Merge tag 'v3.14' into next

Linux 3.14

17 files changed, 260 insertions, 158 deletions

diff --git a/security/Kconfig b/security/Kconfig
index e9c6ac724fef..beb86b500adf 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -103,7 +103,7 @@ config INTEL_TXT
 config LSM_MMAP_MIN_ADDR
         int "Low address space for LSM to protect from user allocation"
         depends on SECURITY && SECURITY_SELINUX
-        default 32768 if ARM
+        default 32768 if ARM || (ARM64 && COMPAT)
         default 65536
         help
           This is the portion of low virtual memory which should be protected
diff --git a/security/capability.c b/security/capability.c
index 8b4f24ae4338..21e2b9cae685 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -757,7 +757,8 @@ static void cap_skb_owned_by(struct sk_buff *skb, struct sock *sk)
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
 static int cap_xfrm_policy_alloc_security(struct xfrm_sec_ctx **ctxp,
-                                          struct xfrm_user_sec_ctx *sec_ctx)
+                                          struct xfrm_user_sec_ctx *sec_ctx,
+                                          gfp_t gfp)
 {
         return 0;
 }
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 7c2a0a71049e..d3b6d2cd3a06 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -274,10 +274,9 @@ static void set_majmin(char *str, unsigned m)
                 sprintf(str, "%u", m);
 }
 
-static int devcgroup_seq_read(struct cgroup_subsys_state *css,
-                              struct cftype *cft, struct seq_file *m)
+static int devcgroup_seq_show(struct seq_file *m, void *v)
 {
-        struct dev_cgroup *devcgroup = css_to_devcgroup(css);
+        struct dev_cgroup *devcgroup = css_to_devcgroup(seq_css(m));
         struct dev_exception_item *ex;
         char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN];
 
@@ -679,7 +678,7 @@ static struct cftype dev_cgroup_files[] = {
         },
         {
                 .name = "list",
-                .read_seq_string = devcgroup_seq_read,
+                .seq_show = devcgroup_seq_show,
                 .private = DEVCG_LIST,
         },
         { }     /* terminate */
diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
index c38adcc910fb..1683bbf289a4 100644
--- a/security/integrity/ima/ima_template_lib.c
+++ b/security/integrity/ima/ima_template_lib.c
@@ -162,8 +162,7 @@ void ima_show_template_sig(struct seq_file *m, enum ima_show_type show,
 }
 
 static int ima_eventdigest_init_common(u8 *digest, u32 digestsize, u8 hash_algo,
-                                       struct ima_field_data *field_data,
-                                       bool size_limit)
+                                       struct ima_field_data *field_data)
 {
         /*
          * digest formats:
@@ -176,11 +175,10 @@ static int ima_eventdigest_init_common(u8 *digest, u32 digestsize, u8 hash_algo,
         enum data_formats fmt = DATA_FMT_DIGEST;
         u32 offset = 0;
 
-        if (!size_limit) {
+        if (hash_algo < HASH_ALGO__LAST) {
                 fmt = DATA_FMT_DIGEST_WITH_ALGO;
-                if (hash_algo < HASH_ALGO__LAST)
-                        offset += snprintf(buffer, CRYPTO_MAX_ALG_NAME + 1,
-                                           "%s", hash_algo_name[hash_algo]);
+                offset += snprintf(buffer, CRYPTO_MAX_ALG_NAME + 1, "%s",
+                                   hash_algo_name[hash_algo]);
                 buffer[offset] = ':';
                 offset += 2;
         }
@@ -243,8 +241,8 @@ int ima_eventdigest_init(struct integrity_iint_cache *iint, struct file *file,
         cur_digest = hash.hdr.digest;
         cur_digestsize = hash.hdr.length;
 out:
-        return ima_eventdigest_init_common(cur_digest, cur_digestsize, -1,
-                                           field_data, true);
+        return ima_eventdigest_init_common(cur_digest, cur_digestsize,
+                                           HASH_ALGO__LAST, field_data);
 }
 
 /*
@@ -255,7 +253,7 @@ int ima_eventdigest_ng_init(struct integrity_iint_cache *iint,
                             struct evm_ima_xattr_data *xattr_value,
                             int xattr_len, struct ima_field_data *field_data)
 {
-        u8 *cur_digest = NULL, hash_algo = HASH_ALGO__LAST;
+        u8 *cur_digest = NULL, hash_algo = HASH_ALGO_SHA1;
         u32 cur_digestsize = 0;
 
