23 files changed, 603 insertions, 114 deletions
diff --git a/security/Kconfig b/security/Kconfig
index 559293922a47..d9f47ce7e207 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -51,6 +51,14 @@ config SECURITY
          If you are unsure how to answer this question, answer N.
+config SECURITYFS
+        bool "Enable the securityfs filesystem"
+        help
+          This will build the securityfs filesystem.  It is currently used by
+          the TPM bios character driver.  It is not used by SELinux or SMACK.
+          If you are unsure how to answer this question, answer N.
 config SECURITY_NETWORK
        bool "Socket and Networking Security Hooks"
        depends on SECURITY
diff --git a/security/Makefile b/security/Makefile
index f65426099aa6..c05c127fff9a 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -10,7 +10,8 @@ subdir-$(CONFIG_SECURITY_SMACK)		+= smack
 obj-y           += commoncap.o
 # Object file lists
-obj-$(CONFIG_SECURITY)                  += security.o capability.o inode.o
+obj-$(CONFIG_SECURITY)                  += security.o capability.o
+obj-$(CONFIG_SECURITYFS)                += inode.o
 # Must precede capability.o in order to stack properly.
 obj-$(CONFIG_SECURITY_SELINUX)          += selinux/built-in.o
 obj-$(CONFIG_SECURITY_SMACK)            += smack/built-in.o
diff --git a/security/commoncap.c b/security/commoncap.c
index e4c4b3fc0c04..399bfdb9e2da 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -541,7 +541,7 @@ int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid,
 * yet with increased caps.
 * So we check for increased caps on the target process.
 */
-static inline int cap_safe_nice(struct task_struct *p)
+static int cap_safe_nice(struct task_struct *p)
 {
        if (!cap_issubset(p->cap_permitted, current->cap_permitted) &&
            !capable(CAP_SYS_NICE))
diff --git a/security/inode.c b/security/inode.c
index acc6cf0d7900..ca4958ebad8d 100644
--- a/security/inode.c
+++ b/security/inode.c
@@ -190,7 +190,7 @@ static int create_by_name(const char *name, mode_t mode,
 * @name: a pointer to a string containing the name of the file to create.
 * @mode: the permission that the file should have
 * @parent: a pointer to the parent dentry for this file.  This should be a
- *          directory dentry if set.  If this paramater is NULL, then the
+ *          directory dentry if set.  If this parameter is %NULL, then the
 *          file will be created in the root of the securityfs filesystem.
 * @data: a pointer to something that the caller will want to get to later
 *        on.  The inode.i_private pointer will point to this value on
@@ -199,18 +199,18 @@ static int create_by_name(const char *name, mode_t mode,
 *        this file.
 *
 * This is the basic "create a file" function for securityfs.  It allows for a
- * wide range of flexibility in createing a file, or a directory (if you
+ * wide range of flexibility in creating a file, or a directory (if you
 * want to create a directory, the securityfs_create_dir() function is
- * recommended to be used instead.)
+ * recommended to be used instead).
 *
- * This function will return a pointer to a dentry if it succeeds.  This
+ * This function returns a pointer to a dentry if it succeeds.  This
 * pointer must be passed to the securityfs_remove() function when the file is
 * to be removed (no automatic cleanup happens if your module is unloaded,
- * you are responsible here.)  If an error occurs, NULL will be returned.
+ * you are responsible here).  If an error occurs, %NULL is returned.
 *
- * If securityfs is not enabled in the kernel, the value -ENODEV will be
+ * If securityfs is not enabled in the kernel, the value %-ENODEV is
 * returned.  It is not wise to check for this value, but rather, check for
- * NULL or !NULL instead as to eliminate the need for #ifdef in the calling
+ * %NULL or !%NULL instead as to eliminate the need for #ifdef in the calling
 * code.
 */
 struct dentry *securityfs_create_file(const char *name, mode_t mode,
@@ -252,19 +252,19 @@ EXPORT_SYMBOL_GPL(securityfs_create_file);
 * @name: a pointer to a string containing the name of the directory to
 *        create.
 * @parent: a pointer to the parent dentry for this file.  This should be a
- *          directory dentry if set.  If this paramater is NULL, then the
+ *          directory dentry if set.  If this parameter is %NULL, then the
 *          directory will be created in the root of the securityfs filesystem.
 *
- * This function creates a directory in securityfs with the given name.
+ * This function creates a directory in securityfs with the given @name.
 *
- * This function will return a pointer to a dentry if it succeeds.  This
+ * This function returns a pointer to a dentry if it succeeds.  This
 * pointer must be passed to the securityfs_remove() function when the file is
 * to be removed (no automatic cleanup happens if your module is unloaded,
- * you are responsible here.)  If an error occurs, NULL will be returned.
+ * you are responsible here).  If an error occurs, %NULL will be returned.
