Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux into fixes

The merge of the 'clk-for-linus' branch caused an automated merge failure. Pull that in here so we can fix the problem. Signed-off-by: Arnd Bergmann <arnd@arndb.de>
author: Arnd Bergmann <arnd@arndb.de> 2012-07-25 08:33:45 -0400
committer: Arnd Bergmann <arnd@arndb.de> 2012-07-25 08:35:04 -0400
commit: 8cef081c71dd4e16a01a1e63cedab21eef8b5735 (patch)
tree: b5b0fb5ab09dc60dee5fc8fd8e980359abbd1b1e /security
parent: 3d55c29fb24286f350f04021bef2dd799e25dd20 (diff)
parent: 9161c3b796a2841a9a7be3d9c9dd121269ce90e8 (diff)
19 files changed, 131 insertions, 97 deletions
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 35664fe6daa1..b9c1219924f1 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -38,8 +38,9 @@ config IMA_MEASURE_PCR_IDX
          measurement list.  If unsure, use the default 10.
 config IMA_AUDIT
-        bool
+        bool "Enables auditing support"
        depends on IMA
+        depends on AUDIT
        default y
        help
          This option adds a kernel parameter 'ima_audit', which
diff --git a/security/integrity/ima/Makefile b/security/integrity/ima/Makefile
index 5690c021de8f..5f740f6971e1 100644
--- a/security/integrity/ima/Makefile
+++ b/security/integrity/ima/Makefile
@@ -6,4 +6,5 @@
 obj-$(CONFIG_IMA) += ima.o
 ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \
-         ima_policy.o ima_audit.o
+         ima_policy.o
+ima-$(CONFIG_IMA_AUDIT) += ima_audit.o
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 3ccf7acac6df..e7c99fd0d223 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -61,10 +61,19 @@ struct ima_queue_entry {
 };
 extern struct list_head ima_measurements;       /* list of all measurements */
+#ifdef CONFIG_IMA_AUDIT
 /* declarations */
 void integrity_audit_msg(int audit_msgno, struct inode *inode,
                         const unsigned char *fname, const char *op,
                         const char *cause, int result, int info);
+#else
+static inline void integrity_audit_msg(int audit_msgno, struct inode *inode,
+                                       const unsigned char *fname,
+                                       const char *op, const char *cause,
+                                       int result, int info)
+{
+}
+#endif
 /* Internal IMA function definitions */
 int ima_init(void);
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 88a2788b981d..032ff03ad907 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -175,7 +175,9 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
        }
        memset(&entry->template, 0, sizeof(entry->template));
        memcpy(entry->template.digest, iint->digest, IMA_DIGEST_SIZE);
-        strncpy(entry->template.file_name, filename, IMA_EVENT_NAME_LEN_MAX);
+        strcpy(entry->template.file_name,
+               (strlen(filename) > IMA_EVENT_NAME_LEN_MAX) ?
+               file->f_dentry->d_name.name : filename);
        result = ima_store_template(entry, violation, inode);
        if (!result || result == -EEXIST)
diff --git a/security/integrity/ima/ima_audit.c b/security/integrity/ima/ima_audit.c
index 21e96bf188df..7a57f6769e9c 100644
--- a/security/integrity/ima/ima_audit.c
+++ b/security/integrity/ima/ima_audit.c
@@ -17,8 +17,6 @@
 static int ima_audit;
-#ifdef CONFIG_IMA_AUDIT
 /* ima_audit_setup - enable informational auditing messages */
 static int __init ima_audit_setup(char *str)
 {
@@ -29,7 +27,6 @@ static int __init ima_audit_setup(char *str)
        return 1;
 }
 __setup("ima_audit=", ima_audit_setup);
-#endif
 void integrity_audit_msg(int audit_msgno, struct inode *inode,
                         const unsigned char *fname, const char *op,
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index e1aa2b482dd2..38477c9c3415 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -367,20 +367,11 @@ int __init ima_fs_init(void)
        return 0;
 out:
-        securityfs_remove(runtime_measurements_count);
-        securityfs_remove(ascii_runtime_measurements);
-        securityfs_remove(binary_runtime_measurements);
-        securityfs_remove(ima_dir);
-        securityfs_remove(ima_policy);
-        return -1;
-}
-void __exit ima_fs_cleanup(void)
-{
        securityfs_remove(violations);
        securityfs_remove(runtime_measurements_count);
        securityfs_remove(ascii_runtime_measurements);
        securityfs_remove(binary_runtime_measurements);
        securityfs_remove(ima_dir);
        securityfs_remove(ima_policy);
+        return -1;
 }
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 17f1f060306f..b5dfd534f13d 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -90,8 +90,3 @@ int __init ima_init(void)