         /* If iint is NULL, we are recording a violation. */
@@ -268,7 +266,7 @@ int ima_eventdigest_ng_init(struct integrity_iint_cache *iint,
         hash_algo = iint->ima_hash->algo;
 out:
         return ima_eventdigest_init_common(cur_digest, cur_digestsize,
-                                           hash_algo, field_data, false);
+                                           hash_algo, field_data);
 }
 
 static int ima_eventname_init_common(struct integrity_iint_cache *iint,
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index d46cbc5e335e..2fb2576dc644 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -1000,7 +1000,11 @@ static int keyring_detect_cycle_iterator(const void *object,
 
         kenter("{%d}", key->serial);
 
-        BUG_ON(key != ctx->match_data);
+        /* We might get a keyring with matching index-key that is nonetheless a
+         * different keyring. */
+        if (key != ctx->match_data)
+                return 0;
+
         ctx->result = ERR_PTR(-EDEADLK);
         return 1;
 }
diff --git a/security/security.c b/security/security.c
index 15b6928592ef..919cad93ac82 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1317,9 +1317,11 @@ void security_skb_owned_by(struct sk_buff *skb, struct sock *sk)
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
 
-int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_user_sec_ctx *sec_ctx)
+int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
+                               struct xfrm_user_sec_ctx *sec_ctx,
+                               gfp_t gfp)
 {
-        return security_ops->xfrm_policy_alloc_security(ctxp, sec_ctx);
+        return security_ops->xfrm_policy_alloc_security(ctxp, sec_ctx, gfp);
 }
 EXPORT_SYMBOL(security_xfrm_policy_alloc);
 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 8b1656f053f8..d58946dca8c9 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -668,7 +668,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
                 if (flags[i] == SBLABEL_MNT)
                         continue;
                 rc = security_context_to_sid(mount_options[i],
-                                             strlen(mount_options[i]), &sid);
+                                             strlen(mount_options[i]), &sid, GFP_KERNEL);
                 if (rc) {
                         printk(KERN_WARNING "SELinux: security_context_to_sid"
                                "(%s) failed for (dev %s, type %s) errno=%d\n",
@@ -2507,7 +2507,8 @@ static int selinux_sb_remount(struct super_block *sb, void *data)
                 if (flags[i] == SBLABEL_MNT)
                         continue;
                 len = strlen(mount_options[i]);
-                rc = security_context_to_sid(mount_options[i], len, &sid);
+                rc = security_context_to_sid(mount_options[i], len, &sid,
+                                             GFP_KERNEL);
                 if (rc) {
                         printk(KERN_WARNING "SELinux: security_context_to_sid"
                                "(%s) failed for (dev %s, type %s) errno=%d\n",
@@ -2911,7 +2912,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
         if (rc)
                 return rc;
 
-        rc = security_context_to_sid(value, size, &newsid);
+        rc = security_context_to_sid(value, size, &newsid, GFP_KERNEL);
         if (rc == -EINVAL) {
                 if (!capable(CAP_MAC_ADMIN)) {
                         struct audit_buffer *ab;
@@ -3068,7 +3069,7 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name,
         if (!value || !size)
                 return -EACCES;
 
-        rc = security_context_to_sid((void *)value, size, &newsid);
+        rc = security_context_to_sid((void *)value, size, &newsid, GFP_KERNEL);
         if (rc)
                 return rc;
 
@@ -5543,7 +5544,7 @@ static int selinux_setprocattr(struct task_struct *p,
                         str[size-1] = 0;
                         size--;
                 }
-                error = security_context_to_sid(value, size, &sid);
+                error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
                         if (!capable(CAP_MAC_ADMIN)) {
                                 struct audit_buffer *ab;
@@ -5652,7 +5653,7 @@ static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
 
 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
 {
-        return security_context_to_sid(secdata, seclen, secid);
+        return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
 }
 
 static void selinux_release_secctx(char *secdata, u32 seclen)
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 8ed8daf7f1ee..ce7852cf526b 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -134,7 +134,7 @@ int security_sid_to_context(u32 sid, char **scontext,
 int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len);
 
 int security_context_to_sid(const char *scontext, u32 scontext_len,
-        u32 *out_sid);
+                            u32 *out_sid, gfp_t gfp);
 
 int security_context_to_sid_default(const char *scontext, u32 scontext_len,
                                     u32 *out_sid, u32 def_sid, gfp_t gfp_flags);
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index 48c3cc94c168..9f0584710c85 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -10,7 +10,8 @@
 #include <net/flow.h>
 
 int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
-                              struct xfrm_user_sec_ctx *uctx);
+                              struct xfrm_user_sec_ctx *uctx,
+                              gfp_t gfp);
 int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
                               struct xfrm_sec_ctx **new_ctxp);
 void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx);
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index 332ac8a80cf5..2df7b900e259 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -17,6 +17,7 @@
 #include <linux/inet_diag.h>
 #include <linux/xfrm.h>
 #include <linux/audit.h>
+#include <linux/sock_diag.h>
 