 *
- * If securityfs is not enabled in the kernel, the value -ENODEV will be
+ * If securityfs is not enabled in the kernel, the value %-ENODEV is
 * returned.  It is not wise to check for this value, but rather, check for
- * NULL or !NULL instead as to eliminate the need for #ifdef in the calling
+ * %NULL or !%NULL instead as to eliminate the need for #ifdef in the calling
 * code.
 */
 struct dentry *securityfs_create_dir(const char *name, struct dentry *parent)
@@ -278,16 +278,15 @@ EXPORT_SYMBOL_GPL(securityfs_create_dir);
 /**
 * securityfs_remove - removes a file or directory from the securityfs filesystem
 *
- * @dentry: a pointer to a the dentry of the file or directory to be
+ * @dentry: a pointer to a the dentry of the file or directory to be removed.
- *          removed.
 *
 * This function removes a file or directory in securityfs that was previously
 * created with a call to another securityfs function (like
 * securityfs_create_file() or variants thereof.)
 *
 * This function is required to be called in order for the file to be
- * removed, no automatic cleanup of files will happen when a module is
+ * removed. No automatic cleanup of files will happen when a module is
- * removed, you are responsible here.
+ * removed; you are responsible here.
 */
 void securityfs_remove(struct dentry *dentry)
 {
diff --git a/security/security.c b/security/security.c
index 3a4b4f55b33f..255b08559b2b 100644
--- a/security/security.c
+++ b/security/security.c
@@ -82,8 +82,8 @@ __setup("security=", choose_lsm);
 *
 * Return true if:
 *      -The passed LSM is the one chosen by user at boot time,
- *      -or user didsn't specify a specific LSM and we're the first to ask
+ *      -or user didn't specify a specific LSM and we're the first to ask
- *       for registeration permissoin,
+ *       for registration permission,
 *      -or the passed LSM is currently loaded.
 * Otherwise, return false.
 */
@@ -101,13 +101,13 @@ int __init security_module_enable(struct security_operations *ops)
 * register_security - registers a security framework with the kernel
 * @ops: a pointer to the struct security_options that is to be registered
 *
- * This function is to allow a security module to register itself with the
+ * This function allows a security module to register itself with the
 * kernel security subsystem.  Some rudimentary checking is done on the @ops
 * value passed to this function. You'll need to check first if your LSM
 * is allowed to register its @ops by calling security_module_enable(@ops).
 *
 * If there is already a security module registered with the kernel,
- * an error will be returned.  Otherwise 0 is returned on success.
+ * an error will be returned.  Otherwise %0 is returned on success.
 */
 int register_security(struct security_operations *ops)
 {
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index a436d1cfa88b..26301dd651d3 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -6,9 +6,6 @@ config SECURITY_SELINUX
        help
          This selects NSA Security-Enhanced Linux (SELinux).
          You will also need a policy configuration and a labeled filesystem.
-          You can obtain the policy compiler (checkpolicy), the utility for
-          labeling filesystems (setfiles), and an example policy configuration
-          from <http://www.nsa.gov/selinux/>.
          If you are unsure how to answer this question, answer N.
 config SECURITY_SELINUX_BOOTPARAM
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 114b4b4c97b2..cb30c7e350b3 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -136,7 +136,7 @@ static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass)
 * @tclass: target security class
 * @av: access vector
 */
-static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av)
+void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av)
 {
        const char **common_pts = NULL;
        u32 common_base = 0;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 03fc6a81ae32..4a7374c12d9c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -957,7 +957,8 @@ out_err:
        return rc;
 }
-void selinux_write_opts(struct seq_file *m, struct security_mnt_opts *opts)
+static void selinux_write_opts(struct seq_file *m,
+                               struct security_mnt_opts *opts)
 {
        int i;
        char *prefix;
@@ -1290,7 +1291,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
                /* Default to the fs superblock SID. */
                isec->sid = sbsec->sid;
-                if (sbsec->proc) {
+                if (sbsec->proc && !S_ISLNK(inode->i_mode)) {
                        struct proc_inode *proci = PROC_I(inode);
                        if (proci->pde) {
                                isec->sclass = inode_mode_to_security_class(inode->i_mode);
@@ -3548,38 +3549,44 @@ out:
 #endif /* IPV6 */
 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
-                             char **addrp, int src, u8 *proto)
+                             char **_addrp, int src, u8 *proto)