        return ima_fs_init();
 }
-void __exit ima_cleanup(void)
-{
-        ima_fs_cleanup();
-}
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index b17be79b9cf2..be8294915cf7 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -54,6 +54,7 @@ static void ima_rdwr_violation_check(struct file *file)
        fmode_t mode = file->f_mode;
        int rc;
        bool send_tomtou = false, send_writers = false;
+        unsigned char *pathname = NULL, *pathbuf = NULL;
        if (!S_ISREG(inode->i_mode) || !ima_initialized)
                return;
@@ -75,12 +76,27 @@ static void ima_rdwr_violation_check(struct file *file)
 out:
        mutex_unlock(&inode->i_mutex);
+        if (!send_tomtou && !send_writers)
+                return;
+        /* We will allow 11 spaces for ' (deleted)' to be appended */
+        pathbuf = kmalloc(PATH_MAX + 11, GFP_KERNEL);
+        if (pathbuf) {
+                pathname = d_path(&file->f_path, pathbuf, PATH_MAX + 11);
+                if (IS_ERR(pathname))
+                        pathname = NULL;
+                else if (strlen(pathname) > IMA_EVENT_NAME_LEN_MAX)
+                        pathname = NULL;
+        }
        if (send_tomtou)
-                ima_add_violation(inode, dentry->d_name.name, "invalid_pcr",
+                ima_add_violation(inode,
-                                  "ToMToU");
+                                  !pathname ? dentry->d_name.name : pathname,
+                                  "invalid_pcr", "ToMToU");
        if (send_writers)
-                ima_add_violation(inode, dentry->d_name.name, "invalid_pcr",
+                ima_add_violation(inode,
-                                  "open_writers");
+                                  !pathname ? dentry->d_name.name : pathname,
+                                  "invalid_pcr", "open_writers");
+        kfree(pathbuf);
 }
 static void ima_check_last_writer(struct integrity_iint_cache *iint,
@@ -123,6 +139,7 @@ static int process_measurement(struct file *file, const unsigned char *filename,
 {
        struct inode *inode = file->f_dentry->d_inode;
        struct integrity_iint_cache *iint;
+        unsigned char *pathname = NULL, *pathbuf = NULL;
        int rc = 0;
        if (!ima_initialized || !S_ISREG(inode->i_mode))
@@ -147,8 +164,21 @@ retry:
                goto out;
        rc = ima_collect_measurement(iint, file);
-        if (!rc)
+        if (rc != 0)
-                ima_store_measurement(iint, file, filename);
+                goto out;
+        if (function != BPRM_CHECK) {
+                /* We will allow 11 spaces for ' (deleted)' to be appended */
+                pathbuf = kmalloc(PATH_MAX + 11, GFP_KERNEL);
+                if (pathbuf) {
+                        pathname =
+                            d_path(&file->f_path, pathbuf, PATH_MAX + 11);
+                        if (IS_ERR(pathname))
+                                pathname = NULL;
+                }
+        }
+        ima_store_measurement(iint, file, !pathname ? filename : pathname);
+        kfree(pathbuf);
 out:
        mutex_unlock(&iint->mutex);
        return rc;
@@ -228,15 +258,11 @@ static int __init init_ima(void)
        int error;
        error = ima_init();
-        ima_initialized = 1;
+        if (!error)
+                ima_initialized = 1;
        return error;
 }
-static void __exit cleanup_ima(void)
-{
-        ima_cleanup();
-}
 late_initcall(init_ima);        /* Start IMA after the TPM is available */
 MODULE_DESCRIPTION("Integrity Measurement Architecture");
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index d8edff209bf3..1a9583008aae 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -63,6 +63,8 @@ static struct ima_measure_rule_entry default_rules[] = {
        {.action = DONT_MEASURE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC},
        {.action = DONT_MEASURE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC},
        {.action = DONT_MEASURE,.fsmagic = RAMFS_MAGIC,.flags = IMA_FSMAGIC},
+        {.action = DONT_MEASURE,.fsmagic = DEVPTS_SUPER_MAGIC,.flags = IMA_FSMAGIC},
+        {.action = DONT_MEASURE,.fsmagic = BINFMTFS_MAGIC,.flags = IMA_FSMAGIC},
        {.action = DONT_MEASURE,.fsmagic = SECURITYFS_MAGIC,.flags = IMA_FSMAGIC},
        {.action = DONT_MEASURE,.fsmagic = SELINUX_MAGIC,.flags = IMA_FSMAGIC},
        {.action = MEASURE,.func = FILE_MMAP,.mask = MAY_EXEC,
diff --git a/security/keys/compat.c b/security/keys/compat.c
index c92d42b021aa..1c261763f479 100644
--- a/security/keys/compat.c
+++ b/security/keys/compat.c
@@ -24,7 +24,7 @@
 *
 * If successful, 0 will be returned.