 #include "flask.h"
 #include "av_permissions.h"
@@ -78,6 +79,7 @@ static struct nlmsg_perm nlmsg_tcpdiag_perms[] =
 {
         { TCPDIAG_GETSOCK,      NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
         { DCCPDIAG_GETSOCK,     NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
+        { SOCK_DIAG_BY_FAMILY,  NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
 };
 
 static struct nlmsg_perm nlmsg_xfrm_perms[] =
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 5122affe06a8..d60c0ee66387 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -576,7 +576,7 @@ static ssize_t sel_write_context(struct file *file, char *buf, size_t size)
         if (length)
                 goto out;
 
-        length = security_context_to_sid(buf, size, &sid);
+        length = security_context_to_sid(buf, size, &sid, GFP_KERNEL);
         if (length)
                 goto out;
 
@@ -731,11 +731,13 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size)
         if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3)
                 goto out;
 
-        length = security_context_to_sid(scon, strlen(scon) + 1, &ssid);
+        length = security_context_to_sid(scon, strlen(scon) + 1, &ssid,
+                                         GFP_KERNEL);
         if (length)
                 goto out;
 
-        length = security_context_to_sid(tcon, strlen(tcon) + 1, &tsid);
+        length = security_context_to_sid(tcon, strlen(tcon) + 1, &tsid,
+                                         GFP_KERNEL);
         if (length)
                 goto out;
 
@@ -817,11 +819,13 @@ static ssize_t sel_write_create(struct file *file, char *buf, size_t size)
                 objname = namebuf;
         }
 
-        length = security_context_to_sid(scon, strlen(scon) + 1, &ssid);
+        length = security_context_to_sid(scon, strlen(scon) + 1, &ssid,
+                                         GFP_KERNEL);
         if (length)
                 goto out;
 
-        length = security_context_to_sid(tcon, strlen(tcon) + 1, &tsid);
+        length = security_context_to_sid(tcon, strlen(tcon) + 1, &tsid,
+                                         GFP_KERNEL);
         if (length)
                 goto out;
 
@@ -878,11 +882,13 @@ static ssize_t sel_write_relabel(struct file *file, char *buf, size_t size)
         if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3)
                 goto out;
 
-        length = security_context_to_sid(scon, strlen(scon) + 1, &ssid);
+        length = security_context_to_sid(scon, strlen(scon) + 1, &ssid,
+                                         GFP_KERNEL);
         if (length)
                 goto out;
 
-        length = security_context_to_sid(tcon, strlen(tcon) + 1, &tsid);
+        length = security_context_to_sid(tcon, strlen(tcon) + 1, &tsid,
+                                         GFP_KERNEL);
         if (length)
                 goto out;
 
@@ -934,7 +940,7 @@ static ssize_t sel_write_user(struct file *file, char *buf, size_t size)
         if (sscanf(buf, "%s %s", con, user) != 2)
                 goto out;
 
-        length = security_context_to_sid(con, strlen(con) + 1, &sid);
+        length = security_context_to_sid(con, strlen(con) + 1, &sid, GFP_KERNEL);
         if (length)
                 goto out;
 
@@ -994,11 +1000,13 @@ static ssize_t sel_write_member(struct file *file, char *buf, size_t size)
         if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3)
                 goto out;
 
-        length = security_context_to_sid(scon, strlen(scon) + 1, &ssid);
+        length = security_context_to_sid(scon, strlen(scon) + 1, &ssid,
+                                         GFP_KERNEL);
         if (length)
                 goto out;
 
-        length = security_context_to_sid(tcon, strlen(tcon) + 1, &tsid);
+        length = security_context_to_sid(tcon, strlen(tcon) + 1, &tsid,
+                                         GFP_KERNEL);
         if (length)
                 goto out;
 
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index c0f498842129..9c5cdc2caaef 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -3338,10 +3338,10 @@ static int filename_write_helper(void *key, void *data, void *ptr)
         if (rc)
                 return rc;
 
-        buf[0] = ft->stype;
-        buf[1] = ft->ttype;
-        buf[2] = ft->tclass;
-        buf[3] = otype->otype;
+        buf[0] = cpu_to_le32(ft->stype);
+        buf[1] = cpu_to_le32(ft->ttype);
+        buf[2] = cpu_to_le32(ft->tclass);
+        buf[3] = cpu_to_le32(otype->otype);
 
         rc = put_entry(buf, sizeof(u32), 4, fp);
         if (rc)
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index fc5a63a05a1c..4bca49414a40 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1232,6 +1232,10 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
         struct context context;
         int rc = 0;
 