 {
-        int ret = 0;
+        char *addrp;
+        int ret;
        switch (ad->u.net.family) {
        case PF_INET:
                ret = selinux_parse_skb_ipv4(skb, ad, proto);
-                if (ret || !addrp)
+                if (ret)
-                        break;
+                        goto parse_error;
-                *addrp = (char *)(src ? &ad->u.net.v4info.saddr :
+                addrp = (char *)(src ? &ad->u.net.v4info.saddr :
-                                        &ad->u.net.v4info.daddr);
+                                       &ad->u.net.v4info.daddr);
-                break;
+                goto okay;
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
        case PF_INET6:
                ret = selinux_parse_skb_ipv6(skb, ad, proto);
-                if (ret || !addrp)
+                if (ret)
-                        break;
+                        goto parse_error;
-                *addrp = (char *)(src ? &ad->u.net.v6info.saddr :
+                addrp = (char *)(src ? &ad->u.net.v6info.saddr :
-                                        &ad->u.net.v6info.daddr);
+                                       &ad->u.net.v6info.daddr);
-                break;
+                goto okay;
 #endif  /* IPV6 */
        default:
-                break;
+                addrp = NULL;
+                goto okay;
        }
-        if (unlikely(ret))
+parse_error:
-                printk(KERN_WARNING
+        printk(KERN_WARNING
-                       "SELinux: failure in selinux_parse_skb(),"
+               "SELinux: failure in selinux_parse_skb(),"
-                       " unable to parse packet\n");
+               " unable to parse packet\n");
        return ret;
+okay:
+        if (_addrp)
+                *_addrp = addrp;
+        return 0;
 }
 /**
@@ -5219,8 +5226,12 @@ static int selinux_setprocattr(struct task_struct *p,
                if (sid == 0)
                        return -EINVAL;
+                /*
-                /* Only allow single threaded processes to change context */
+                 * SELinux allows to change context in the following case only.
+                 *  - Single threaded processes.
+                 *  - Multi threaded processes intend to change its context into
+                 *    more restricted domain (defined by TYPEBOUNDS statement).
+                 */
                if (atomic_read(&p->mm->mm_users) != 1) {
                        struct task_struct *g, *t;
                        struct mm_struct *mm = p->mm;
@@ -5228,11 +5239,16 @@ static int selinux_setprocattr(struct task_struct *p,
                        do_each_thread(g, t) {
                                if (t->mm == mm && t != p) {
                                        read_unlock(&tasklist_lock);
-                                        return -EPERM;
+                                        error = security_bounded_transition(tsec->sid, sid);
+                                        if (!error)
+                                                goto boundary_ok;
+                                        return error;
                                }
                        } while_each_thread(g, t);
                        read_unlock(&tasklist_lock);
                }
+boundary_ok:
                /* Check permissions for the transition. */
                error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index 7b9769f5e775..d12ff1a9c0aa 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -12,6 +12,7 @@
 #include <linux/kdev_t.h>
 #include <linux/spinlock.h>
 #include <linux/init.h>
+#include <linux/audit.h>
 #include <linux/in6.h>
 #include <linux/path.h>
 #include <asm/system.h>
@@ -126,6 +127,9 @@ int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
                     u32 events, u32 ssid, u32 tsid,
                     u16 tclass, u32 perms);
+/* Shows permission in human readable form */
+void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av);
 /* Exported to selinuxfs */
 int avc_get_hash_stats(char *page);
 extern unsigned int avc_cache_threshold;
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 7c543003d653..72447370bc95 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -27,13 +27,14 @@
 #define POLICYDB_VERSION_RANGETRANS     21
 #define POLICYDB_VERSION_POLCAP         22
 #define POLICYDB_VERSION_PERMISSIVE     23
+#define POLICYDB_VERSION_BOUNDARY       24
 /* Range of policy versions we understand*/
 #define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
 #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
 #define POLICYDB_VERSION_MAX    CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
 #else
-#define POLICYDB_VERSION_MAX    POLICYDB_VERSION_PERMISSIVE
+#define POLICYDB_VERSION_MAX    POLICYDB_VERSION_BOUNDARY
 #endif
 #define CONTEXT_MNT     0x01
@@ -62,6 +63,16 @@ enum {
 extern int selinux_policycap_netpeer;
 extern int selinux_policycap_openperm;
+/*
+ * type_datum properties
