Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/avc.c36
-rw-r--r--security/selinux/hooks.c47
-rw-r--r--security/selinux/include/avc.h18
-rw-r--r--security/selinux/include/xfrm.h2
-rw-r--r--security/selinux/netlabel.c2
-rw-r--r--security/selinux/ss/services.c6
-rw-r--r--security/selinux/xfrm.c6
7 files changed, 78 insertions, 39 deletions
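--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -471,6 +471,7 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
  * @avd: access vector decisions
  * @result: result from avc_has_perm_noaudit
  * @a: auxiliary audit data
+ * @flags: VFS walk flags
  *
  * Audit the granting or denial of permissions in accordance
  * with the policy. This function is typically called by
@@ -481,9 +482,10 @@ static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
  * be performed under a lock, to allow the lock to be released
  * before calling the auditing code.
  */
-void avc_audit(u32 ssid, u32 tsid,
+int avc_audit(u32 ssid, u32 tsid,
  u16 tclass, u32 requested,
- struct av_decision *avd, int result, struct common_audit_data *a)
+ struct av_decision *avd, int result, struct common_audit_data *a,
+ unsigned flags)
 {
  struct common_audit_data stack_data;
  u32 denied, audited;
@@ -515,11 +517,24 @@ void avc_audit(u32 ssid, u32 tsid,
  else
  audited = requested & avd->auditallow;
  if (!audited)
- return;
+ return 0;
+
  if (!a) {
  a = &stack_data;
  COMMON_AUDIT_DATA_INIT(a, NONE);
  }
+
+ /*
+ * When in a RCU walk do the audit on the RCU retry. This is because
+ * the collection of the dname in an inode audit message is not RCU
+ * safe. Note this may drop some audits when the situation changes
+ * during retry. However this is logically just as if the operation
+ * happened a little later.
+ */
+ if ((a->type == LSM_AUDIT_DATA_FS) &&
+ (flags & IPERM_FLAG_RCU))
+ return -ECHILD;
+
  a->selinux_audit_data.tclass = tclass;
  a->selinux_audit_data.requested = requested;
  a->selinux_audit_data.ssid = ssid;
@@ -529,6 +544,7 @@ void avc_audit(u32 ssid, u32 tsid,
  a->lsm_pre_audit = avc_audit_pre_callback;
  a->lsm_post_audit = avc_audit_post_callback;
  common_lsm_audit(a);
+ return 0;
 }
 
 /**
@@ -793,6 +809,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
  * @tclass: target security class
  * @requested: requested permissions, interpreted based on @tclass
  * @auditdata: auxiliary audit data
+ * @flags: VFS walk flags
  *
  * Check the AVC to determine whether the @requested permissions are granted
  * for the SID pair (@ssid, @tsid), interpreting the permissions
@@ -802,14 +819,19 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
  * permissions are granted, -%EACCES if any permissions are denied, or
  * another -errno upon other errors.
  */
-int avc_has_perm(u32 ssid, u32 tsid, u16 tclass,
+int avc_has_perm_flags(u32 ssid, u32 tsid, u16 tclass,
- u32 requested, struct common_audit_data *auditdata)
+ u32 requested, struct common_audit_data *auditdata,
+ unsigned flags)
 {
  struct av_decision avd;
- int rc;
+ int rc, rc2;
 
  rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd);
- avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata);
+
+ rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata,
+ flags);
+ if (rc2)
+ return rc2;
  return rc;
 }
 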
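Review bot: avc_audit now returns an int, but its kernel-doc (the block closed by the `*/` at the top of the second hunk) still has no return description, and the return paragraph of avc_has_perm_flags in the last hunk still lists only %0, -%EACCES and "another -errno", so the new -ECHILD path is undocumented at both sites. Proposed for avc_audit: `* Returns %0, or -%ECHILD when @a carries FS data and @flags has %IPERM_FLAG_RCU, in which case no record is written and the audit must be redone by the caller outside the RCU walk.` For avc_has_perm_flags, add `* -%ECHILD if the audit had to be deferred to an RCU-walk retry,` ahead of the existing "another -errno" line. It is also worth a one-line comment at `if (rc2)` that an -ECHILD from avc_audit is deliberately returned in preference to a denial held in rc, since a reader could otherwise take that for a lost denial; presumably the ref-walk retry repeats the whole check, but that happens outside this file.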
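--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -79,6 +79,7 @@
 #include <linux/mutex.h>
 #include <linux/posix-timers.h>
 #include <linux/syslog.h>
+#include <linux/user_namespace.h>
 
 #include "avc.h"
 #include "objsec.h"
@@ -1445,8 +1446,11 @@ static int task_has_capability(struct task_struct *tsk,
  }
 
  rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
- if (audit == SECURITY_CAP_AUDIT)
+ if (audit == SECURITY_CAP_AUDIT) {
- avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
+ int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
+ if (rc2)
+ return rc2;
+ }
  return rc;
 }
 
@@ -1466,7 +1470,8 @@ static int task_has_system(struct task_struct *tsk,
 static int inode_has_perm(const struct cred *cred,
  struct inode *inode,
  u32 perms,
- struct common_audit_data *adp)
+ struct common_audit_data *adp,
+ unsigned flags)
 {
  struct inode_security_struct *isec;
  struct common_audit_data ad;
@@ -1486,7 +1491,7 @@ static int inode_has_perm(const struct cred *cred,
  ad.u.fs.inode = inode;
  }
 
- return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
+ return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
 }
 
 /* Same as inode_has_perm, but pass explicit audit data containing
@@ -1503,7 +1508,7 @@ static inline int dentry_has_perm(const struct cred *cred,
  COMMON_AUDIT_DATA_INIT(&ad, FS);
  ad.u.fs.path.mnt = mnt;
  ad.u.fs.path.dentry = dentry;
- return inode_has_perm(cred, inode, av, &ad);
+ return inode_has_perm(cred, inode, av, &ad, 0);
 }
 
 /* Check whether a task can use an open file descriptor to
@@ -1539,7 +1544,7 @@ static int file_has_perm(const struct cred *cred,
  /* av is zero if only checking access to the descriptor. */
  rc = 0;
  if (av)
- rc = inode_has_perm(cred, inode, av, &ad);
+ rc = inode_has_perm(cred, inode, av, &ad, 0);
 
 out:
  return rc;
@@ -1847,11 +1852,11 @@ static int selinux_capset(struct cred *new, const struct cred *old,
  */
 
 static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
- int cap, int audit)
+ struct user_namespace *ns, int cap, int audit)
 {
  int rc;
 
- rc = cap_capable(tsk, cred, cap, audit);
+ rc = cap_capable(tsk, cred, ns, cap, audit);
  if (rc)
  return rc;
 
@@ -1932,7 +1937,8 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
 {
  int rc, cap_sys_admin = 0;
 
- rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
+ rc = selinux_capable(current, current_cred(),
+ &init_user_ns, CAP_SYS_ADMIN,
  SECURITY_CAP_NOAUDIT);
  if (rc == 0)
  cap_sys_admin = 1;
@@ -2102,7 +2108,7 @@ static inline void flush_unauthorized_files(const struct cred *cred,
  file = file_priv->file;
  inode = file->f_path.dentry->d_inode;
  if (inode_has_perm(cred, inode,
- FILE__READ | FILE__WRITE, NULL)) {
+ FILE__READ | FILE__WRITE, NULL, 0)) {
  drop_tty = 1;
  }
  }
@@ -2634,7 +2640,7 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *na
  return dentry_has_perm(cred, NULL, dentry, FILE__READ);
 }
 
-static int selinux_inode_permission(struct inode *inode, int mask)
+static int selinux_inode_permission(struct inode *inode, int mask, unsigned flags)
 {
  const struct cred *cred = current_cred();
  struct common_audit_data ad;
@@ -2656,7 +2662,7 @@ static int selinux_inode_permission(struct inode *inode, int mask)
 
  perms = file_mask_to_av(inode->i_mode, mask);
 
- return inode_has_perm(cred, inode, perms, &ad);
+ return inode_has_perm(cred, inode, perms, &ad, flags);
 }
 
 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
@@ -2724,7 +2730,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
  if (!(sbsec->flags & SE_SBLABELSUPP))
  return -EOPNOTSUPP;
 
- if (!is_owner_or_cap(inode))
+ if (!inode_owner_or_capable(inode))
  return -EPERM;
 
  COMMON_AUDIT_DATA_INIT(&ad, FS);
@@ -2835,7 +2841,8 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
  * and lack of permission just means that we fall back to the
  * in-core context value, not a denial.
  */
- error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
+ error = selinux_capable(current, current_cred(),
+ &init_user_ns, CAP_MAC_ADMIN,
  SECURITY_CAP_NOAUDIT);
  if (!error)
  error = security_sid_to_context_force(isec->sid, &context,
@@ -2969,7 +2976,7 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
  case KDSKBENT:
  case KDSKBSENT:
  error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG,
  SECURITY_CAP_AUDIT);
  break;
 
  /* default case assumes that the command will go
@@ -3203,7 +3210,7 @@ static int selinux_dentry_open(struct file *file, const struct cred *cred)
  * new inode label or new policy.
  * This check is not redundant - do not remove.
  */
- return inode_has_perm(cred, inode, open_file_to_av(file), NULL);
+ return inode_has_perm(cred, inode, open_file_to_av(file), NULL, 0);
 }
 
 /* task security operations */
@@ -4347,7 +4354,7 @@ static void selinux_secmark_refcount_dec(void)
 static void selinux_req_classify_flow(const struct request_sock *req,
  struct flowi *fl)
 {
- fl->secid = req->secid;
+ fl->flowi_secid = req->secid;
 }
 
 static int selinux_tun_dev_create(void)
@@ -4696,6 +4703,7 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability)
 {
  int err;
  struct common_audit_data ad;
+ u32 sid;
 
  err = cap_netlink_recv(skb, capability);
  if (err)
@@ -4704,8 +4712,9 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability)
  COMMON_AUDIT_DATA_INIT(&ad, CAP);
  ad.u.cap = capability;
 
- return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
+ security_task_getsecid(current, &sid);
- SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
+ return avc_has_perm(sid, sid, SECCLASS_CAPABILITY,
+ CAP_TO_MASK(capability), &ad);
 }
 
 static int ipc_alloc_security(struct task_struct *task,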
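Review bot: inode_has_perm gains an `unsigned flags` parameter in the hunk at @@ -1466 without any comment saying what it carries or that a non-zero value can make the function return -ECHILD instead of a verdict; the function's comment header sits above that hunk, so the note belongs there. Suggested: `/* @flags: IPERM_FLAG_* bits from the VFS. With IPERM_FLAG_RCU set the AVC audit may be deferred and -ECHILD returned; only selinux_inode_permission passes the VFS flags through, every other caller in this diff passes 0. */`. The same caveat applies to selinux_inode_permission at @@ -2634, whose return value now includes -ECHILD from inode_has_perm; the body of both functions continues between and beyond the visible hunks.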
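--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -54,11 +54,11 @@ struct avc_cache_stats {
 
 void __init avc_init(void);
 
-void avc_audit(u32 ssid, u32 tsid,
+int avc_audit(u32 ssid, u32 tsid,
  u16 tclass, u32 requested,
  struct av_decision *avd,
  int result,
- struct common_audit_data *a);
+ struct common_audit_data *a, unsigned flags);
 
 #define AVC_STRICT 1 /* Ignore permissive mode. */
 int avc_has_perm_noaudit(u32 ssid, u32 tsid,
@@ -66,9 +66,17 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
  unsigned flags,
  struct av_decision *avd);
 
-int avc_has_perm(u32 ssid, u32 tsid,
+int avc_has_perm_flags(u32 ssid, u32 tsid,
  u16 tclass, u32 requested,
- struct common_audit_data *auditdata);
+ struct common_audit_data *auditdata,
+ unsigned);
+
+static inline int avc_has_perm(u32 ssid, u32 tsid,
+ u16 tclass, u32 requested,
+ struct common_audit_data *auditdata)
+{
+ return avc_has_perm_flags(ssid, tsid, tclass, requested, auditdata, 0);
+}
 
 u32 avc_policy_seqno(void);
 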
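Review bot: The new avc_has_perm_flags prototype in the second hunk leaves its last parameter unnamed (`unsigned);`) while the avc_audit prototype in the first hunk names the same argument `unsigned flags`; prototypes in this header otherwise name every parameter, and the name is what tells a reader which flags are meant. Change the line to `unsigned flags);`. The static inline avc_has_perm wrapper would also benefit from a one-line comment such as `/* avc_has_perm_flags() with no VFS walk flags; the -ECHILD deferral in avc_audit() is keyed on those flags, so this form never defers the audit. */`, which keeps existing callers from wondering whether they must now handle -ECHILD.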
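--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -19,7 +19,7 @@ void selinux_xfrm_state_free(struct xfrm_state *x);
 int selinux_xfrm_state_delete(struct xfrm_state *x);
 int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
 int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
- struct xfrm_policy *xp, struct flowi *fl);
+ struct xfrm_policy *xp, const struct flowi *fl);
 
 /*
  * Extract the security blob from the sock (it's actually on the socket)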
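--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -151,7 +151,7 @@ void selinux_netlbl_sk_security_free(struct sk_security_struct *sksec)
  *
  * Description:
  * Called when the NetLabel state of a sk_security_struct needs to be reset.
- * The caller is responsibile for all the NetLabel sk_security_struct locking.
+ * The caller is responsible for all the NetLabel sk_security_struct locking.
  *
  */
 void selinux_netlbl_sk_security_reset(struct sk_security_struct *sksec)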
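--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -213,7 +213,7 @@ static u16 map_class(u16 pol_value)
  return i;
  }
 
- return pol_value;
+ return SECCLASS_NULL;
 }
 
 static void map_decision(u16 tclass, struct av_decision *avd,
@@ -2806,7 +2806,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
  case AUDIT_SUBJ_CLR:
  case AUDIT_OBJ_LEV_LOW:
  case AUDIT_OBJ_LEV_HIGH:
- /* we do not allow a range, indicated by the presense of '-' */
+ /* we do not allow a range, indicated by the presence of '-' */
  if (strchr(rulestr, '-'))
  return -EINVAL;
  break;
@@ -3075,7 +3075,7 @@ static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr,
  * Description:
  * Convert the given NetLabel security attributes in @secattr into a
  * SELinux SID. If the @secattr field does not contain a full SELinux
- * SID/context then use SECINITSID_NETMSG as the foundation. If possibile the
+ * SID/context then use SECINITSID_NETMSG as the foundation. If possible the
  * 'cache' field of @secattr is set and the CACHE flag is set; this is to
  * allow the @secattr to be used by NetLabel to cache the secattr to SID
  * conversion for future lookups. Returns zero on success, negative values on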
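Review bot: map_class in the first hunk now returns SECCLASS_NULL for a policy class with no kernel mapping instead of echoing pol_value, but nothing in the function says so, and a caller that used to compare the result against a kernel class index could not previously tell an unmapped class from a real one; it should now test for SECCLASS_NULL explicitly. Suggest a comment on the new return: `/* No kernel class corresponds to this policy class; SECCLASS_NULL tells callers the mapping failed rather than handing back a policy index. */`. The loop and signature of map_class are above the hunk, and the callers are not in this diff, so whether they already check for SECCLASS_NULL cannot be confirmed from here.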
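--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -112,7 +112,7 @@ int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
  */
 
 int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp,
- struct flowi *fl)
+ const struct flowi *fl)
 {
  u32 state_sid;
  int rc;
@@ -135,10 +135,10 @@ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *
 
  state_sid = x->security->ctx_sid;
 
- if (fl->secid != state_sid)
+ if (fl->flowi_secid != state_sid)
  return 0;
 
- rc = avc_has_perm(fl->secid, state_sid, SECCLASS_ASSOCIATION,
+ rc = avc_has_perm(fl->flowi_secid, state_sid, SECCLASS_ASSOCIATION,
  ASSOCIATION__SENDTO,
  NULL)? 0:1;
 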