+        /* An empty security context is never valid. */
+        if (!scontext_len)
+                return -EINVAL;
+
         if (!ss_initialized) {
                 int i;
 
@@ -1285,16 +1289,18 @@ out:
  * @scontext: security context
  * @scontext_len: length in bytes
  * @sid: security identifier, SID
+ * @gfp: context for the allocation
  *
  * Obtains a SID associated with the security context that
  * has the string representation specified by @scontext.
  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
  * memory is available, or 0 on success.
  */
-int security_context_to_sid(const char *scontext, u32 scontext_len, u32 *sid)
+int security_context_to_sid(const char *scontext, u32 scontext_len, u32 *sid,
+                            gfp_t gfp)
 {
         return security_context_to_sid_core(scontext, scontext_len,
-                                            sid, SECSID_NULL, GFP_KERNEL, 0);
+                                            sid, SECSID_NULL, gfp, 0);
 }
 
 /**
@@ -2948,25 +2954,21 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
         struct selinux_audit_rule *rule = vrule;
         int match = 0;
 
-        if (!rule) {
-                audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
-                          "selinux_audit_rule_match: missing rule\n");
+        if (unlikely(!rule)) {
+                WARN_ONCE(1, "selinux_audit_rule_match: missing rule\n");
                 return -ENOENT;
         }
 
         read_lock(&policy_rwlock);
 
         if (rule->au_seqno < latest_granting) {
-                audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
-                          "selinux_audit_rule_match: stale rule\n");
                 match = -ESTALE;
                 goto out;
         }
 
         ctxt = sidtab_search(&sidtab, sid);
-        if (!ctxt) {
-                audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
-                          "selinux_audit_rule_match: unrecognized SID %d\n",
+        if (unlikely(!ctxt)) {
+                WARN_ONCE(1, "selinux_audit_rule_match: unrecognized SID %d\n",
                           sid);
                 match = -ENOENT;
                 goto out;
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 0462cb3ff0a7..98b042630a9e 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -78,7 +78,8 @@ static inline int selinux_authorizable_xfrm(struct xfrm_state *x)
  * xfrm_user_sec_ctx context.
  */
 static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp,
-                                   struct xfrm_user_sec_ctx *uctx)
+                                   struct xfrm_user_sec_ctx *uctx,
+                                   gfp_t gfp)
 {
         int rc;
         const struct task_security_struct *tsec = current_security();
@@ -94,7 +95,7 @@ static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp,
         if (str_len >= PAGE_SIZE)
                 return -ENOMEM;
 
-        ctx = kmalloc(sizeof(*ctx) + str_len + 1, GFP_KERNEL);
+        ctx = kmalloc(sizeof(*ctx) + str_len + 1, gfp);
         if (!ctx)
                 return -ENOMEM;
 
@@ -103,7 +104,7 @@ static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp,
         ctx->ctx_len = str_len;
         memcpy(ctx->ctx_str, &uctx[1], str_len);
         ctx->ctx_str[str_len] = '\0';
-        rc = security_context_to_sid(ctx->ctx_str, str_len, &ctx->ctx_sid);
+        rc = security_context_to_sid(ctx->ctx_str, str_len, &ctx->ctx_sid, gfp);
         if (rc)
                 goto err;
 
@@ -282,9 +283,10 @@ int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid)
  * LSM hook implementation that allocs and transfers uctx spec to xfrm_policy.
  */
 int selinux_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
-                              struct xfrm_user_sec_ctx *uctx)
+                              struct xfrm_user_sec_ctx *uctx,
+                              gfp_t gfp)
 {
-        return selinux_xfrm_alloc_user(ctxp, uctx);
+        return selinux_xfrm_alloc_user(ctxp, uctx, gfp);
 }
 
 /*
@@ -332,7 +334,7 @@ int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
 int selinux_xfrm_state_alloc(struct xfrm_state *x,
                              struct xfrm_user_sec_ctx *uctx)
 {
-        return selinux_xfrm_alloc_user(&x->security, uctx);
+        return selinux_xfrm_alloc_user(&x->security, uctx, GFP_KERNEL);
 }
 