+ * available at the kernel policy version >= POLICYDB_VERSION_BOUNDARY
+ */
+#define TYPEDATUM_PROPERTY_PRIMARY      0x0001
+#define TYPEDATUM_PROPERTY_ATTRIBUTE    0x0002
+/* limitation of boundary depth  */
+#define POLICYDB_BOUNDS_MAXDEPTH        4
 int security_load_policy(void *data, size_t len);
 int security_policycap_supported(unsigned int req_cap);
@@ -117,6 +128,8 @@ int security_node_sid(u16 domain, void *addr, u32 addrlen,
 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
                                 u16 tclass);
+int security_bounded_transition(u32 oldsid, u32 newsid);
 int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid);
 int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,
diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c
index a1be97f8beea..1215b8e47dba 100644
--- a/security/selinux/ss/avtab.c
+++ b/security/selinux/ss/avtab.c
@@ -98,7 +98,7 @@ struct avtab_node *
 avtab_insert_nonunique(struct avtab *h, struct avtab_key *key, struct avtab_datum *datum)
 {
        int hvalue;
-        struct avtab_node *prev, *cur, *newnode;
+        struct avtab_node *prev, *cur;
        u16 specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD);
        if (!h || !h->htable)
@@ -122,9 +122,7 @@ avtab_insert_nonunique(struct avtab *h, struct avtab_key *key, struct avtab_datu
                    key->target_class < cur->key.target_class)
                        break;
        }
-        newnode = avtab_insert_node(h, hvalue, prev, cur, key, datum);
+        return avtab_insert_node(h, hvalue, prev, cur, key, datum);
-        return newnode;
 }
 struct avtab_datum *avtab_search(struct avtab *h, struct avtab_key *key)
@@ -231,7 +229,7 @@ void avtab_destroy(struct avtab *h)
        for (i = 0; i < h->nslot; i++) {
                cur = h->htable[i];
-                while (cur != NULL) {
+                while (cur) {
                        temp = cur;
                        cur = cur->next;
                        kmem_cache_free(avtab_node_cachep, temp);
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index fb4efe4f4bc8..4a4e35cac22b 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -29,7 +29,7 @@ static int cond_evaluate_expr(struct policydb *p, struct cond_expr *expr)
        int s[COND_EXPR_MAXDEPTH];
        int sp = -1;
-        for (cur = expr; cur != NULL; cur = cur->next) {
+        for (cur = expr; cur; cur = cur->next) {
                switch (cur->expr_type) {
                case COND_BOOL:
                        if (sp == (COND_EXPR_MAXDEPTH - 1))
@@ -97,14 +97,14 @@ int evaluate_cond_node(struct policydb *p, struct cond_node *node)
                if (new_state == -1)
                        printk(KERN_ERR "SELinux: expression result was undefined - disabling all rules.\n");
                /* turn the rules on or off */
-                for (cur = node->true_list; cur != NULL; cur = cur->next) {
+                for (cur = node->true_list; cur; cur = cur->next) {
                        if (new_state <= 0)
                                cur->node->key.specified &= ~AVTAB_ENABLED;
                        else
                                cur->node->key.specified |= AVTAB_ENABLED;
                }
-                for (cur = node->false_list; cur != NULL; cur = cur->next) {
+                for (cur = node->false_list; cur; cur = cur->next) {
                        /* -1 or 1 */
                        if (new_state)
                                cur->node->key.specified &= ~AVTAB_ENABLED;
@@ -128,7 +128,7 @@ int cond_policydb_init(struct policydb *p)
 static void cond_av_list_destroy(struct cond_av_list *list)
 {
        struct cond_av_list *cur, *next;
-        for (cur = list; cur != NULL; cur = next) {
+        for (cur = list; cur; cur = next) {
                next = cur->next;
                /* the avtab_ptr_t node is destroy by the avtab */
                kfree(cur);
@@ -139,7 +139,7 @@ static void cond_node_destroy(struct cond_node *node)
 {
        struct cond_expr *cur_expr, *next_expr;
-        for (cur_expr = node->expr; cur_expr != NULL; cur_expr = next_expr) {
+        for (cur_expr = node->expr; cur_expr; cur_expr = next_expr) {
                next_expr = cur_expr->next;
                kfree(cur_expr);
        }
@@ -155,7 +155,7 @@ static void cond_list_destroy(struct cond_node *list)
        if (list == NULL)
                return;
-        for (cur = list; cur != NULL; cur = next) {
+        for (cur = list; cur; cur = next) {
                next = cur->next;
                cond_node_destroy(cur);
        }
@@ -239,7 +239,7 @@ int cond_read_bool(struct policydb *p, struct hashtab *h, void *fp)
        rc = next_entry(key, fp, len);
        if (rc < 0)
                goto err;
-        key[len] = 0;
+        key[len] = '\0';
        if (hashtab_insert(h, key, booldatum))
                goto err;
@@ -291,7 +291,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
                                        goto err;
