10 files changed, 140 insertions, 69 deletions

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 87302a49067b..2253f388234f 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -68,6 +68,7 @@
 #include <linux/personality.h>
 #include <linux/sysctl.h>
 #include <linux/audit.h>
+#include <linux/string.h>
 
 #include "avc.h"
 #include "objsec.h"
@@ -825,7 +826,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
                         sid = sbsec->def_sid;
                         rc = 0;
                 } else {
-                        rc = security_context_to_sid(context, rc, &sid);
+                        rc = security_context_to_sid_default(context, rc, &sid,
+                                                             sbsec->def_sid);
                         if (rc) {
                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
                                        "returned %d for dev=%s ino=%ld\n",
@@ -1658,9 +1660,8 @@ static int selinux_bprm_secureexec (struct linux_binprm *bprm)
 
 static void selinux_bprm_free_security(struct linux_binprm *bprm)
 {
-        struct bprm_security_struct *bsec = bprm->security;
+        kfree(bprm->security);
         bprm->security = NULL;
-        kfree(bsec);
 }
 
 extern struct vfsmount *selinuxfs_mount;
@@ -1944,7 +1945,7 @@ static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void
                 }
         } while (*in_end++);
 
-        copy_page(in_save, nosec_save);
+        strcpy(in_save, nosec_save);
         free_page((unsigned long)nosec_save);
 out:
         return rc;
@@ -2477,6 +2478,17 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
                 prot = reqprot;
 
 #ifndef CONFIG_PPC32
+        if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXECUTABLE) &&
+           (vma->vm_start >= vma->vm_mm->start_brk &&
+            vma->vm_end <= vma->vm_mm->brk)) {
+                /*
+                 * We are making an executable mapping in the brk region.
+                 * This has an additional execheap check.
+                 */
+                rc = task_has_perm(current, current, PROCESS__EXECHEAP);
+                if (rc)
+                        return rc;
+        }
         if (vma->vm_file != NULL && vma->anon_vma != NULL && (prot & PROT_EXEC)) {
                 /*
                  * We are making executable a file mapping that has
@@ -2488,6 +2500,16 @@ static int selinux_file_mprotect(struct vm_area_struct *vma,
                 if (rc)
                         return rc;
         }
+        if (!vma->vm_file && (prot & PROT_EXEC) &&
+                vma->vm_start <= vma->vm_mm->start_stack &&
+                vma->vm_end >= vma->vm_mm->start_stack) {
+                /* Attempt to make the process stack executable.
+                 * This has an additional execstack check.
+                 */
+                rc = task_has_perm(current, current, PROCESS__EXECSTACK);
+                if (rc)
+                        return rc;
+        }
 #endif
 
         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
@@ -3104,12 +3126,12 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
 
                 if (sk->sk_family == PF_INET) {
                         addr4 = (struct sockaddr_in *)address;
-                        if (addrlen != sizeof(struct sockaddr_in))
+                        if (addrlen < sizeof(struct sockaddr_in))
                                 return -EINVAL;
                         snum = ntohs(addr4->sin_port);
                 } else {
                         addr6 = (struct sockaddr_in6 *)address;
-                        if (addrlen != sizeof(struct sockaddr_in6))
+                        if (addrlen < SIN6_LEN_RFC2133)
                                 return -EINVAL;
                         snum = ntohs(addr6->sin6_port);
                 }
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
index 8928bb4d3c53..1deb59e1b762 100644
--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -70,6 +70,8 @@
    S_(SECCLASS_PROCESS, PROCESS__DYNTRANSITION, "dyntransition")
    S_(SECCLASS_PROCESS, PROCESS__SETCURRENT, "setcurrent")
    S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem")
+   S_(SECCLASS_PROCESS, PROCESS__EXECSTACK, "execstack")
+   S_(SECCLASS_PROCESS, PROCESS__EXECHEAP, "execheap")
    S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue")
    S_(SECCLASS_MSG, MSG__SEND, "send")
    S_(SECCLASS_MSG, MSG__RECEIVE, "receive")
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
index bdfce4ca8f8e..a78b5d59c9fc 100644
--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -465,6 +465,8 @@
 #define PROCESS__DYNTRANSITION                    0x00800000UL
 #define PROCESS__SETCURRENT                       0x01000000UL
 #define PROCESS__EXECMEM                          0x02000000UL
+#define PROCESS__EXECSTACK                        0x04000000UL
+#define PROCESS__EXECHEAP                         0x08000000UL
 
 #define IPC__CREATE                               0x00000001UL
 #define IPC__DESTROY                              0x00000002UL
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index fa187c9a351d..71c0a19c9753 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -65,6 +65,8 @@ int security_sid_to_context(u32 sid, char **scontext,
 int security_context_to_sid(char *scontext, u32 scontext_len,
         u32 *out_sid);
 