 */
-long compat_keyctl_instantiate_key_iov(
+static long compat_keyctl_instantiate_key_iov(
        key_serial_t id,
        const struct compat_iovec __user *_payload_iov,
        unsigned ioc,
@@ -33,7 +33,7 @@ long compat_keyctl_instantiate_key_iov(
        struct iovec iovstack[UIO_FASTIOV], *iov = iovstack;
        long ret;
-        if (_payload_iov == 0 || ioc == 0)
+        if (!_payload_iov || !ioc)
                goto no_payload;
        ret = compat_rw_copy_check_uvector(WRITE, _payload_iov, ioc,
diff --git a/security/keys/internal.h b/security/keys/internal.h
index c246ba5d43ab..22ff05269e3d 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -242,7 +242,7 @@ extern long keyctl_instantiate_key_iov(key_serial_t,
 extern long keyctl_invalidate_key(key_serial_t);
 extern long keyctl_instantiate_key_common(key_serial_t,
-                                          const struct iovec __user *,
+                                          const struct iovec *,
                                          unsigned, size_t, key_serial_t);
 /*
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index f1b59ae39d7e..3364fbf46807 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1106,7 +1106,7 @@ long keyctl_instantiate_key_iov(key_serial_t id,
        struct iovec iovstack[UIO_FASTIOV], *iov = iovstack;
        long ret;
-        if (_payload_iov == 0 || ioc == 0)
+        if (!_payload_iov || !ioc)
                goto no_payload;
        ret = rw_copy_check_uvector(WRITE, _payload_iov, ioc,
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index 7445875f6818..81e7852d281d 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -751,6 +751,7 @@ static void keyring_unlink_rcu_disposal(struct rcu_head *rcu)
 int __key_link_begin(struct key *keyring, const struct key_type *type,
                     const char *description, unsigned long *_prealloc)
        __acquires(&keyring->sem)
+        __acquires(&keyring_serialise_link_sem)
 {
        struct keyring_list *klist, *nklist;
        unsigned long prealloc;
@@ -960,6 +961,7 @@ void __key_link(struct key *keyring, struct key *key,
 void __key_link_end(struct key *keyring, struct key_type *type,
                    unsigned long prealloc)
        __releases(&keyring->sem)
+        __releases(&keyring_serialise_link_sem)
 {
        BUG_ON(type == NULL);
        BUG_ON(type->name == NULL);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 9292a8971e66..689fe2d22165 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5762,21 +5762,21 @@ static struct nf_hook_ops selinux_ipv4_ops[] = {
        {
                .hook =         selinux_ipv4_postroute,
                .owner =        THIS_MODULE,
-                .pf =           PF_INET,
+                .pf =           NFPROTO_IPV4,
                .hooknum =      NF_INET_POST_ROUTING,
                .priority =     NF_IP_PRI_SELINUX_LAST,
        },
        {
                .hook =         selinux_ipv4_forward,
                .owner =        THIS_MODULE,
-                .pf =           PF_INET,
+                .pf =           NFPROTO_IPV4,
                .hooknum =      NF_INET_FORWARD,
                .priority =     NF_IP_PRI_SELINUX_FIRST,
        },
        {
                .hook =         selinux_ipv4_output,
                .owner =        THIS_MODULE,
-                .pf =           PF_INET,
+                .pf =           NFPROTO_IPV4,
                .hooknum =      NF_INET_LOCAL_OUT,
                .priority =     NF_IP_PRI_SELINUX_FIRST,
        }