 /*
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 364cc64fce71..d072fd32212d 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -241,7 +241,8 @@ u32 smack_to_secid(const char *);
 extern int smack_cipso_direct;
 extern int smack_cipso_mapped;
 extern struct smack_known *smack_net_ambient;
-extern char *smack_onlycap;
+extern struct smack_known *smack_onlycap;
+extern struct smack_known *smack_syslog_label;
 extern const char *smack_cipso_option;
 
 extern struct smack_known smack_known_floor;
@@ -312,7 +313,7 @@ static inline int smack_privileged(int cap)
 
         if (!capable(cap))
                 return 0;
-        if (smack_onlycap == NULL || smack_onlycap == skp->smk_known)
+        if (smack_onlycap == NULL || smack_onlycap == skp)
                 return 1;
         return 0;
 }
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index b0be893ad44d..14f52be78c75 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -219,8 +219,6 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
  * smack_syslog - Smack approval on syslog
  * @type: message type
  *
- * Require that the task has the floor label
- *
  * Returns 0 on success, error code otherwise.
  */
 static int smack_syslog(int typefrom_file)
@@ -231,7 +229,7 @@ static int smack_syslog(int typefrom_file)
         if (smack_privileged(CAP_MAC_OVERRIDE))
                 return 0;
 
-         if (skp != &smack_known_floor)
+        if (smack_syslog_label != NULL && smack_syslog_label != skp)
                 rc = -EACCES;
 
         return rc;
@@ -341,10 +339,12 @@ static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data)
         struct inode *inode = root->d_inode;
         struct superblock_smack *sp = sb->s_security;
         struct inode_smack *isp;
+        struct smack_known *skp;
         char *op;
         char *commap;
         char *nsp;
         int transmute = 0;
+        int specified = 0;
 
         if (sp->smk_initialized)
                 return 0;
@@ -359,34 +359,56 @@ static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data)
                 if (strncmp(op, SMK_FSHAT, strlen(SMK_FSHAT)) == 0) {
                         op += strlen(SMK_FSHAT);
                         nsp = smk_import(op, 0);
-                        if (nsp != NULL)
+                        if (nsp != NULL) {
                                 sp->smk_hat = nsp;
+                                specified = 1;
+                        }
                 } else if (strncmp(op, SMK_FSFLOOR, strlen(SMK_FSFLOOR)) == 0) {
                         op += strlen(SMK_FSFLOOR);
                         nsp = smk_import(op, 0);
-                        if (nsp != NULL)
+                        if (nsp != NULL) {
                                 sp->smk_floor = nsp;
+                                specified = 1;
+                        }
                 } else if (strncmp(op, SMK_FSDEFAULT,
                                    strlen(SMK_FSDEFAULT)) == 0) {
                         op += strlen(SMK_FSDEFAULT);
                         nsp = smk_import(op, 0);
-                        if (nsp != NULL)
+                        if (nsp != NULL) {
                                 sp->smk_default = nsp;
+                                specified = 1;
+                        }
                 } else if (strncmp(op, SMK_FSROOT, strlen(SMK_FSROOT)) == 0) {
                         op += strlen(SMK_FSROOT);
                         nsp = smk_import(op, 0);
-                        if (nsp != NULL)
+                        if (nsp != NULL) {
                                 sp->smk_root = nsp;
+                                specified = 1;
+                        }
                 } else if (strncmp(op, SMK_FSTRANS, strlen(SMK_FSTRANS)) == 0) {
                         op += strlen(SMK_FSTRANS);
                         nsp = smk_import(op, 0);
                         if (nsp != NULL) {
                                 sp->smk_root = nsp;
                                 transmute = 1;
+                                specified = 1;
                         }
                 }
         }
 
+        if (!smack_privileged(CAP_MAC_ADMIN)) {
+                /*
+                 * Unprivileged mounts don't get to specify Smack values.
+                 */
+                if (specified)
+                        return -EPERM;
+                /*
+                 * Unprivileged mounts get root and default from the caller.
+                 */
+                skp = smk_of_current();
+                sp->smk_root = skp->smk_known;
+                sp->smk_default = skp->smk_known;
+        }
         /*
          * Initialize the root inode.
          */
@@ -423,53 +445,6 @@ static int smack_sb_statfs(struct dentry *dentry)
         return rc;
 }
 
