MAY_WRITE, NULL);
-        if (rc == 0)
-                goto out_log;
-
         /*
-         * Allow the operation to succeed if either task
-         * has privilege to perform operations that might
-         * account for the smack labels having gotten to
-         * be different in the first place.
-         *
-         * This breaks the strict subject/object access
-         * control ideal, taking the object's privilege
-         * state into account in the decision as well as
-         * the smack value.
+         * Allow the operation to succeed.
+         * Zombies are bad.
+         * In userless environments (e.g. phones) programs
+         * get marked with SMACK64EXEC and even if the parent
+         * and child shouldn't be talking the parent still
+         * may expect to know when the child exits.
          */
-        if (smack_privileged(CAP_MAC_OVERRIDE) ||
-            has_capability(p, CAP_MAC_OVERRIDE))
-                rc = 0;
-        /* we log only if we didn't get overriden */
- out_log:
-        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
-        smk_ad_setfield_u_tsk(&ad, p);
-        smack_log(tsp, sp, MAY_WRITE, rc, &ad);
-        return rc;
+        return 0;
 }
 
 /**
@@ -2705,9 +2684,7 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value)
 static int smack_setprocattr(struct task_struct *p, char *name,
                              void *value, size_t size)
 {
-        int rc;
         struct task_smack *tsp;
-        struct task_smack *oldtsp;
         struct cred *new;
         char *newsmack;
 
@@ -2737,21 +2714,13 @@ static int smack_setprocattr(struct task_struct *p, char *name,
         if (newsmack == smack_known_web.smk_known)
                 return -EPERM;
 
-        oldtsp = p->cred->security;
         new = prepare_creds();
         if (new == NULL)
                 return -ENOMEM;
 
-        tsp = new_task_smack(newsmack, oldtsp->smk_forked, GFP_KERNEL);
-        if (tsp == NULL) {
-                kfree(new);
-                return -ENOMEM;
-        }
-        rc = smk_copy_rules(&tsp->smk_rules, &oldtsp->smk_rules, GFP_KERNEL);
-        if (rc != 0)
-                return rc;
+        tsp = new->security;
+        tsp->smk_task = newsmack;
 
-        new->security = tsp;
         commit_creds(new);
         return size;
 }
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index b1b768e4049a..99929a50093a 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -49,6 +49,7 @@ enum smk_inos {
         SMK_LOAD_SELF2  = 15,   /* load task specific rules with long labels */
         SMK_ACCESS2     = 16,   /* make an access check with long labels */
         SMK_CIPSO2      = 17,   /* load long label -> CIPSO mapping */
+        SMK_REVOKE_SUBJ = 18,   /* set rules with subject label to '-' */
 };
 
 /*
@@ -1992,6 +1993,77 @@ static const struct file_operations smk_access2_ops = {
 };
 
 /**
+ * smk_write_revoke_subj - write() for /smack/revoke-subject
+ * @file: file pointer
+ * @buf: data from user space
+ * @count: bytes sent
+ * @ppos: where to start - must be 0
+ */
+static ssize_t smk_write_revoke_subj(struct file *file, const char __user *buf,
+                                size_t count, loff_t *ppos)
+{
+        char *data = NULL;
+        const char *cp = NULL;
+        struct smack_known *skp;
+        struct smack_rule *sp;
+        struct list_head *rule_list;
+        struct mutex *rule_lock;
+        int rc = count;
+
+        if (*ppos != 0)
+                return -EINVAL;
+
+        if (!smack_privileged(CAP_MAC_ADMIN))
+                return -EPERM;
+
+        if (count == 0 || count > SMK_LONGLABEL)
+                return -EINVAL;
+
+        data = kzalloc(count, GFP_KERNEL);
+        if (data == NULL)
+                return -ENOMEM;
+
+        if (copy_from_user(data, buf, count) != 0) {
+                rc = -EFAULT;
+                goto free_out;
+        }
+
+        cp = smk_parse_smack(data, count);
+        if (cp == NULL) {
+                rc = -EINVAL;
+                goto free_out;
+        }
+
+        skp = smk_find_entry(cp);
+        if (skp == NULL) {
+                rc = -EINVAL;
+                goto free_out;
+        }
+
+        rule_list = &skp->smk_rules;
+        rule_lock = &skp->smk_rules_lock;
+
+        mutex_lock(rule_lock);
+
+        list_for_each_entry_rcu(sp, rule_list, list)
+                sp->smk_access = 0;
+
+        mutex_unlock(rule_lock);
+
+free_out:
+        kfree(data);
+        kfree(cp);
+        return rc;
+}
+
+static const struct file_operations smk_revoke_subj_ops = {
+        .write          = smk_write_revoke_subj,
+        .read           = simple_transaction_read,
+        .release        = simple_transaction_release,
+        .llseek         = generic_file_llseek,
+};
+
+/**
  * smk_fill_super - fill the /smackfs superblock
  * @sb: the empty superblock
  * @data: unused
@@ -2037,6 +2109,9 @@ static int smk_fill_super(struct super_block *sb, void *data, int silent)
                         "access2", &smk_access2_ops, S_IRUGO|S_IWUGO},
                 [SMK_CIPSO2] = {
                         "cipso2", &smk_cipso2_ops, S_IRUGO|S_IWUSR},
+                [SMK_REVOKE_SUBJ] = {
+                        "revoke-subject", &smk_revoke_subj_ops,
+                        S_IRUGO|S_IWUSR},
                 /* last one */
                         {""}
         };
diff --git a/security/yama/Kconfig b/security/yama/Kconfig
index 51d6709d8bbd..20ef5143c0c0 100644
--- a/security/yama/Kconfig
+++ b/security/yama/Kconfig
@@ -11,3 +11,11 @@ config SECURITY_YAMA
           Further information can be found in Documentation/security/Yama.txt.
 