+int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *out_sid, u32 def_sid);
+
 int security_get_user_sids(u32 callsid, char *username,
                            u32 **sids, u32 *nel);
 
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 07221568b505..8eb140dd2e4b 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -951,8 +951,7 @@ static int sel_make_bools(void)
         u32 sid;
 
         /* remove any existing files */
-        if (bool_pending_values)
-                kfree(bool_pending_values);
+        kfree(bool_pending_values);
 
         sel_remove_bools(dir);
 
@@ -997,10 +996,8 @@ static int sel_make_bools(void)
 out:
         free_page((unsigned long)page);
         if (names) {
-                for (i = 0; i < num; i++) {
-                        if (names[i])
-                                kfree(names[i]);
-                }
+                for (i = 0; i < num; i++)
+                        kfree(names[i]);
                 kfree(names);
         }
         return ret;
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index b53441184aca..e2057f5a411a 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -166,16 +166,14 @@ static void cond_list_destroy(struct cond_node *list)
 
 void cond_policydb_destroy(struct policydb *p)
 {
-        if (p->bool_val_to_struct != NULL)
-                kfree(p->bool_val_to_struct);
+        kfree(p->bool_val_to_struct);
         avtab_destroy(&p->te_cond_avtab);
         cond_list_destroy(p->cond_list);
 }
 
 int cond_init_bool_indexes(struct policydb *p)
 {
-        if (p->bool_val_to_struct)
-                kfree(p->bool_val_to_struct);
+        kfree(p->bool_val_to_struct);
         p->bool_val_to_struct = (struct cond_bool_datum**)
                 kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum*), GFP_KERNEL);
         if (!p->bool_val_to_struct)
@@ -185,8 +183,7 @@ int cond_init_bool_indexes(struct policydb *p)
 
 int cond_destroy_bool(void *key, void *datum, void *p)
 {
-        if (key)
-                kfree(key);
+        kfree(key);
         kfree(datum);
         return 0;
 }
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index 756036bcc243..d4c32c39ccc9 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -15,6 +15,7 @@
 #include <linux/slab.h>
 #include <linux/string.h>
 #include <linux/errno.h>
+#include "sidtab.h"
 #include "mls.h"
 #include "policydb.h"
 #include "services.h"
@@ -208,6 +209,26 @@ int mls_context_isvalid(struct policydb *p, struct context *c)
 }
 
 /*
+ * Copies the MLS range from `src' into `dst'.
+ */
+static inline int mls_copy_context(struct context *dst,
+                                   struct context *src)
+{
+        int l, rc = 0;
+
+        /* Copy the MLS range from the source context */
+        for (l = 0; l < 2; l++) {
+                dst->range.level[l].sens = src->range.level[l].sens;
+                rc = ebitmap_cpy(&dst->range.level[l].cat,
+                                 &src->range.level[l].cat);
+                if (rc)
+                        break;
+        }
+
+        return rc;
+}
+
+/*
  * Set the MLS fields in the security context structure
  * `context' based on the string representation in
  * the string `*scontext'.  Update `*scontext' to
@@ -216,10 +237,20 @@ int mls_context_isvalid(struct policydb *p, struct context *c)
  *
  * This function modifies the string in place, inserting
  * NULL characters to terminate the MLS fields.
+ *
+ * If a def_sid is provided and no MLS field is present,
+ * copy the MLS field of the associated default context.
+ * Used for upgraded to MLS systems where objects may lack
+ * MLS fields.
+ *
+ * Policy read-lock must be held for sidtab lookup.
+ *
  */
 int mls_context_to_sid(char oldc,
                        char **scontext,
-                       struct context *context)
+                       struct context *context,
+                       struct sidtab *s,
+                       u32 def_sid)
 {
 
         char delim;
@@ -231,9 +262,23 @@ int mls_context_to_sid(char oldc,
         if (!selinux_mls_enabled)
                 return 0;
 
-        /* No MLS component to the security context. */
-        if (!oldc)
+        /*
+         * No MLS component to the security context, try and map to
+         * default if provided.
+         */
+        if (!oldc) {
+                struct context *defcon;
+
+                if (def_sid == SECSID_NULL)
+                        goto out;
+
+                defcon = sidtab_search(s, def_sid);
+                if (!defcon)
+                        goto out;
+
+                rc = mls_copy_context(context, defcon);
                 goto out;
+        }
 
         /* Extract low sensitivity. */
         scontextp = p = *scontext;
@@ -334,26 +379,6 @@ out:
 }
 