@@ -5788,14 +5788,14 @@ static struct nf_hook_ops selinux_ipv6_ops[] = {
        {
                .hook =         selinux_ipv6_postroute,
                .owner =        THIS_MODULE,
-                .pf =           PF_INET6,
+                .pf =           NFPROTO_IPV6,
                .hooknum =      NF_INET_POST_ROUTING,
                .priority =     NF_IP6_PRI_SELINUX_LAST,
        },
        {
                .hook =         selinux_ipv6_forward,
                .owner =        THIS_MODULE,
-                .pf =           PF_INET6,
+                .pf =           NFPROTO_IPV6,
                .hooknum =      NF_INET_FORWARD,
                .priority =     NF_IP6_PRI_SELINUX_FIRST,
        }
diff --git a/security/selinux/netlink.c b/security/selinux/netlink.c
index 161e01a6c7ef..8a77725423e0 100644
--- a/security/selinux/netlink.c
+++ b/security/selinux/netlink.c
@@ -19,6 +19,7 @@
 #include <linux/netlink.h>
 #include <linux/selinux_netlink.h>
 #include <net/net_namespace.h>
+#include <net/netlink.h>
 #include "security.h"
@@ -47,7 +48,7 @@ static void selnl_add_payload(struct nlmsghdr *nlh, int len, int msgtype, void *
 {
        switch (msgtype) {
        case SELNL_MSG_SETENFORCE: {
-                struct selnl_msg_setenforce *msg = NLMSG_DATA(nlh);
+                struct selnl_msg_setenforce *msg = nlmsg_data(nlh);
                memset(msg, 0, len);
                msg->val = *((int *)data);
@@ -55,7 +56,7 @@ static void selnl_add_payload(struct nlmsghdr *nlh, int len, int msgtype, void *
        }
        case SELNL_MSG_POLICYLOAD: {
-                struct selnl_msg_policyload *msg = NLMSG_DATA(nlh);
+                struct selnl_msg_policyload *msg = nlmsg_data(nlh);
                memset(msg, 0, len);
                msg->seqno = *((u32 *)data);
@@ -81,7 +82,9 @@ static void selnl_notify(int msgtype, void *data)
                goto oom;
        tmp = skb->tail;
-        nlh = NLMSG_PUT(skb, 0, 0, msgtype, len);
+        nlh = nlmsg_put(skb, 0, 0, msgtype, len, 0);
+        if (!nlh)
+                goto out_kfree_skb;
        selnl_add_payload(nlh, len, msgtype, data);
        nlh->nlmsg_len = skb->tail - tmp;
        NETLINK_CB(skb).dst_group = SELNLGRP_AVC;
@@ -89,7 +92,7 @@ static void selnl_notify(int msgtype, void *data)
 out:
        return;
-nlmsg_failure:
+out_kfree_skb:
        kfree_skb(skb);
 oom:
        printk(KERN_ERR "SELinux:  OOM in %s\n", __func__);
@@ -108,8 +111,12 @@ void selnl_notify_policyload(u32 seqno)
 static int __init selnl_init(void)
 {
+        struct netlink_kernel_cfg cfg = {
+                .groups = SELNLGRP_MAX,
+        };
        selnl = netlink_kernel_create(&init_net, NETLINK_SELINUX,
-                                      SELNLGRP_MAX, NULL, NULL, THIS_MODULE);
+                                      THIS_MODULE, &cfg);
        if (selnl == NULL)
                panic("SELinux:  Cannot create netlink socket.");
        netlink_set_nonroot(NETLINK_SELINUX, NL_NONROOT_RECV);
diff --git a/security/smack/smack.h b/security/smack/smack.h
index cc361b8f3d13..99b36124f712 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -43,7 +43,6 @@ struct superblock_smack {
        char            *smk_hat;
        char            *smk_default;
        int             smk_initialized;
-        spinlock_t      smk_sblock;     /* for initialization */
 };
 struct socket_smack {
@@ -284,6 +283,19 @@ static inline char *smk_of_current(void)
 }
 /*
+ * Is the task privileged and allowed to be privileged
+ * by the onlycap rule.