                                }
                                found = 0;
-                                for (cur = other; cur != NULL; cur = cur->next) {
+                                for (cur = other; cur; cur = cur->next) {
                                        if (cur->node == node_ptr) {
                                                found = 1;
                                                break;
@@ -485,7 +485,7 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key, struct av_decisi
        if (!ctab || !key || !avd)
                return;
-        for (node = avtab_search_node(ctab, key); node != NULL;
+        for (node = avtab_search_node(ctab, key); node;
                                node = avtab_search_node_next(node, key->specified)) {
                if ((u16)(AVTAB_ALLOWED|AVTAB_ENABLED) ==
                    (node->key.specified & (AVTAB_ALLOWED|AVTAB_ENABLED)))
diff --git a/security/selinux/ss/conditional.h b/security/selinux/ss/conditional.h
index 65b9f8366e9c..53ddb013ae57 100644
--- a/security/selinux/ss/conditional.h
+++ b/security/selinux/ss/conditional.h
@@ -28,7 +28,7 @@ struct cond_expr {
 #define COND_XOR        5 /* bool ^ bool */
 #define COND_EQ         6 /* bool == bool */
 #define COND_NEQ        7 /* bool != bool */
-#define COND_LAST       8
+#define COND_LAST       COND_NEQ
        __u32 expr_type;
        __u32 bool;
        struct cond_expr *next;
diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c
index ddc275490af8..68c7348d1acc 100644
--- a/security/selinux/ss/ebitmap.c
+++ b/security/selinux/ss/ebitmap.c
@@ -109,7 +109,7 @@ int ebitmap_netlbl_export(struct ebitmap *ebmap,
        *catmap = c_iter;
        c_iter->startbit = e_iter->startbit & ~(NETLBL_CATMAP_SIZE - 1);
-        while (e_iter != NULL) {
+        while (e_iter) {
                for (i = 0; i < EBITMAP_UNIT_NUMS; i++) {
                        unsigned int delta, e_startbit, c_endbit;
@@ -197,7 +197,7 @@ int ebitmap_netlbl_import(struct ebitmap *ebmap,
                        }
                }
                c_iter = c_iter->next;
-        } while (c_iter != NULL);
+        } while (c_iter);
        if (e_iter != NULL)
                ebmap->highbit = e_iter->startbit + EBITMAP_SIZE;
        else
diff --git a/security/selinux/ss/hashtab.c b/security/selinux/ss/hashtab.c
index 2e7788e13213..933e735bb185 100644
--- a/security/selinux/ss/hashtab.c
+++ b/security/selinux/ss/hashtab.c
@@ -81,7 +81,7 @@ void *hashtab_search(struct hashtab *h, const void *key)
        hvalue = h->hash_value(h, key);
        cur = h->htable[hvalue];
-        while (cur != NULL && h->keycmp(h, key, cur->key) > 0)
+        while (cur && h->keycmp(h, key, cur->key) > 0)
                cur = cur->next;
        if (cur == NULL || (h->keycmp(h, key, cur->key) != 0))
@@ -100,7 +100,7 @@ void hashtab_destroy(struct hashtab *h)
        for (i = 0; i < h->size; i++) {
                cur = h->htable[i];
-                while (cur != NULL) {
+                while (cur) {
                        temp = cur;
                        cur = cur->next;
                        kfree(temp);
@@ -127,7 +127,7 @@ int hashtab_map(struct hashtab *h,
        for (i = 0; i < h->size; i++) {
                cur = h->htable[i];
-                while (cur != NULL) {
+                while (cur) {
                        ret = apply(cur->key, cur->datum, args);
                        if (ret)
                                return ret;
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index 77d745da48bb..b5407f16c2a4 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -283,8 +283,8 @@ int mls_context_to_sid(struct policydb *pol,
                p++;
        delim = *p;
-        if (delim != 0)
+        if (delim != '\0')
-                *p++ = 0;
+                *p++ = '\0';
        for (l = 0; l < 2; l++) {
                levdatum = hashtab_search(pol->p_levels.table, scontextp);
@@ -302,14 +302,14 @@ int mls_context_to_sid(struct policydb *pol,
                                while (*p && *p != ',' && *p != '-')
                                        p++;
                                delim = *p;
-                                if (delim != 0)
+                                if (delim != '\0')
-                                        *p++ = 0;
+                                        *p++ = '\0';
                                /* Separate into range if exists */
                                rngptr = strchr(scontextp, '.');
                                if (rngptr != NULL) {
                                        /* Remove '.' */
-                                        *rngptr++ = 0;
+                                        *rngptr++ = '\0';
                                }
                                catdatum = hashtab_search(pol->p_cats.table,
@@ -357,8 +357,8 @@ int mls_context_to_sid(struct policydb *pol,
                                p++;
                        delim = *p;
-                        if (delim != 0)