-/**
- * smack_sb_mount - Smack check for mounting
- * @dev_name: unused
- * @path: mount point
- * @type: unused
- * @flags: unused
- * @data: unused
- *
- * Returns 0 if current can write the floor of the filesystem
- * being mounted on, an error code otherwise.
- */
-static int smack_sb_mount(const char *dev_name, struct path *path,
-                          const char *type, unsigned long flags, void *data)
-{
-        struct superblock_smack *sbp = path->dentry->d_sb->s_security;
-        struct smk_audit_info ad;
-
-        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
-        smk_ad_setfield_u_fs_path(&ad, *path);
-
-        return smk_curacc(sbp->smk_floor, MAY_WRITE, &ad);
-}
-
-/**
- * smack_sb_umount - Smack check for unmounting
- * @mnt: file system to unmount
- * @flags: unused
- *
- * Returns 0 if current can write the floor of the filesystem
- * being unmounted, an error code otherwise.
- */
-static int smack_sb_umount(struct vfsmount *mnt, int flags)
-{
-        struct superblock_smack *sbp;
-        struct smk_audit_info ad;
-        struct path path;
-
-        path.dentry = mnt->mnt_root;
-        path.mnt = mnt;
-
-        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
-        smk_ad_setfield_u_fs_path(&ad, path);
-
-        sbp = path.dentry->d_sb->s_security;
-        return smk_curacc(sbp->smk_floor, MAY_WRITE, &ad);
-}
-
 /*
  * BPRM hooks
  */
@@ -837,31 +812,43 @@ static int smack_inode_setxattr(struct dentry *dentry, const char *name,
                                 const void *value, size_t size, int flags)
 {
         struct smk_audit_info ad;
+        struct smack_known *skp;
+        int check_priv = 0;
+        int check_import = 0;
+        int check_star = 0;
         int rc = 0;
 
+        /*
+         * Check label validity here so import won't fail in post_setxattr
+         */
         if (strcmp(name, XATTR_NAME_SMACK) == 0 ||
             strcmp(name, XATTR_NAME_SMACKIPIN) == 0 ||
-            strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 ||
-            strcmp(name, XATTR_NAME_SMACKEXEC) == 0 ||
-            strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
-                if (!smack_privileged(CAP_MAC_ADMIN))
-                        rc = -EPERM;
-                /*
-                 * check label validity here so import wont fail on
-                 * post_setxattr
-                 */
-                if (size == 0 || size >= SMK_LONGLABEL ||
-                    smk_import(value, size) == NULL)
-                        rc = -EINVAL;
+            strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) {
+                check_priv = 1;
+                check_import = 1;
+        } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 ||
+                   strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
+                check_priv = 1;
+                check_import = 1;
+                check_star = 1;
         } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) {
-                if (!smack_privileged(CAP_MAC_ADMIN))
-                        rc = -EPERM;
+                check_priv = 1;
                 if (size != TRANS_TRUE_SIZE ||
                     strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0)
                         rc = -EINVAL;
         } else
                 rc = cap_inode_setxattr(dentry, name, value, size, flags);
 
+        if (check_priv && !smack_privileged(CAP_MAC_ADMIN))
+                rc = -EPERM;
+
+        if (rc == 0 && check_import) {
+                skp = smk_import_entry(value, size);
+                if (skp == NULL || (check_star &&
+                    (skp == &smack_known_star || skp == &smack_known_web)))
+                        rc = -EINVAL;
+        }
+
         smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
         smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
 
@@ -1364,7 +1351,7 @@ static int smack_file_receive(struct file *file)
         int may = 0;
         struct smk_audit_info ad;
 
-        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
+        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
         smk_ad_setfield_u_fs_path(&ad, file->f_path);
         /*
          * This code relies on bitmasks.
@@ -2847,8 +2834,17 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
                         if (rc >= 0)
                                 transflag = SMK_INODE_TRANSMUTE;
                 }
-                isp->smk_task = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp);
-                isp->smk_mmap = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp);
+                /*
+                 * Don't let the exec or mmap label be "*" or "@".
+                 */
+                skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp);
+                if (skp == &smack_known_star || skp == &smack_known_web)
+                        skp = NULL;
+                isp->smk_task = skp;
+                skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp);
+                if (skp == &smack_known_star || skp == &smack_known_web)
+                        skp = NULL;
+                isp->smk_mmap = skp;
 
                 dput(dp);
                 break;
@@ -3620,9 +3616,8 @@ static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule,
         struct smack_known *skp;
         char *rule = vrule;
 
-        if (!rule) {
-                audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
-                          "Smack: missing rule\n");
+        if (unlikely(!rule)) {
+                WARN_ONCE(1, "Smack: missing rule\n");
                 return -ENOENT;
         }
 
@@ -3743,8 +3738,6 @@ struct security_operations smack_ops = {
         .sb_copy_data =                 smack_sb_copy_data,
         .sb_kern_mount =                smack_sb_kern_mount,
         .sb_statfs =                    smack_sb_statfs,
-        .sb_mount =                     smack_sb_mount,
-        .sb_umount =                    smack_sb_umount,
 
         .bprm_set_creds =               smack_bprm_set_creds,
         .bprm_committing_creds =        smack_bprm_committing_creds,
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 160aa08e3cd5..3198cfe1dcc6 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -52,6 +52,7 @@ enum smk_inos {
         SMK_CIPSO2      = 17,   /* load long label -> CIPSO mapping */
         SMK_REVOKE_SUBJ = 18,   /* set rules with subject label to '-' */
         SMK_CHANGE_RULE = 19,   /* change or add rules (long labels) */
+        SMK_SYSLOG      = 20,   /* change syslog label) */
 };
 