+ */
+static inline int smack_privileged(int cap)
+{
+        if (!capable(cap))
+                return 0;
+        if (smack_onlycap == NULL || smack_onlycap == smk_of_current())
+                return 1;
+        return 0;
+}
+/*
 * logging functions
 */
 #define SMACK_AUDIT_DENIED 0x1
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index 9f3705e92712..db14689a21e0 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -220,14 +220,9 @@ int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
        }
        /*
-         * Return if a specific label has been designated as the
+         * Allow for priviliged to override policy.
-         * only one that gets privilege and current does not
-         * have that label.
         */
-        if (smack_onlycap != NULL && smack_onlycap != sp)
+        if (rc != 0 && smack_privileged(CAP_MAC_OVERRIDE))
-                goto out_audit;
-        if (capable(CAP_MAC_OVERRIDE))
                rc = 0;
 out_audit:
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index ee0bb5735f35..8221514cc997 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -217,7 +217,7 @@ static int smack_syslog(int typefrom_file)
        int rc = 0;
        char *sp = smk_of_current();
-        if (capable(CAP_MAC_OVERRIDE))
+        if (smack_privileged(CAP_MAC_OVERRIDE))
                return 0;
         if (sp != smack_known_floor.smk_known)
@@ -251,7 +251,6 @@ static int smack_sb_alloc_security(struct super_block *sb)
        sbsp->smk_floor = smack_known_floor.smk_known;
        sbsp->smk_hat = smack_known_hat.smk_known;
        sbsp->smk_initialized = 0;
-        spin_lock_init(&sbsp->smk_sblock);
        sb->s_security = sbsp;
@@ -332,13 +331,10 @@ static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data)
        char *commap;
        char *nsp;
-        spin_lock(&sp->smk_sblock);
+        if (sp->smk_initialized != 0)
-        if (sp->smk_initialized != 0) {
-                spin_unlock(&sp->smk_sblock);
                return 0;
-        }
        sp->smk_initialized = 1;
-        spin_unlock(&sp->smk_sblock);
        for (op = data; op != NULL; op = commap) {
                commap = strchr(op, ',');
@@ -825,7 +821,7 @@ static int smack_inode_setxattr(struct dentry *dentry, const char *name,
            strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 ||
            strcmp(name, XATTR_NAME_SMACKEXEC) == 0 ||
            strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
-                if (!capable(CAP_MAC_ADMIN))
+                if (!smack_privileged(CAP_MAC_ADMIN))
                        rc = -EPERM;
                /*
                 * check label validity here so import wont fail on
@@ -835,7 +831,7 @@ static int smack_inode_setxattr(struct dentry *dentry, const char *name,
                    smk_import(value, size) == NULL)
                        rc = -EINVAL;
        } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) {
-                if (!capable(CAP_MAC_ADMIN))
+                if (!smack_privileged(CAP_MAC_ADMIN))
                        rc = -EPERM;
                if (size != TRANS_TRUE_SIZE ||
                    strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0)
@@ -931,7 +927,7 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
            strcmp(name, XATTR_NAME_SMACKEXEC) == 0 ||
            strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 ||
            strcmp(name, XATTR_NAME_SMACKMMAP)) {
-                if (!capable(CAP_MAC_ADMIN))
+                if (!smack_privileged(CAP_MAC_ADMIN))
                        rc = -EPERM;
        } else
                rc = cap_inode_removexattr(dentry, name);
@@ -1720,7 +1716,8 @@ static int smack_task_wait(struct task_struct *p)
         * state into account in the decision as well as
         * the smack value.