+                        if (delim != '\0')
-                                *p++ = 0;
+                                *p++ = '\0';
                } else
                        break;
        }
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 2391761ae422..72e4a54973aa 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -30,6 +30,7 @@
 #include <linux/slab.h>
 #include <linux/string.h>
 #include <linux/errno.h>
+#include <linux/audit.h>
 #include "security.h"
 #include "policydb.h"
@@ -116,7 +117,12 @@ static struct policydb_compat_info policydb_compat[] = {
                .version        = POLICYDB_VERSION_PERMISSIVE,
                .sym_num        = SYM_NUM,
                .ocon_num       = OCON_NUM,
-        }
+        },
+        {
+                .version        = POLICYDB_VERSION_BOUNDARY,
+                .sym_num        = SYM_NUM,
+                .ocon_num       = OCON_NUM,
+        },
 };
 static struct policydb_compat_info *policydb_lookup_compat(int version)
@@ -254,7 +260,9 @@ static int role_index(void *key, void *datum, void *datap)
        role = datum;
        p = datap;
-        if (!role->value || role->value > p->p_roles.nprim)
+        if (!role->value
+            || role->value > p->p_roles.nprim
+            || role->bounds > p->p_roles.nprim)
                return -EINVAL;
        p->p_role_val_to_name[role->value - 1] = key;
        p->role_val_to_struct[role->value - 1] = role;
@@ -270,9 +278,12 @@ static int type_index(void *key, void *datum, void *datap)
        p = datap;
        if (typdatum->primary) {
-                if (!typdatum->value || typdatum->value > p->p_types.nprim)
+                if (!typdatum->value
+                    || typdatum->value > p->p_types.nprim
+                    || typdatum->bounds > p->p_types.nprim)
                        return -EINVAL;
                p->p_type_val_to_name[typdatum->value - 1] = key;
+                p->type_val_to_struct[typdatum->value - 1] = typdatum;
        }
        return 0;
@@ -285,7 +296,9 @@ static int user_index(void *key, void *datum, void *datap)
        usrdatum = datum;
        p = datap;
-        if (!usrdatum->value || usrdatum->value > p->p_users.nprim)
+        if (!usrdatum->value
+            || usrdatum->value > p->p_users.nprim
+            || usrdatum->bounds > p->p_users.nprim)
                return -EINVAL;
        p->p_user_val_to_name[usrdatum->value - 1] = key;
        p->user_val_to_struct[usrdatum->value - 1] = usrdatum;
@@ -438,6 +451,14 @@ static int policydb_index_others(struct policydb *p)
                goto out;
        }
+        p->type_val_to_struct =
+                kmalloc(p->p_types.nprim * sizeof(*(p->type_val_to_struct)),
+                        GFP_KERNEL);
+        if (!p->type_val_to_struct) {
+                rc = -ENOMEM;
+                goto out;
+        }
        if (cond_init_bool_indexes(p)) {
                rc = -ENOMEM;
                goto out;
@@ -625,6 +646,7 @@ void policydb_destroy(struct policydb *p)
        kfree(p->class_val_to_struct);
        kfree(p->role_val_to_struct);
        kfree(p->user_val_to_struct);
+        kfree(p->type_val_to_struct);
        avtab_destroy(&p->te_avtab);
@@ -932,7 +954,7 @@ static int perm_read(struct policydb *p, struct hashtab *h, void *fp)
        rc = next_entry(key, fp, len);
        if (rc < 0)
                goto bad;
-        key[len] = 0;
+        key[len] = '\0';
        rc = hashtab_insert(h, key, perdatum);
        if (rc)
@@ -979,7 +1001,7 @@ static int common_read(struct policydb *p, struct hashtab *h, void *fp)
        rc = next_entry(key, fp, len);
        if (rc < 0)
                goto bad;
-        key[len] = 0;
+        key[len] = '\0';
        for (i = 0; i < nel; i++) {
                rc = perm_read(p, comdatum->permissions.table, fp);
@@ -1117,7 +1139,7 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
        rc = next_entry(key, fp, len);
        if (rc < 0)
                goto bad;
-        key[len] = 0;
+        key[len] = '\0';
        if (len2) {
                cladatum->comkey = kmalloc(len2 + 1, GFP_KERNEL);
@@ -1128,7 +1150,7 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
                rc = next_entry(cladatum->comkey, fp, len2);
                if (rc < 0)
                        goto bad;
-                cladatum->comkey[len2] = 0;
+                cladatum->comkey[len2] = '\0';
                cladatum->comdatum = hashtab_search(p->p_commons.table,
                                                    cladatum->comkey);
@@ -1176,8 +1198,8 @@ static int role_read(struct policydb *p, struct hashtab *h, void *fp)
 {
        char *key = NULL;
        struct role_datum *role;
-        int rc;
+        int rc, to_read = 2;
-        __le32 buf[2];
+        __le32 buf[3];
        u32 len;
        role = kzalloc(sizeof(*role), GFP_KERNEL);
@@ -1186,12 +1208,17 @@ static int role_read(struct policydb *p, struct hashtab *h, void *fp)
                goto out;
        }