 /*
- * Copies the MLS range from `src' into `dst'.
- */
-static inline int mls_copy_context(struct context *dst,
-                                   struct context *src)
-{
-        int l, rc = 0;
-
-        /* Copy the MLS range from the source context */
-        for (l = 0; l < 2; l++) {
-                dst->range.level[l].sens = src->range.level[l].sens;
-                rc = ebitmap_cpy(&dst->range.level[l].cat,
-                                 &src->range.level[l].cat);
-                if (rc)
-                        break;
-        }
-
-        return rc;
-}
-
-/*
  * Copies the effective MLS range from `src' into `dst'.
  */
 static inline int mls_scopy_context(struct context *dst,
diff --git a/security/selinux/ss/mls.h b/security/selinux/ss/mls.h
index 0d37beaa85e2..03de697c8058 100644
--- a/security/selinux/ss/mls.h
+++ b/security/selinux/ss/mls.h
@@ -23,7 +23,9 @@ int mls_context_isvalid(struct policydb *p, struct context *c);
 
 int mls_context_to_sid(char oldc,
                        char **scontext,
-                       struct context *context);
+                       struct context *context,
+                       struct sidtab *s,
+                       u32 def_sid);
 
 int mls_convert_context(struct policydb *oldp,
                         struct policydb *newp,
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 14190efbf333..785c33cf4864 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -590,17 +590,12 @@ void policydb_destroy(struct policydb *p)
                 hashtab_destroy(p->symtab[i].table);
         }
 
-        for (i = 0; i < SYM_NUM; i++) {
-                if (p->sym_val_to_name[i])
-                        kfree(p->sym_val_to_name[i]);
-        }
+        for (i = 0; i < SYM_NUM; i++)
+                kfree(p->sym_val_to_name[i]);
 
-        if (p->class_val_to_struct)
-                kfree(p->class_val_to_struct);
-        if (p->role_val_to_struct)
-                kfree(p->role_val_to_struct);
-        if (p->user_val_to_struct)
-                kfree(p->user_val_to_struct);
+        kfree(p->class_val_to_struct);
+        kfree(p->role_val_to_struct);
+        kfree(p->user_val_to_struct);
 
         avtab_destroy(&p->te_avtab);
 
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index b6149147d5cb..014120474e69 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -601,18 +601,7 @@ out:
 
 }
 
-/**
- * security_context_to_sid - Obtain a SID for a given security context.
- * @scontext: security context
- * @scontext_len: length in bytes
- * @sid: security identifier, SID
- *
- * Obtains a SID associated with the security context that
- * has the string representation specified by @scontext.
- * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
- * memory is available, or 0 on success.
- */
-int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid)
+static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid)
 {
         char *scontext2;
         struct context context;
@@ -703,7 +692,7 @@ int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid)
 
         context.type = typdatum->value;
 
-        rc = mls_context_to_sid(oldc, &p, &context);
+        rc = mls_context_to_sid(oldc, &p, &context, &sidtab, def_sid);
         if (rc)
                 goto out_unlock;
 
@@ -727,6 +716,46 @@ out:
         return rc;
 }
 
+/**
+ * security_context_to_sid - Obtain a SID for a given security context.
+ * @scontext: security context
+ * @scontext_len: length in bytes
+ * @sid: security identifier, SID
+ *
+ * Obtains a SID associated with the security context that
+ * has the string representation specified by @scontext.
+ * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
+ * memory is available, or 0 on success.
+ */
+int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid)
+{
+        return security_context_to_sid_core(scontext, scontext_len,
+                                            sid, SECSID_NULL);
+}
+
+/**
+ * security_context_to_sid_default - Obtain a SID for a given security context,
+ * falling back to specified default if needed.
+ *
+ * @scontext: security context
+ * @scontext_len: length in bytes
+ * @sid: security identifier, SID
+ * @def_sid: default SID to assign on errror
+ *
+ * Obtains a SID associated with the security context that
+ * has the string representation specified by @scontext.
+ * The default SID is passed to the MLS layer to be used to allow
+ * kernel labeling of the MLS field if the MLS field is not present
+ * (for upgrading to MLS without full relabel).
+ * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
+ * memory is available, or 0 on success.
+ */
+int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid)
+{
+        return security_context_to_sid_core(scontext, scontext_len,
+                                            sid, def_sid);
+}
+
 static int compute_sid_handle_invalid_context(
         struct context *scontext,
         struct context *tcontext,
@@ -1705,11 +1734,9 @@ out:
 err:
         if (*names) {
                 for (i = 0; i < *len; i++)
-                        if ((*names)[i])
-                                kfree((*names)[i]);
+                        kfree((*names)[i]);
         }
-        if (*values)
-                kfree(*values);
+        kfree(*values);
         goto out;
 }