         */
-        if (capable(CAP_MAC_OVERRIDE) || has_capability(p, CAP_MAC_OVERRIDE))
+        if (smack_privileged(CAP_MAC_OVERRIDE) ||
+            has_capability(p, CAP_MAC_OVERRIDE))
                rc = 0;
        /* we log only if we didn't get overriden */
 out_log:
@@ -2721,7 +2718,7 @@ static int smack_setprocattr(struct task_struct *p, char *name,
        if (p != current)
                return -EPERM;
-        if (!capable(CAP_MAC_ADMIN))
+        if (!smack_privileged(CAP_MAC_ADMIN))
                return -EPERM;
        if (value == NULL || size == 0 || size >= SMK_LONGLABEL)
@@ -2784,7 +2781,7 @@ static int smack_unix_stream_connect(struct sock *sock,
        smk_ad_setfield_u_net_sk(&ad, other);
 #endif
-        if (!capable(CAP_MAC_OVERRIDE))
+        if (!smack_privileged(CAP_MAC_OVERRIDE))
                rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad);
        /*
@@ -2820,7 +2817,7 @@ static int smack_unix_may_send(struct socket *sock, struct socket *other)
        smk_ad_setfield_u_net_sk(&ad, other->sk);
 #endif
-        if (!capable(CAP_MAC_OVERRIDE))
+        if (!smack_privileged(CAP_MAC_OVERRIDE))
                rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad);
        return rc;
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 1810c9a4ed48..d31e6d957c21 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -215,28 +215,27 @@ static int smk_set_access(struct smack_rule *srp, struct list_head *rule_list,
 * @access: access string
 * @rule: Smack rule
 * @import: if non-zero, import labels
+ * @len: label length limit
 *
 * Returns 0 on success, -1 on failure
 */
 static int smk_fill_rule(const char *subject, const char *object,
                                const char *access, struct smack_rule *rule,
-                                int import)
+                                int import, int len)
 {
-        int rc = -1;
-        int done;
        const char *cp;
        struct smack_known *skp;
        if (import) {
-                rule->smk_subject = smk_import(subject, 0);
+                rule->smk_subject = smk_import(subject, len);
                if (rule->smk_subject == NULL)
                        return -1;
-                rule->smk_object = smk_import(object, 0);
+                rule->smk_object = smk_import(object, len);
                if (rule->smk_object == NULL)
                        return -1;
        } else {
-                cp = smk_parse_smack(subject, 0);
+                cp = smk_parse_smack(subject, len);
                if (cp == NULL)
                        return -1;
                skp = smk_find_entry(cp);
@@ -245,7 +244,7 @@ static int smk_fill_rule(const char *subject, const char *object,
                        return -1;
                rule->smk_subject = skp->smk_known;
-                cp = smk_parse_smack(object, 0);
+                cp = smk_parse_smack(object, len);
                if (cp == NULL)
                        return -1;
                skp = smk_find_entry(cp);
@@ -257,7 +256,7 @@ static int smk_fill_rule(const char *subject, const char *object,
        rule->smk_access = 0;
-        for (cp = access, done = 0; *cp && !done; cp++) {
+        for (cp = access; *cp != '\0'; cp++) {
                switch (*cp) {
                case '-':
                        break;
@@ -282,13 +281,11 @@ static int smk_fill_rule(const char *subject, const char *object,
                        rule->smk_access |= MAY_TRANSMUTE;
                        break;
                default:
-                        done = 1;
+                        return 0;
-                        break;
                }
        }
-        rc = 0;
-        return rc;
+        return 0;
 }
 /**
@@ -304,7 +301,8 @@ static int smk_parse_rule(const char *data, struct smack_rule *rule, int import)
        int rc;
        rc = smk_fill_rule(data, data + SMK_LABELLEN,
-                           data + SMK_LABELLEN + SMK_LABELLEN, rule, import);
+                           data + SMK_LABELLEN + SMK_LABELLEN, rule, import,
+                           SMK_LABELLEN);
        return rc;
 }
@@ -340,7 +338,7 @@ static int smk_parse_long_rule(const char *data, struct smack_rule *rule,
                goto free_out_o;
        if (sscanf(data, "%s %s %s", subject, object, access) == 3)
-                rc = smk_fill_rule(subject, object, access, rule, import);
+                rc = smk_fill_rule(subject, object, access, rule, import, 0);
        kfree(access);
 free_out_o:
@@ -520,6 +518,9 @@ static void smk_rule_show(struct seq_file *s, struct smack_rule *srp, int max)
        if (strlen(srp->smk_subject) >= max || strlen(srp->smk_object) >= max)
                return;
+        if (srp->smk_access == 0)
+                return;
        seq_printf(s, "%s %s", srp->smk_subject, srp->smk_object);
        seq_putc(s, ' ');
@@ -534,8 +535,6 @@ static void smk_rule_show(struct seq_file *s, struct smack_rule *srp, int max)
                seq_putc(s, 'a');
        if (srp->smk_access & MAY_TRANSMUTE)
                seq_putc(s, 't');
-        if (srp->smk_access == 0)
-                seq_putc(s, '-');
        seq_putc(s, '\n');
 }
@@ -595,13 +594,12 @@ static int smk_open_load(struct inode *inode, struct file *file)
 static ssize_t smk_write_load(struct file *file, const char __user *buf,
                              size_t count, loff_t *ppos)
 {
        /*
         * Must have privilege.