-        rc = next_entry(buf, fp, sizeof buf);
+        if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
+                to_read = 3;
+        rc = next_entry(buf, fp, sizeof(buf[0]) * to_read);
        if (rc < 0)
                goto bad;
        len = le32_to_cpu(buf[0]);
        role->value = le32_to_cpu(buf[1]);
+        if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
+                role->bounds = le32_to_cpu(buf[2]);
        key = kmalloc(len + 1, GFP_KERNEL);
        if (!key) {
@@ -1201,7 +1228,7 @@ static int role_read(struct policydb *p, struct hashtab *h, void *fp)
        rc = next_entry(key, fp, len);
        if (rc < 0)
                goto bad;
-        key[len] = 0;
+        key[len] = '\0';
        rc = ebitmap_read(&role->dominates, fp);
        if (rc)
@@ -1236,8 +1263,8 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp)
 {
        char *key = NULL;
        struct type_datum *typdatum;
-        int rc;
+        int rc, to_read = 3;
-        __le32 buf[3];
+        __le32 buf[4];
        u32 len;
        typdatum = kzalloc(sizeof(*typdatum), GFP_KERNEL);
@@ -1246,13 +1273,27 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp)
                return rc;
        }
-        rc = next_entry(buf, fp, sizeof buf);
+        if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
+                to_read = 4;
+        rc = next_entry(buf, fp, sizeof(buf[0]) * to_read);
        if (rc < 0)
                goto bad;
        len = le32_to_cpu(buf[0]);
        typdatum->value = le32_to_cpu(buf[1]);
-        typdatum->primary = le32_to_cpu(buf[2]);
+        if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) {
+                u32 prop = le32_to_cpu(buf[2]);
+                if (prop & TYPEDATUM_PROPERTY_PRIMARY)
+                        typdatum->primary = 1;
+                if (prop & TYPEDATUM_PROPERTY_ATTRIBUTE)
+                        typdatum->attribute = 1;
+                typdatum->bounds = le32_to_cpu(buf[3]);
+        } else {
+                typdatum->primary = le32_to_cpu(buf[2]);
+        }
        key = kmalloc(len + 1, GFP_KERNEL);
        if (!key) {
@@ -1262,7 +1303,7 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp)
        rc = next_entry(key, fp, len);
        if (rc < 0)
                goto bad;
-        key[len] = 0;
+        key[len] = '\0';
        rc = hashtab_insert(h, key, typdatum);
        if (rc)
@@ -1309,8 +1350,8 @@ static int user_read(struct policydb *p, struct hashtab *h, void *fp)
 {
        char *key = NULL;
        struct user_datum *usrdatum;
-        int rc;
+        int rc, to_read = 2;
-        __le32 buf[2];
+        __le32 buf[3];
        u32 len;
        usrdatum = kzalloc(sizeof(*usrdatum), GFP_KERNEL);
@@ -1319,12 +1360,17 @@ static int user_read(struct policydb *p, struct hashtab *h, void *fp)
                goto out;
        }
-        rc = next_entry(buf, fp, sizeof buf);
+        if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
+                to_read = 3;
+        rc = next_entry(buf, fp, sizeof(buf[0]) * to_read);
        if (rc < 0)
                goto bad;
        len = le32_to_cpu(buf[0]);
        usrdatum->value = le32_to_cpu(buf[1]);
+        if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
+                usrdatum->bounds = le32_to_cpu(buf[2]);
        key = kmalloc(len + 1, GFP_KERNEL);
        if (!key) {
@@ -1334,7 +1380,7 @@ static int user_read(struct policydb *p, struct hashtab *h, void *fp)
        rc = next_entry(key, fp, len);
        if (rc < 0)
                goto bad;
-        key[len] = 0;
+        key[len] = '\0';
        rc = ebitmap_read(&usrdatum->roles, fp);
        if (rc)
@@ -1388,7 +1434,7 @@ static int sens_read(struct policydb *p, struct hashtab *h, void *fp)
        rc = next_entry(key, fp, len);
        if (rc < 0)
                goto bad;
-        key[len] = 0;
+        key[len] = '\0';
        levdatum->level = kmalloc(sizeof(struct mls_level), GFP_ATOMIC);
        if (!levdatum->level) {
@@ -1440,7 +1486,7 @@ static int cat_read(struct policydb *p, struct hashtab *h, void *fp)
        rc = next_entry(key, fp, len);
        if (rc < 0)
                goto bad;
-        key[len] = 0;
+        key[len] = '\0';
        rc = hashtab_insert(h, key, catdatum);
        if (rc)
@@ -1465,6 +1511,133 @@ static int (*read_f[SYM_NUM]) (struct policydb *p, struct hashtab *h, void *fp)
        cat_read,
 };
+static int user_bounds_sanity_check(void *key, void *datum, void *datap)
+{
+        struct user_datum *upper, *user;
+        struct policydb *p = datap;
+        int depth = 0;
+        upper = user = datum;
+        while (upper->bounds) {
+                struct ebitmap_node *node;
+                unsigned long bit;
+                if (++depth == POLICYDB_BOUNDS_MAXDEPTH) {
+                        printk(KERN_ERR "SELinux: user %s: "
+                               "too deep or looped boundary",
+                               (char *) key);