           If you are unsure how to answer this question, answer N.
+
+config SECURITY_YAMA_STACKED
+        bool "Yama stacked with other LSMs"
+        depends on SECURITY_YAMA
+        default n
+        help
+          When Yama is built into the kernel, force it to stack with the
+          selected primary LSM.
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
index 0cc99a3ea42d..b4c29848b49d 100644
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -100,7 +100,7 @@ static void yama_ptracer_del(struct task_struct *tracer,
  * yama_task_free - check for task_pid to remove from exception list
  * @task: task being removed
  */
-static void yama_task_free(struct task_struct *task)
+void yama_task_free(struct task_struct *task)
 {
         yama_ptracer_del(task, task);
 }
@@ -116,7 +116,7 @@ static void yama_task_free(struct task_struct *task)
  * Return 0 on success, -ve on error.  -ENOSYS is returned when Yama
  * does not handle the given option.
  */
-static int yama_task_prctl(int option, unsigned long arg2, unsigned long arg3,
+int yama_task_prctl(int option, unsigned long arg2, unsigned long arg3,
                            unsigned long arg4, unsigned long arg5)
 {
         int rc;
@@ -143,7 +143,7 @@ static int yama_task_prctl(int option, unsigned long arg2, unsigned long arg3,
                 if (arg2 == 0) {
                         yama_ptracer_del(NULL, myself);
                         rc = 0;
-                } else if (arg2 == PR_SET_PTRACER_ANY) {
+                } else if (arg2 == PR_SET_PTRACER_ANY || (int)arg2 == -1) {
                         rc = yama_ptracer_add(NULL, myself);
                 } else {
                         struct task_struct *tracer;
@@ -243,7 +243,7 @@ static int ptracer_exception_found(struct task_struct *tracer,
  *
  * Returns 0 if following the ptrace is allowed, -ve on error.
  */
-static int yama_ptrace_access_check(struct task_struct *child,
+int yama_ptrace_access_check(struct task_struct *child,
                                     unsigned int mode)
 {
         int rc;
@@ -293,7 +293,7 @@ static int yama_ptrace_access_check(struct task_struct *child,
  *
  * Returns 0 if following the ptrace is allowed, -ve on error.
  */
-static int yama_ptrace_traceme(struct task_struct *parent)
+int yama_ptrace_traceme(struct task_struct *parent)
 {
         int rc;
 
@@ -324,6 +324,7 @@ static int yama_ptrace_traceme(struct task_struct *parent)
         return rc;
 }
 
+#ifndef CONFIG_SECURITY_YAMA_STACKED
 static struct security_operations yama_ops = {
         .name =                 "yama",
 
@@ -332,6 +333,7 @@ static struct security_operations yama_ops = {
         .task_prctl =           yama_task_prctl,
         .task_free =            yama_task_free,
 };
+#endif
 
 #ifdef CONFIG_SYSCTL
 static int yama_dointvec_minmax(struct ctl_table *table, int write,
@@ -378,13 +380,17 @@ static struct ctl_table yama_sysctl_table[] = {
 
 static __init int yama_init(void)
 {
+#ifndef CONFIG_SECURITY_YAMA_STACKED
         if (!security_module_enable(&yama_ops))
                 return 0;
+#endif
 
         printk(KERN_INFO "Yama: becoming mindful.\n");
 
+#ifndef CONFIG_SECURITY_YAMA_STACKED
         if (register_security(&yama_ops))
                 panic("Yama: kernel registration failed.\n");
+#endif
 
 #ifdef CONFIG_SYSCTL
         if (!register_sysctl_paths(yama_sysctl_path, yama_sysctl_table))