         * No partial writes.
         * Enough data must be present.
         */
-        if (!capable(CAP_MAC_ADMIN))
+        if (!smack_privileged(CAP_MAC_ADMIN))
                return -EPERM;
        return smk_write_rules_list(file, buf, count, ppos, NULL, NULL,
@@ -787,7 +785,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
         * No partial writes.
         * Enough data must be present.
         */
-        if (!capable(CAP_MAC_ADMIN))
+        if (!smack_privileged(CAP_MAC_ADMIN))
                return -EPERM;
        if (*ppos != 0)
                return -EINVAL;
@@ -1090,7 +1088,7 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
         * "<addr/mask, as a.b.c.d/e><space><label>"
         * "<addr, as a.b.c.d><space><label>"
         */
-        if (!capable(CAP_MAC_ADMIN))
+        if (!smack_privileged(CAP_MAC_ADMIN))
                return -EPERM;
        if (*ppos != 0)
                return -EINVAL;
@@ -1267,7 +1265,7 @@ static ssize_t smk_write_doi(struct file *file, const char __user *buf,
        char temp[80];
        int i;
-        if (!capable(CAP_MAC_ADMIN))
+        if (!smack_privileged(CAP_MAC_ADMIN))
                return -EPERM;
        if (count >= sizeof(temp) || count == 0)
@@ -1334,7 +1332,7 @@ static ssize_t smk_write_direct(struct file *file, const char __user *buf,
        char temp[80];
        int i;
-        if (!capable(CAP_MAC_ADMIN))
+        if (!smack_privileged(CAP_MAC_ADMIN))
                return -EPERM;
        if (count >= sizeof(temp) || count == 0)
@@ -1412,7 +1410,7 @@ static ssize_t smk_write_mapped(struct file *file, const char __user *buf,
        char temp[80];
        int i;
-        if (!capable(CAP_MAC_ADMIN))
+        if (!smack_privileged(CAP_MAC_ADMIN))
                return -EPERM;
        if (count >= sizeof(temp) || count == 0)
@@ -1503,7 +1501,7 @@ static ssize_t smk_write_ambient(struct file *file, const char __user *buf,
        char *data;
        int rc = count;
-        if (!capable(CAP_MAC_ADMIN))
+        if (!smack_privileged(CAP_MAC_ADMIN))
                return -EPERM;
        data = kzalloc(count + 1, GFP_KERNEL);
@@ -1586,7 +1584,7 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
        char *sp = smk_of_task(current->cred->security);
        int rc = count;
-        if (!capable(CAP_MAC_ADMIN))
+        if (!smack_privileged(CAP_MAC_ADMIN))
                return -EPERM;
        /*
@@ -1664,7 +1662,7 @@ static ssize_t smk_write_logging(struct file *file, const char __user *buf,
        char temp[32];
        int i;
-        if (!capable(CAP_MAC_ADMIN))
+        if (!smack_privileged(CAP_MAC_ADMIN))
                return -EPERM;
        if (count >= sizeof(temp) || count == 0)
@@ -1885,7 +1883,7 @@ static ssize_t smk_write_load2(struct file *file, const char __user *buf,
        /*
         * Must have privilege.
         */
-        if (!capable(CAP_MAC_ADMIN))
+        if (!smack_privileged(CAP_MAC_ADMIN))
                return -EPERM;
        return smk_write_rules_list(file, buf, count, ppos, NULL, NULL,
@@ -2051,7 +2049,6 @@ static int smk_fill_super(struct super_block *sb, void *data, int silent)
        }
        root_inode = sb->s_root->d_inode;
-        root_inode->i_security = new_inode_smack(smack_known_floor.smk_known);
        return 0;
 }
author	Arnd Bergmann <arnd@arndb.de>	2012-07-25 08:33:45 -0400
committer	Arnd Bergmann <arnd@arndb.de>	2012-07-25 08:35:04 -0400
commit	8cef081c71dd4e16a01a1e63cedab21eef8b5735 (patch)
tree	b5b0fb5ab09dc60dee5fc8fd8e980359abbd1b1e /security
parent	3d55c29fb24286f350f04021bef2dd799e25dd20 (diff)
parent	9161c3b796a2841a9a7be3d9c9dd121269ce90e8 (diff)