 /*
@@ -59,6 +60,7 @@ enum smk_inos {
  */
 static DEFINE_MUTEX(smack_cipso_lock);
 static DEFINE_MUTEX(smack_ambient_lock);
+static DEFINE_MUTEX(smack_syslog_lock);
 static DEFINE_MUTEX(smk_netlbladdr_lock);
 
 /*
@@ -90,7 +92,13 @@ int smack_cipso_mapped = SMACK_CIPSO_MAPPED_DEFAULT;
  * everyone. It is expected that the hat (^) label
  * will be used if any label is used.
  */
-char *smack_onlycap;
+struct smack_known *smack_onlycap;
+
+/*
+ * If this value is set restrict syslog use to the label specified.
+ * It can be reset via smackfs/syslog
+ */
+struct smack_known *smack_syslog_label;
 
 /*
  * Certain IP addresses may be designated as single label hosts.
@@ -301,7 +309,8 @@ static int smk_perm_from_str(const char *string)
  * @import: if non-zero, import labels
  * @len: label length limit
  *
- * Returns 0 on success, -1 on failure
+ * Returns 0 on success, -EINVAL on failure and -ENOENT when either subject
+ * or object is missing.
  */
 static int smk_fill_rule(const char *subject, const char *object,
                                 const char *access1, const char *access2,
@@ -314,28 +323,28 @@ static int smk_fill_rule(const char *subject, const char *object,
         if (import) {
                 rule->smk_subject = smk_import_entry(subject, len);
                 if (rule->smk_subject == NULL)
-                        return -1;
+                        return -EINVAL;
 
                 rule->smk_object = smk_import(object, len);
                 if (rule->smk_object == NULL)
-                        return -1;
+                        return -EINVAL;
         } else {
                 cp = smk_parse_smack(subject, len);
                 if (cp == NULL)
-                        return -1;
+                        return -EINVAL;
                 skp = smk_find_entry(cp);
                 kfree(cp);
                 if (skp == NULL)
-                        return -1;
+                        return -ENOENT;
                 rule->smk_subject = skp;
 
                 cp = smk_parse_smack(object, len);
                 if (cp == NULL)
-                        return -1;
+                        return -EINVAL;
                 skp = smk_find_entry(cp);
                 kfree(cp);
                 if (skp == NULL)
-                        return -1;
+                        return -ENOENT;
                 rule->smk_object = skp->smk_known;
         }
 
@@ -381,6 +390,7 @@ static ssize_t smk_parse_long_rule(char *data, struct smack_parsed_rule *rule,
 {
         ssize_t cnt = 0;
         char *tok[4];
+        int rc;
         int i;
 
         /*
@@ -405,10 +415,8 @@ static ssize_t smk_parse_long_rule(char *data, struct smack_parsed_rule *rule,
         while (i < 4)
                 tok[i++] = NULL;
 
-        if (smk_fill_rule(tok[0], tok[1], tok[2], tok[3], rule, import, 0))
-                return -1;
-
-        return cnt;
+        rc = smk_fill_rule(tok[0], tok[1], tok[2], tok[3], rule, import, 0);
+        return rc == 0 ? cnt : rc;
 }
 
 #define SMK_FIXED24_FMT 0       /* Fixed 24byte label format */
@@ -1603,7 +1611,7 @@ static const struct file_operations smk_ambient_ops = {
 };
 
 /**
- * smk_read_onlycap - read() for /smack/onlycap
+ * smk_read_onlycap - read() for smackfs/onlycap
  * @filp: file pointer, not actually used
  * @buf: where to put the result
  * @cn: maximum to send along
@@ -1622,7 +1630,7 @@ static ssize_t smk_read_onlycap(struct file *filp, char __user *buf,
                 return 0;
 
         if (smack_onlycap != NULL)
-                smack = smack_onlycap;
+                smack = smack_onlycap->smk_known;
 
         asize = strlen(smack) + 1;
 
@@ -1633,7 +1641,7 @@ static ssize_t smk_read_onlycap(struct file *filp, char __user *buf,
 }
 
