Diffstat (limited to 'security')
-rw-r--r--security/apparmor/Makefile38
-rw-r--r--security/apparmor/lsm.c7
-rw-r--r--security/apparmor/match.c2
-rw-r--r--security/apparmor/policy_unpack.c2
-rw-r--r--security/capability.c2
-rw-r--r--security/commoncap.c83
-rw-r--r--security/security.c25
-rw-r--r--security/selinux/hooks.c23
-rw-r--r--security/selinux/include/xfrm.h2
-rw-r--r--security/selinux/netlabel.c2
-rw-r--r--security/selinux/ss/services.c4
-rw-r--r--security/selinux/xfrm.c6
-rw-r--r--security/smack/smack_access.c2
-rw-r--r--security/smack/smack_lsm.c6
-rw-r--r--security/smack/smackfs.c6
-rw-r--r--security/tomoyo/load_policy.c2
16 files changed, 148 insertions, 64 deletions
diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
index f204869399ea..2dafe50a2e25 100644
--- a/security/apparmor/Makefile
+++ b/security/apparmor/Makefile
@@ -6,19 +6,47 @@ apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
6 path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \ 6 path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
7 resource.o sid.o file.o 7 resource.o sid.o file.o
8 8
9clean-files: capability_names.h af_names.h 9clean-files := capability_names.h rlim_names.h
10 10
11
12# Build a lower case string table of capability names
13# Transforms lines from
14# #define CAP_DAC_OVERRIDE 1
15# to
16# [1] = "dac_override",
11quiet_cmd_make-caps = GEN $@ 17quiet_cmd_make-caps = GEN $@
12cmd_make-caps = echo "static const char *capability_names[] = {" > $@ ; sed -n -e "/CAP_FS_MASK/d" -e "s/^\#define[ \\t]\\+CAP_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\$$/[\\2] = \"\\1\",/p" $< | tr A-Z a-z >> $@ ; echo "};" >> $@ 18cmd_make-caps = echo "static const char *capability_names[] = {" > $@ ;\
19 sed $< >>$@ -r -n -e '/CAP_FS_MASK/d' \
20 -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/[\2] = "\L\1",/p';\
21 echo "};" >> $@
22
13 23
24# Build a lower case string table of rlimit names.
25# Transforms lines from
26# #define RLIMIT_STACK 3 /* max stack size */
27# to
28# [RLIMIT_STACK] = "stack",
29#
30# and build a second integer table (with the second sed cmd), that maps
31# RLIMIT defines to the order defined in asm-generic/resource.h Thi is
32# required by policy load to map policy ordering of RLIMITs to internal
33# ordering for architectures that redefine an RLIMIT.
34# Transforms lines from
35# #define RLIMIT_STACK 3 /* max stack size */
36# to
37# RLIMIT_STACK,
14quiet_cmd_make-rlim = GEN $@ 38quiet_cmd_make-rlim = GEN $@
15cmd_make-rlim = echo "static const char *rlim_names[] = {" > $@ ; sed -n --e "/AF_MAX/d" -e "s/^\# \\?define[ \\t]\\+RLIMIT_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/[\\2] = \"\\1\",/p" $< | tr A-Z a-z >> $@ ; echo "};" >> $@ ; echo "static const int rlim_map[] = {" >> $@ ; sed -n -e "/AF_MAX/d" -e "s/^\# \\?define[ \\t]\\+\\(RLIMIT_[A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/\\1,/p" $< >> $@ ; echo "};" >> $@ 39cmd_make-rlim = echo "static const char *rlim_names[] = {" > $@ ;\
40 sed $< >> $@ -r -n \
41 -e 's/^\# ?define[ \t]+(RLIMIT_([A-Z0-9_]+)).*/[\1] = "\L\2",/p';\
42 echo "};" >> $@ ;\
43 echo "static const int rlim_map[] = {" >> $@ ;\
44 sed -r -n "s/^\# ?define[ \t]+(RLIMIT_[A-Z0-9_]+).*/\1,/p" $< >> $@ ;\
45 echo "};" >> $@
16 46
17$(obj)/capability.o : $(obj)/capability_names.h 47$(obj)/capability.o : $(obj)/capability_names.h
18$(obj)/resource.o : $(obj)/rlim_names.h 48$(obj)/resource.o : $(obj)/rlim_names.h
19$(obj)/capability_names.h : $(srctree)/include/linux/capability.h 49$(obj)/capability_names.h : $(srctree)/include/linux/capability.h
20 $(call cmd,make-caps) 50 $(call cmd,make-caps)
21$(obj)/af_names.h : $(srctree)/include/linux/socket.h
22 $(call cmd,make-af)
23$(obj)/rlim_names.h : $(srctree)/include/asm-generic/resource.h 51$(obj)/rlim_names.h : $(srctree)/include/asm-generic/resource.h
24 $(call cmd,make-rlim) 52 $(call cmd,make-rlim)
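Review bot: The comment block added above `cmd_make-rlim` has a typo in the sentence that explains why `rlim_map[]` exists: `Thi is required by policy load` should read `This is required by policy load`, and it would help to say explicitly that the table is indexed in asm-generic/resource.h order. Both rewritten sed scripts now depend on GNU extensions (`-r` and the `\L` case-conversion in the replacement) where the old recipes used POSIX sed plus `tr A-Z a-z`; the kernel build already assumes GNU tools, but a one-line note would save the next person who wonders why `\L` is safe here, e.g. `# NOTE: relies on GNU sed (-r, \L in the replacement)`. The regex still matches `RLIMIT_NLIMITS` from the same header, as the old one did, so `rlim_names[]`/`rlim_map[]` gain a trailing "nlimits" entry; if that is intentional a comment saying so would avoid a later "fix".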
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index b7106f192b75..ae3a698415e6 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -22,6 +22,7 @@
22#include <linux/ctype.h> 22#include <linux/ctype.h>
23#include <linux/sysctl.h> 23#include <linux/sysctl.h>
24#include <linux/audit.h> 24#include <linux/audit.h>
25#include <linux/user_namespace.h>
25#include <net/sock.h> 26#include <net/sock.h>
26 27
27#include "include/apparmor.h" 28#include "include/apparmor.h"
@@ -136,11 +137,11 @@ static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective,
136} 137}
137 138
138static int apparmor_capable(struct task_struct *task, const struct cred *cred, 139static int apparmor_capable(struct task_struct *task, const struct cred *cred,
139 int cap, int audit) 140 struct user_namespace *ns, int cap, int audit)
140{ 141{
141 struct aa_profile *profile; 142 struct aa_profile *profile;
142 /* cap_capable returns 0 on success, else -EPERM */ 143 /* cap_capable returns 0 on success, else -EPERM */
143 int error = cap_capable(task, cred, cap, audit); 144 int error = cap_capable(task, cred, ns, cap, audit);
144 if (!error) { 145 if (!error) {
145 profile = aa_cred_profile(cred); 146 profile = aa_cred_profile(cred);
146 if (!unconfined(profile)) 147 if (!unconfined(profile))
@@ -693,11 +694,9 @@ static struct kernel_param_ops param_ops_aalockpolicy = {
693 694
694static int param_set_audit(const char *val, struct kernel_param *kp); 695static int param_set_audit(const char *val, struct kernel_param *kp);
695static int param_get_audit(char *buffer, struct kernel_param *kp); 696static int param_get_audit(char *buffer, struct kernel_param *kp);
696#define param_check_audit(name, p) __param_check(name, p, int)
697 697
698static int param_set_mode(const char *val, struct kernel_param *kp); 698static int param_set_mode(const char *val, struct kernel_param *kp);
699static int param_get_mode(char *buffer, struct kernel_param *kp); 699static int param_get_mode(char *buffer, struct kernel_param *kp);
700#define param_check_mode(name, p) __param_check(name, p, int)
701 700
702/* Flag values, also controllable via /sys/module/apparmor/parameters 701/* Flag values, also controllable via /sys/module/apparmor/parameters
703 * We define special types as we want to do additional mediation. 702 * We define special types as we want to do additional mediation.
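Review bot: In apparmor_capable the new `ns` argument is only forwarded to `cap_capable()`; the AppArmor-specific mediation that follows when the profile is confined (outside the hunk, after `if (!unconfined(profile))`) does not receive it, so a confined task's capability use is judged the same way whatever user namespace the capability is requested in. That is presumably deliberate since AppArmor profiles are not namespace-aware, but it is worth stating so a later reader does not assume profile rules are scoped per namespace, e.g. `/* ns is consulted only by cap_capable(); AppArmor profile mediation is not scoped by user namespace */` above the `cap_capable()` call. The existing comment `cap_capable returns 0 on success, else -EPERM` remains accurate for the new per-namespace loop. apparmor_capable's body continues past the end of the hunk.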
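--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -195,7 +195,7 @@ void aa_dfa_free_kref(struct kref *kref)
  *
  * Unpack a dfa that has been serialized. To find information on the dfa
  * format look in Documentation/apparmor.txt
- * Assumes the dfa @blob stream has been aligned on a 8 byte boundry
+ * Assumes the dfa @blob stream has been aligned on a 8 byte boundary
  *
  * Returns: an unpacked dfa ready for matching or ERR_PTR on failure
  */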
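--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -359,7 +359,7 @@ fail:
  * @e: serialized data extent information (NOT NULL)
  * @profile: profile to add the accept table to (NOT NULL)
  *
- * Returns: 1 if table succesfully unpacked
+ * Returns: 1 if table successfully unpacked
  */
 static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile)
 {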
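--- a/security/capability.c
+++ b/security/capability.c
@@ -761,7 +761,7 @@ static int cap_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 sk_sid, u8 dir)
 
 static int cap_xfrm_state_pol_flow_match(struct xfrm_state *x,
  struct xfrm_policy *xp,
- struct flowi *fl)
+ const struct flowi *fl)
 {
  return 1;
 }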
diff --git a/security/commoncap.c b/security/commoncap.c
index 64c2ed9c9015..f20e984ccfb4 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -27,6 +27,7 @@
27#include <linux/sched.h> 27#include <linux/sched.h>
28#include <linux/prctl.h> 28#include <linux/prctl.h>
29#include <linux/securebits.h> 29#include <linux/securebits.h>
30#include <linux/user_namespace.h>
30 31
31/* 32/*
32 * If a non-root user executes a setuid-root binary in 33 * If a non-root user executes a setuid-root binary in
@@ -52,13 +53,12 @@ static void warn_setuid_and_fcaps_mixed(const char *fname)
52 53
53int cap_netlink_send(struct sock *sk, struct sk_buff *skb) 54int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
54{ 55{
55 NETLINK_CB(skb).eff_cap = current_cap();
56 return 0; 56 return 0;
57} 57}
58 58
59int cap_netlink_recv(struct sk_buff *skb, int cap) 59int cap_netlink_recv(struct sk_buff *skb, int cap)
60{ 60{
61 if (!cap_raised(NETLINK_CB(skb).eff_cap, cap)) 61 if (!cap_raised(current_cap(), cap))
62 return -EPERM; 62 return -EPERM;
63 return 0; 63 return 0;
64} 64}
@@ -68,6 +68,7 @@ EXPORT_SYMBOL(cap_netlink_recv);
68 * cap_capable - Determine whether a task has a particular effective capability 68 * cap_capable - Determine whether a task has a particular effective capability
69 * @tsk: The task to query 69 * @tsk: The task to query
70 * @cred: The credentials to use 70 * @cred: The credentials to use
71 * @ns: The user namespace in which we need the capability
71 * @cap: The capability to check for 72 * @cap: The capability to check for
72 * @audit: Whether to write an audit message or not 73 * @audit: Whether to write an audit message or not
73 * 74 *
@@ -79,10 +80,30 @@ EXPORT_SYMBOL(cap_netlink_recv);
79 * cap_has_capability() returns 0 when a task has a capability, but the 80 * cap_has_capability() returns 0 when a task has a capability, but the
80 * kernel's capable() and has_capability() returns 1 for this case. 81 * kernel's capable() and has_capability() returns 1 for this case.
81 */ 82 */
82int cap_capable(struct task_struct *tsk, const struct cred *cred, int cap, 83int cap_capable(struct task_struct *tsk, const struct cred *cred,
83 int audit) 84 struct user_namespace *targ_ns, int cap, int audit)
84{ 85{
85 return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM; 86 for (;;) {
87 /* The creator of the user namespace has all caps. */
88 if (targ_ns != &init_user_ns && targ_ns->creator == cred->user)
89 return 0;
90
91 /* Do we have the necessary capabilities? */
92 if (targ_ns == cred->user->user_ns)
93 return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
94
95 /* Have we tried all of the parent namespaces? */
96 if (targ_ns == &init_user_ns)
97 return -EPERM;
98
99 /*
100 *If you have a capability in a parent user ns, then you have
101 * it over all children user namespaces as well.
102 */
103 targ_ns = targ_ns->creator->user_ns;
104 }
105
106 /* We never get here */
86} 107}
87 108
88/** 109/**
@@ -93,7 +114,7 @@ int cap_capable(struct task_struct *tsk, const struct cred *cred, int cap,
93 * Determine whether the current process may set the system clock and timezone 114 * Determine whether the current process may set the system clock and timezone
94 * information, returning 0 if permission granted, -ve if denied. 115 * information, returning 0 if permission granted, -ve if denied.
95 */ 116 */
96int cap_settime(struct timespec *ts, struct timezone *tz) 117int cap_settime(const struct timespec *ts, const struct timezone *tz)
97{ 118{
98 if (!capable(CAP_SYS_TIME)) 119 if (!capable(CAP_SYS_TIME))
99 return -EPERM; 120 return -EPERM;
@@ -106,18 +127,30 @@ int cap_settime(struct timespec *ts, struct timezone *tz)
106 * @child: The process to be accessed 127 * @child: The process to be accessed
107 * @mode: The mode of attachment. 128 * @mode: The mode of attachment.
108 * 129 *
130 * If we are in the same or an ancestor user_ns and have all the target
131 * task's capabilities, then ptrace access is allowed.
132 * If we have the ptrace capability to the target user_ns, then ptrace
133 * access is allowed.
134 * Else denied.
135 *
109 * Determine whether a process may access another, returning 0 if permission 136 * Determine whether a process may access another, returning 0 if permission
110 * granted, -ve if denied. 137 * granted, -ve if denied.
111 */ 138 */
112int cap_ptrace_access_check(struct task_struct *child, unsigned int mode) 139int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
113{ 140{
114 int ret = 0; 141 int ret = 0;
142 const struct cred *cred, *child_cred;
115 143
116 rcu_read_lock(); 144 rcu_read_lock();
117 if (!cap_issubset(__task_cred(child)->cap_permitted, 145 cred = current_cred();
118 current_cred()->cap_permitted) && 146 child_cred = __task_cred(child);
119 !capable(CAP_SYS_PTRACE)) 147 if (cred->user->user_ns == child_cred->user->user_ns &&
120 ret = -EPERM; 148 cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
149 goto out;
150 if (ns_capable(child_cred->user->user_ns, CAP_SYS_PTRACE))
151 goto out;
152 ret = -EPERM;
153out:
121 rcu_read_unlock(); 154 rcu_read_unlock();
122 return ret; 155 return ret;
123} 156}
@@ -126,18 +159,30 @@ int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
126 * cap_ptrace_traceme - Determine whether another process may trace the current 159 * cap_ptrace_traceme - Determine whether another process may trace the current
127 * @parent: The task proposed to be the tracer 160 * @parent: The task proposed to be the tracer
128 * 161 *
162 * If parent is in the same or an ancestor user_ns and has all current's
163 * capabilities, then ptrace access is allowed.
164 * If parent has the ptrace capability to current's user_ns, then ptrace
165 * access is allowed.
166 * Else denied.
167 *
129 * Determine whether the nominated task is permitted to trace the current 168 * Determine whether the nominated task is permitted to trace the current
130 * process, returning 0 if permission is granted, -ve if denied. 169 * process, returning 0 if permission is granted, -ve if denied.
131 */ 170 */
132int cap_ptrace_traceme(struct task_struct *parent) 171int cap_ptrace_traceme(struct task_struct *parent)
133{ 172{
134 int ret = 0; 173 int ret = 0;
174 const struct cred *cred, *child_cred;
135 175
136 rcu_read_lock(); 176 rcu_read_lock();
137 if (!cap_issubset(current_cred()->cap_permitted, 177 cred = __task_cred(parent);
138 __task_cred(parent)->cap_permitted) && 178 child_cred = current_cred();
139 !has_capability(parent, CAP_SYS_PTRACE)) 179 if (cred->user->user_ns == child_cred->user->user_ns &&
140 ret = -EPERM; 180 cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
181 goto out;
182 if (has_ns_capability(parent, child_cred->user->user_ns, CAP_SYS_PTRACE))
183 goto out;
184 ret = -EPERM;
185out:
141 rcu_read_unlock(); 186 rcu_read_unlock();
142 return ret; 187 return ret;
143} 188}
@@ -177,7 +222,8 @@ static inline int cap_inh_is_capped(void)
177 /* they are so limited unless the current task has the CAP_SETPCAP 222 /* they are so limited unless the current task has the CAP_SETPCAP
178 * capability 223 * capability
179 */ 224 */
180 if (cap_capable(current, current_cred(), CAP_SETPCAP, 225 if (cap_capable(current, current_cred(),
226 current_cred()->user->user_ns, CAP_SETPCAP,
181 SECURITY_CAP_AUDIT) == 0) 227 SECURITY_CAP_AUDIT) == 0)
182 return 0; 228 return 0;
183 return 1; 229 return 1;
@@ -829,7 +875,8 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
829 & (new->securebits ^ arg2)) /*[1]*/ 875 & (new->securebits ^ arg2)) /*[1]*/
830 || ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/ 876 || ((new->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/
831 || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/ 877 || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/
832 || (cap_capable(current, current_cred(), CAP_SETPCAP, 878 || (cap_capable(current, current_cred(),
879 current_cred()->user->user_ns, CAP_SETPCAP,
833 SECURITY_CAP_AUDIT) != 0) /*[4]*/ 880 SECURITY_CAP_AUDIT) != 0) /*[4]*/
834 /* 881 /*
835 * [1] no changing of bits that are locked 882 * [1] no changing of bits that are locked
@@ -894,7 +941,7 @@ int cap_vm_enough_memory(struct mm_struct *mm, long pages)
894{ 941{
895 int cap_sys_admin = 0; 942 int cap_sys_admin = 0;
896 943
897 if (cap_capable(current, current_cred(), CAP_SYS_ADMIN, 944 if (cap_capable(current, current_cred(), &init_user_ns, CAP_SYS_ADMIN,
898 SECURITY_CAP_NOAUDIT) == 0) 945 SECURITY_CAP_NOAUDIT) == 0)
899 cap_sys_admin = 1; 946 cap_sys_admin = 1;
900 return __vm_enough_memory(mm, pages, cap_sys_admin); 947 return __vm_enough_memory(mm, pages, cap_sys_admin);
@@ -921,7 +968,7 @@ int cap_file_mmap(struct file *file, unsigned long reqprot,
921 int ret = 0; 968 int ret = 0;
922 969
923 if (addr < dac_mmap_min_addr) { 970 if (addr < dac_mmap_min_addr) {
924 ret = cap_capable(current, current_cred(), CAP_SYS_RAWIO, 971 ret = cap_capable(current, current_cred(), &init_user_ns, CAP_SYS_RAWIO,
925 SECURITY_CAP_AUDIT); 972 SECURITY_CAP_AUDIT);
926 /* set PF_SUPERPRIV if it turns out we allow the low mmap */ 973 /* set PF_SUPERPRIV if it turns out we allow the low mmap */
927 if (ret == 0) 974 if (ret == 0)
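Review bot: In the new cap_capable loop the `targ_ns != &init_user_ns && targ_ns->creator == cred->user` test returns success before `cred->cap_effective` is ever consulted, so any task running as the uid that created a child user namespace holds every capability in that namespace even if it has dropped all its capabilities or never had any, and `cap` itself is never examined on that path. If that is the intended model it should be stated in the kerneldoc (`@targ_ns` and the function comment), since cap_ptrace_access_check now reaches it through `ns_capable(child_cred->user->user_ns, CAP_SYS_PTRACE)` and a reader of that hook would not expect an uncapped process to pass. Separately, the new comments on cap_ptrace_access_check and cap_ptrace_traceme say "same or an ancestor user_ns", but the subset shortcut is only taken when the two `user->user_ns` pointers are equal; the ancestor case falls through to the CAP_SYS_PTRACE check, so either reword to `If we are in the same user_ns and have all the target task's capabilities` or extend the test. The `cap_netlink_recv()` change to `cap_raised(current_cap(), cap)` still inspects raw effective bits with no namespace, unlike every other check in this series; a note that netlink capability checks are deliberately init-namespace-wide would make that asymmetry visible.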
diff --git a/security/security.c b/security/security.c
index 7e34f98bf433..4ba6d4cc061f 100644
--- a/security/security.c
+++ b/security/security.c
@@ -154,29 +154,33 @@ int security_capset(struct cred *new, const struct cred *old,
154 effective, inheritable, permitted); 154 effective, inheritable, permitted);
155} 155}
156 156
157int security_capable(const struct cred *cred, int cap) 157int security_capable(struct user_namespace *ns, const struct cred *cred,
158 int cap)
158{ 159{
159 return security_ops->capable(current, cred, cap, SECURITY_CAP_AUDIT); 160 return security_ops->capable(current, cred, ns, cap,
161 SECURITY_CAP_AUDIT);
160} 162}
161 163
162int security_real_capable(struct task_struct *tsk, int cap) 164int security_real_capable(struct task_struct *tsk, struct user_namespace *ns,
165 int cap)
163{ 166{
164 const struct cred *cred; 167 const struct cred *cred;
165 int ret; 168 int ret;
166 169
167 cred = get_task_cred(tsk); 170 cred = get_task_cred(tsk);
168 ret = security_ops->capable(tsk, cred, cap, SECURITY_CAP_AUDIT); 171 ret = security_ops->capable(tsk, cred, ns, cap, SECURITY_CAP_AUDIT);
169 put_cred(cred); 172 put_cred(cred);
170 return ret; 173 return ret;
171} 174}
172 175
173int security_real_capable_noaudit(struct task_struct *tsk, int cap) 176int security_real_capable_noaudit(struct task_struct *tsk,
177 struct user_namespace *ns, int cap)
174{ 178{
175 const struct cred *cred; 179 const struct cred *cred;
176 int ret; 180 int ret;
177 181
178 cred = get_task_cred(tsk); 182 cred = get_task_cred(tsk);
179 ret = security_ops->capable(tsk, cred, cap, SECURITY_CAP_NOAUDIT); 183 ret = security_ops->capable(tsk, cred, ns, cap, SECURITY_CAP_NOAUDIT);
180 put_cred(cred); 184 put_cred(cred);
181 return ret; 185 return ret;
182} 186}
@@ -196,7 +200,7 @@ int security_syslog(int type)
196 return security_ops->syslog(type); 200 return security_ops->syslog(type);
197} 201}
198 202
199int security_settime(struct timespec *ts, struct timezone *tz) 203int security_settime(const struct timespec *ts, const struct timezone *tz)
200{ 204{
201 return security_ops->settime(ts, tz); 205 return security_ops->settime(ts, tz);
202} 206}
@@ -1103,7 +1107,7 @@ void security_sk_clone(const struct sock *sk, struct sock *newsk)
1103 1107
1104void security_sk_classify_flow(struct sock *sk, struct flowi *fl) 1108void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
1105{ 1109{
1106 security_ops->sk_getsecid(sk, &fl->secid); 1110 security_ops->sk_getsecid(sk, &fl->flowi_secid);
1107} 1111}
1108EXPORT_SYMBOL(security_sk_classify_flow); 1112EXPORT_SYMBOL(security_sk_classify_flow);
1109 1113
@@ -1236,7 +1240,8 @@ int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
1236} 1240}
1237 1241
1238int security_xfrm_state_pol_flow_match(struct xfrm_state *x, 1242int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
1239 struct xfrm_policy *xp, struct flowi *fl) 1243 struct xfrm_policy *xp,
1244 const struct flowi *fl)
1240{ 1245{
1241 return security_ops->xfrm_state_pol_flow_match(x, xp, fl); 1246 return security_ops->xfrm_state_pol_flow_match(x, xp, fl);
1242} 1247}
@@ -1248,7 +1253,7 @@ int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
1248 1253
1249void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl) 1254void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
1250{ 1255{
1251 int rc = security_ops->xfrm_decode_session(skb, &fl->secid, 0); 1256 int rc = security_ops->xfrm_decode_session(skb, &fl->flowi_secid, 0);
1252 1257
1253 BUG_ON(rc); 1258 BUG_ON(rc);
1254} 1259}
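Review bot: The new `ns` parameter on security_capable(), security_real_capable() and security_real_capable_noaudit() is undocumented, and which namespace a caller is expected to pass is not obvious from the signature; commoncap.c's cap_vm_enough_memory and cap_file_mmap pass `&init_user_ns` for global resources, while the ptrace hooks pass the target task's namespace. A short kerneldoc on each wrapper would fix that, e.g. `@ns: user namespace in which @cap is required; pass &init_user_ns for resources that are not namespaced`. Note also that security_capable() keeps passing `current` as the task while taking a caller-supplied `cred`, so the `tsk`/`cred` pair can disagree when a caller checks another task's credentials; that predates this change but the new signature is a natural place to document it.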
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 9f426b8a12b5..a0d38459d650 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -79,6 +79,7 @@
79#include <linux/mutex.h> 79#include <linux/mutex.h>
80#include <linux/posix-timers.h> 80#include <linux/posix-timers.h>
81#include <linux/syslog.h> 81#include <linux/syslog.h>
82#include <linux/user_namespace.h>
82 83
83#include "avc.h" 84#include "avc.h"
84#include "objsec.h" 85#include "objsec.h"
@@ -1866,11 +1867,11 @@ static int selinux_capset(struct cred *new, const struct cred *old,
1866 */ 1867 */
1867 1868
1868static int selinux_capable(struct task_struct *tsk, const struct cred *cred, 1869static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
1869 int cap, int audit) 1870 struct user_namespace *ns, int cap, int audit)
1870{ 1871{
1871 int rc; 1872 int rc;
1872 1873
1873 rc = cap_capable(tsk, cred, cap, audit); 1874 rc = cap_capable(tsk, cred, ns, cap, audit);
1874 if (rc) 1875 if (rc)
1875 return rc; 1876 return rc;
1876 1877
@@ -1951,7 +1952,8 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
1951{ 1952{
1952 int rc, cap_sys_admin = 0; 1953 int rc, cap_sys_admin = 0;
1953 1954
1954 rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN, 1955 rc = selinux_capable(current, current_cred(),
1956 &init_user_ns, CAP_SYS_ADMIN,
1955 SECURITY_CAP_NOAUDIT); 1957 SECURITY_CAP_NOAUDIT);
1956 if (rc == 0) 1958 if (rc == 0)
1957 cap_sys_admin = 1; 1959 cap_sys_admin = 1;
@@ -2746,7 +2748,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2746 if (!(sbsec->flags & SE_SBLABELSUPP)) 2748 if (!(sbsec->flags & SE_SBLABELSUPP))
2747 return -EOPNOTSUPP; 2749 return -EOPNOTSUPP;
2748 2750
2749 if (!is_owner_or_cap(inode)) 2751 if (!inode_owner_or_capable(inode))
2750 return -EPERM; 2752 return -EPERM;
2751 2753
2752 COMMON_AUDIT_DATA_INIT(&ad, DENTRY); 2754 COMMON_AUDIT_DATA_INIT(&ad, DENTRY);
@@ -2857,7 +2859,8 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
2857 * and lack of permission just means that we fall back to the 2859 * and lack of permission just means that we fall back to the
2858 * in-core context value, not a denial. 2860 * in-core context value, not a denial.
2859 */ 2861 */
2860 error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN, 2862 error = selinux_capable(current, current_cred(),
2863 &init_user_ns, CAP_MAC_ADMIN,
2861 SECURITY_CAP_NOAUDIT); 2864 SECURITY_CAP_NOAUDIT);
2862 if (!error) 2865 if (!error)
2863 error = security_sid_to_context_force(isec->sid, &context, 2866 error = security_sid_to_context_force(isec->sid, &context,
@@ -2991,7 +2994,7 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
2991 case KDSKBENT: 2994 case KDSKBENT:
2992 case KDSKBSENT: 2995 case KDSKBSENT:
2993 error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG, 2996 error = task_has_capability(current, cred, CAP_SYS_TTY_CONFIG,
2994 SECURITY_CAP_AUDIT); 2997 SECURITY_CAP_AUDIT);
2995 break; 2998 break;
2996 2999
2997 /* default case assumes that the command will go 3000 /* default case assumes that the command will go
@@ -4369,7 +4372,7 @@ static void selinux_secmark_refcount_dec(void)
4369static void selinux_req_classify_flow(const struct request_sock *req, 4372static void selinux_req_classify_flow(const struct request_sock *req,
4370 struct flowi *fl) 4373 struct flowi *fl)
4371{ 4374{
4372 fl->secid = req->secid; 4375 fl->flowi_secid = req->secid;
4373} 4376}
4374 4377
4375static int selinux_tun_dev_create(void) 4378static int selinux_tun_dev_create(void)
@@ -4718,6 +4721,7 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4718{ 4721{
4719 int err; 4722 int err;
4720 struct common_audit_data ad; 4723 struct common_audit_data ad;
4724 u32 sid;
4721 4725
4722 err = cap_netlink_recv(skb, capability); 4726 err = cap_netlink_recv(skb, capability);
4723 if (err) 4727 if (err)
@@ -4726,8 +4730,9 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4726 COMMON_AUDIT_DATA_INIT(&ad, CAP); 4730 COMMON_AUDIT_DATA_INIT(&ad, CAP);
4727 ad.u.cap = capability; 4731 ad.u.cap = capability;
4728 4732
4729 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid, 4733 security_task_getsecid(current, &sid);
4730 SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad); 4734 return avc_has_perm(sid, sid, SECCLASS_CAPABILITY,
4735 CAP_TO_MASK(capability), &ad);
4731} 4736}
4732 4737
4733static int ipc_alloc_security(struct task_struct *task, 4738static int ipc_alloc_security(struct task_struct *task,
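Review bot: selinux_netlink_recv now takes the subject SID from `current` at the time the hook runs (`security_task_getsecid(current, &sid)`) rather than from the SID that was stamped on the skb when it was sent, which is only equivalent if every netlink_recv hook invocation is synchronous in the sending task's context. If any netlink receiver defers message processing to a work queue or kernel thread, the CAPABILITY permission would be evaluated against that thread's kernel context instead of the sender's; the same caveat applies to `cap_netlink_recv()`'s switch to `current_cap()` in this series. I would add `/* Must run in the sender's context: the subject SID comes from current, not from the skb. */` above the `security_task_getsecid()` call so the assumption is explicit. For selinux_capable, `ns` is forwarded only to `cap_capable()`; the SELinux permission check that follows (outside the hunk) ignores it, which is fine for a non-namespaced policy but deserves a one-line comment.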
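--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -19,7 +19,7 @@ void selinux_xfrm_state_free(struct xfrm_state *x);
 int selinux_xfrm_state_delete(struct xfrm_state *x);
 int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
 int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
- struct xfrm_policy *xp, struct flowi *fl);
+ struct xfrm_policy *xp, const struct flowi *fl);
 
 /*
  * Extract the security blob from the sock (it's actually on the socket)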
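--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -151,7 +151,7 @@ void selinux_netlbl_sk_security_free(struct sk_security_struct *sksec)
  *
  * Description:
  * Called when the NetLabel state of a sk_security_struct needs to be reset.
- * The caller is responsibile for all the NetLabel sk_security_struct locking.
+ * The caller is responsible for all the NetLabel sk_security_struct locking.
  *
  */
 void selinux_netlbl_sk_security_reset(struct sk_security_struct *sksec)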
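--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2814,7 +2814,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
  case AUDIT_SUBJ_CLR:
  case AUDIT_OBJ_LEV_LOW:
  case AUDIT_OBJ_LEV_HIGH:
- /* we do not allow a range, indicated by the presense of '-' */
+ /* we do not allow a range, indicated by the presence of '-' */
  if (strchr(rulestr, '-'))
  return -EINVAL;
  break;
@@ -3083,7 +3083,7 @@ static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr,
  * Description:
  * Convert the given NetLabel security attributes in @secattr into a
  * SELinux SID. If the @secattr field does not contain a full SELinux
- * SID/context then use SECINITSID_NETMSG as the foundation. If possibile the
+ * SID/context then use SECINITSID_NETMSG as the foundation. If possible the
  * 'cache' field of @secattr is set and the CACHE flag is set; this is to
  * allow the @secattr to be used by NetLabel to cache the secattr to SID
  * conversion for future lookups. Returns zero on success, negative values on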
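--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -112,7 +112,7 @@ int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
  */
 
 int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp,
- struct flowi *fl)
+ const struct flowi *fl)
 {
  u32 state_sid;
  int rc;
@@ -135,10 +135,10 @@ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *
 
  state_sid = x->security->ctx_sid;
 
- if (fl->secid != state_sid)
+ if (fl->flowi_secid != state_sid)
  return 0;
 
- rc = avc_has_perm(fl->secid, state_sid, SECCLASS_ASSOCIATION,
+ rc = avc_has_perm(fl->flowi_secid, state_sid, SECCLASS_ASSOCIATION,
  ASSOCIATION__SENDTO,
  NULL)? 0:1;
 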
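--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -431,7 +431,7 @@ char *smk_import(const char *string, int len)
  * smack_from_secid - find the Smack label associated with a secid
  * @secid: an integer that might be associated with a Smack label
  *
- * Returns a pointer to the appropraite Smack label if there is one,
+ * Returns a pointer to the appropriate Smack label if there is one,
  * otherwise a pointer to the invalid Smack label.
  */
 char *smack_from_secid(const u32 secid)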
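--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1804,7 +1804,7 @@ static void smack_set_catset(char *catset, struct netlbl_lsm_secattr *sap)
  * Casey says that CIPSO is good enough for now.
  * It can be used to effect.
  * It can also be abused to effect when necessary.
- * Appologies to the TSIG group in general and GW in particular.
+ * Apologies to the TSIG group in general and GW in particular.
  */
 static void smack_to_secattr(char *smack, struct netlbl_lsm_secattr *nlsp)
 {
@@ -2540,7 +2540,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
  switch (sbp->s_magic) {
  case SMACK_MAGIC:
  /*
- * Casey says that it's a little embarassing
+ * Casey says that it's a little embarrassing
  * that the smack file system doesn't do
  * extended attributes.
  */
@@ -3094,7 +3094,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
  /*
  * We need to decide if we want to label the incoming connection here
  * if we do we only need to label the request_sock and the stack will
- * propogate the wire-label to the sock when it is created.
+ * propagate the wire-label to the sock when it is created.
  */
  hdr = ip_hdr(skb);
  addr.sin_addr.s_addr = hdr->saddr;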
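--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -208,7 +208,7 @@ static ssize_t smk_write_load_list(struct file *file, const char __user *buf,
  if (*ppos != 0)
  return -EINVAL;
  /*
- * Minor hack for backward compatability
+ * Minor hack for backward compatibility
  */
  if (count < (SMK_OLOADLEN) || count > SMK_LOADLEN)
  return -EINVAL;
@@ -223,7 +223,7 @@ static ssize_t smk_write_load_list(struct file *file, const char __user *buf,
  }
 
  /*
- * More on the minor hack for backward compatability
+ * More on the minor hack for backward compatibility
  */
  if (count == (SMK_OLOADLEN))
  data[SMK_OLOADLEN] = '-';
@@ -927,7 +927,7 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
  }
  } else {
  /* we delete the unlabeled entry, only if the previous label
- * wasnt the special CIPSO option */
+ * wasn't the special CIPSO option */
  if (skp->smk_label != smack_cipso_option)
  rc = netlbl_cfg_unlbl_static_del(&init_net, NULL,
  &skp->smk_host.sin_addr, &skp->smk_mask,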
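--- a/security/tomoyo/load_policy.c
+++ b/security/tomoyo/load_policy.c
@@ -23,7 +23,7 @@ static bool tomoyo_policy_loader_exists(void)
  * If the initrd includes /sbin/init but real-root-dev has not
  * mounted on / yet, activating MAC will block the system since
  * policies are not loaded yet.
- * Thus, let do_execve() call this function everytime.
+ * Thus, let do_execve() call this function every time.
  */
  struct path path;
 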