2 files changed, 25 insertions, 17 deletions

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3ae9bec5a508..03fc6a81ae32 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1738,24 +1738,34 @@ static inline u32 file_to_av(struct file *file)
 
 /* Hook functions begin here. */
 
-static int selinux_ptrace(struct task_struct *parent,
-                          struct task_struct *child,
-                          unsigned int mode)
+static int selinux_ptrace_may_access(struct task_struct *child,
+                                     unsigned int mode)
 {
         int rc;
 
-        rc = secondary_ops->ptrace(parent, child, mode);
+        rc = secondary_ops->ptrace_may_access(child, mode);
         if (rc)
                 return rc;
 
         if (mode == PTRACE_MODE_READ) {
-                struct task_security_struct *tsec = parent->security;
+                struct task_security_struct *tsec = current->security;
                 struct task_security_struct *csec = child->security;
                 return avc_has_perm(tsec->sid, csec->sid,
                                     SECCLASS_FILE, FILE__READ, NULL);
         }
 
-        return task_has_perm(parent, child, PROCESS__PTRACE);
+        return task_has_perm(current, child, PROCESS__PTRACE);
+}
+
+static int selinux_ptrace_traceme(struct task_struct *parent)
+{
+        int rc;
+
+        rc = secondary_ops->ptrace_traceme(parent);
+        if (rc)
+                return rc;
+
+        return task_has_perm(parent, current, PROCESS__PTRACE);
 }
 
 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
@@ -5346,7 +5356,8 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
 static struct security_operations selinux_ops = {
         .name =                         "selinux",
 
-        .ptrace =                       selinux_ptrace,
+        .ptrace_may_access =            selinux_ptrace_may_access,
+        .ptrace_traceme =               selinux_ptrace_traceme,
         .capget =                       selinux_capget,
         .capset_check =                 selinux_capset_check,
         .capset_set =                   selinux_capset_set,
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index b52f923ce680..8551952ef329 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -811,11 +811,12 @@ static int string_to_context_struct(struct policydb *pol,
         /* Check the validity of the new context. */
         if (!policydb_context_isvalid(pol, ctx)) {
                 rc = -EINVAL;
-                context_destroy(ctx);
                 goto out;
         }
         rc = 0;
 out:
+        if (rc)
+                context_destroy(ctx);
         return rc;
 }
 
@@ -868,8 +869,7 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
         } else if (rc)
                 goto out;
         rc = sidtab_context_to_sid(&sidtab, &context, sid);
-        if (rc)
-                context_destroy(&context);
+        context_destroy(&context);
 out:
         read_unlock(&policy_rwlock);
         kfree(scontext2);
@@ -2737,6 +2737,7 @@ int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
                 if (ctx == NULL)
                         goto netlbl_secattr_to_sid_return;
 
+                context_init(&ctx_new);
                 ctx_new.user = ctx->user;
                 ctx_new.role = ctx->role;
                 ctx_new.type = ctx->type;
@@ -2745,13 +2746,9 @@ int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
                         if (ebitmap_netlbl_import(&ctx_new.range.level[0].cat,
                                                   secattr->attr.mls.cat) != 0)
                                 goto netlbl_secattr_to_sid_return;
-                        ctx_new.range.level[1].cat.highbit =
-                                ctx_new.range.level[0].cat.highbit;
-                        ctx_new.range.level[1].cat.node =
-                                ctx_new.range.level[0].cat.node;
-                } else {
-                        ebitmap_init(&ctx_new.range.level[0].cat);
-                        ebitmap_init(&ctx_new.range.level[1].cat);
+                        memcpy(&ctx_new.range.level[1].cat,
+                               &ctx_new.range.level[0].cat,
+                               sizeof(ctx_new.range.level[0].cat));
                 }
                 if (mls_context_isvalid(&policydb, &ctx_new) != 1)
                         goto netlbl_secattr_to_sid_return_cleanup;