 /**
- * smk_write_onlycap - write() for /smack/onlycap
+ * smk_write_onlycap - write() for smackfs/onlycap
  * @file: file pointer, not actually used
  * @buf: where to get the data from
  * @count: bytes sent
@@ -1656,7 +1664,7 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
          * explicitly for clarity. The smk_access() implementation
          * would use smk_access(smack_onlycap, MAY_WRITE)
          */
-        if (smack_onlycap != NULL && smack_onlycap != skp->smk_known)
+        if (smack_onlycap != NULL && smack_onlycap != skp)
                 return -EPERM;
 
         data = kzalloc(count, GFP_KERNEL);
@@ -1676,7 +1684,7 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
         if (copy_from_user(data, buf, count) != 0)
                 rc = -EFAULT;
         else
-                smack_onlycap = smk_import(data, count);
+                smack_onlycap = smk_import_entry(data, count);
 
         kfree(data);
         return rc;
@@ -1856,11 +1864,12 @@ static ssize_t smk_user_access(struct file *file, const char __user *buf,
                 res = smk_parse_long_rule(data, &rule, 0, 3);
         }
 
-        if (res < 0)
+        if (res >= 0)
+                res = smk_access(rule.smk_subject, rule.smk_object,
+                                 rule.smk_access1, NULL);
+        else if (res != -ENOENT)
                 return -EINVAL;
 
-        res = smk_access(rule.smk_subject, rule.smk_object,
-                                rule.smk_access1, NULL);
         data[0] = res == 0 ? '1' : '0';
         data[1] = '\0';
 
@@ -2143,7 +2152,7 @@ static ssize_t smk_write_change_rule(struct file *file, const char __user *buf,
         /*
          * Must have privilege.
          */
-        if (!capable(CAP_MAC_ADMIN))
+        if (!smack_privileged(CAP_MAC_ADMIN))
                 return -EPERM;
 
         return smk_write_rules_list(file, buf, count, ppos, NULL, NULL,
@@ -2158,12 +2167,89 @@ static const struct file_operations smk_change_rule_ops = {
 };
 
 /**
- * smk_fill_super - fill the /smackfs superblock
+ * smk_read_syslog - read() for smackfs/syslog
+ * @filp: file pointer, not actually used
+ * @buf: where to put the result
+ * @cn: maximum to send along
+ * @ppos: where to start
+ *
+ * Returns number of bytes read or error code, as appropriate
+ */
+static ssize_t smk_read_syslog(struct file *filp, char __user *buf,
+                                size_t cn, loff_t *ppos)
+{
+        struct smack_known *skp;
+        ssize_t rc = -EINVAL;
+        int asize;
+
+        if (*ppos != 0)
+                return 0;
+
+        if (smack_syslog_label == NULL)
+                skp = &smack_known_star;
+        else
+                skp = smack_syslog_label;
+
+        asize = strlen(skp->smk_known) + 1;
+
+        if (cn >= asize)
+                rc = simple_read_from_buffer(buf, cn, ppos, skp->smk_known,
+                                                asize);
+
+        return rc;
+}
+
+/**
+ * smk_write_syslog - write() for smackfs/syslog
+ * @file: file pointer, not actually used
+ * @buf: where to get the data from
+ * @count: bytes sent
+ * @ppos: where to start
+ *
+ * Returns number of bytes written or error code, as appropriate
+ */
+static ssize_t smk_write_syslog(struct file *file, const char __user *buf,
+                                size_t count, loff_t *ppos)
+{
+        char *data;
+        struct smack_known *skp;
+        int rc = count;
+
+        if (!smack_privileged(CAP_MAC_ADMIN))
+                return -EPERM;
+
+        data = kzalloc(count, GFP_KERNEL);
+        if (data == NULL)
+                return -ENOMEM;
+
+        if (copy_from_user(data, buf, count) != 0)
+                rc = -EFAULT;
+        else {
+                skp = smk_import_entry(data, count);
+                if (skp == NULL)
+                        rc = -EINVAL;
+                else
+                        smack_syslog_label = smk_import_entry(data, count);
+        }
+
+        kfree(data);
+        return rc;
+}
+
+static const struct file_operations smk_syslog_ops = {
+        .read           = smk_read_syslog,
+        .write          = smk_write_syslog,
+        .llseek         = default_llseek,
+};
+
+
+/**
+ * smk_fill_super - fill the smackfs superblock
  * @sb: the empty superblock
  * @data: unused
  * @silent: unused
  *
- * Fill in the well known entries for /smack
+ * Fill in the well known entries for the smack filesystem
  *
  * Returns 0 on success, an error code on failure
  */
@@ -2208,6 +2294,8 @@ static int smk_fill_super(struct super_block *sb, void *data, int silent)
                         S_IRUGO|S_IWUSR},
                 [SMK_CHANGE_RULE] = {
                         "change-rule", &smk_change_rule_ops, S_IRUGO|S_IWUSR},
+                [SMK_SYSLOG] = {
+                        "syslog", &smk_syslog_ops, S_IRUGO|S_IWUSR},
                 /* last one */
                         {""}
         };