+                        return -EINVAL;
+                }
+                upper = p->user_val_to_struct[upper->bounds - 1];
+                ebitmap_for_each_positive_bit(&user->roles, node, bit) {
+                        if (ebitmap_get_bit(&upper->roles, bit))
+                                continue;
+                        printk(KERN_ERR
+                               "SELinux: boundary violated policy: "
+                               "user=%s role=%s bounds=%s\n",
+                               p->p_user_val_to_name[user->value - 1],
+                               p->p_role_val_to_name[bit],
+                               p->p_user_val_to_name[upper->value - 1]);
+                        return -EINVAL;
+                }
+        }
+        return 0;
+}
+static int role_bounds_sanity_check(void *key, void *datum, void *datap)
+{
+        struct role_datum *upper, *role;
+        struct policydb *p = datap;
+        int depth = 0;
+        upper = role = datum;
+        while (upper->bounds) {
+                struct ebitmap_node *node;
+                unsigned long bit;
+                if (++depth == POLICYDB_BOUNDS_MAXDEPTH) {
+                        printk(KERN_ERR "SELinux: role %s: "
+                               "too deep or looped bounds\n",
+                               (char *) key);
+                        return -EINVAL;
+                }
+                upper = p->role_val_to_struct[upper->bounds - 1];
+                ebitmap_for_each_positive_bit(&role->types, node, bit) {
+                        if (ebitmap_get_bit(&upper->types, bit))
+                                continue;
+                        printk(KERN_ERR
+                               "SELinux: boundary violated policy: "
+                               "role=%s type=%s bounds=%s\n",
+                               p->p_role_val_to_name[role->value - 1],
+                               p->p_type_val_to_name[bit],
+                               p->p_role_val_to_name[upper->value - 1]);
+                        return -EINVAL;
+                }
+        }
+        return 0;
+}
+static int type_bounds_sanity_check(void *key, void *datum, void *datap)
+{
+        struct type_datum *upper, *type;
+        struct policydb *p = datap;
+        int depth = 0;
+        upper = type = datum;
+        while (upper->bounds) {
+                if (++depth == POLICYDB_BOUNDS_MAXDEPTH) {
+                        printk(KERN_ERR "SELinux: type %s: "
+                               "too deep or looped boundary\n",
+                               (char *) key);
+                        return -EINVAL;
+                }
+                upper = p->type_val_to_struct[upper->bounds - 1];
+                if (upper->attribute) {
+                        printk(KERN_ERR "SELinux: type %s: "
+                               "bounded by attribute %s",
+                               (char *) key,
+                               p->p_type_val_to_name[upper->value - 1]);
+                        return -EINVAL;
+                }
+        }
+        return 0;
+}
+static int policydb_bounds_sanity_check(struct policydb *p)
+{
+        int rc;
+        if (p->policyvers < POLICYDB_VERSION_BOUNDARY)
+                return 0;
+        rc = hashtab_map(p->p_users.table,
+                         user_bounds_sanity_check, p);
+        if (rc)
+                return rc;
+        rc = hashtab_map(p->p_roles.table,
+                         role_bounds_sanity_check, p);
+        if (rc)
+                return rc;
+        rc = hashtab_map(p->p_types.table,
+                         type_bounds_sanity_check, p);
+        if (rc)
+                return rc;
+        return 0;
+}
 extern int ss_initialized;
 /*
@@ -1523,7 +1696,7 @@ int policydb_read(struct policydb *p, void *fp)
                kfree(policydb_str);
                goto bad;
        }
-        policydb_str[len] = 0;
+        policydb_str[len] = '\0';
        if (strcmp(policydb_str, POLICYDB_STRING)) {
                printk(KERN_ERR "SELinux:  policydb string %s does not match "
                       "my string %s\n", policydb_str, POLICYDB_STRING);
@@ -1961,6 +2134,10 @@ int policydb_read(struct policydb *p, void *fp)
                                goto bad;
        }
+        rc = policydb_bounds_sanity_check(p);
+        if (rc)
+                goto bad;
        rc = 0;
 out:
        return rc;
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
index 4253370fda6a..55152d498b53 100644
--- a/security/selinux/ss/policydb.h
+++ b/security/selinux/ss/policydb.h
@@ -61,6 +61,7 @@ struct class_datum {
 /* Role attributes */
 struct role_datum {
        u32 value;                      /* internal role value */
+        u32 bounds;                     /* boundary of role */
        struct ebitmap dominates;       /* set of roles dominated by this role */
        struct ebitmap types;           /* set of authorized types for role */
 };
@@ -81,12 +82,15 @@ struct role_allow {
 /* Type attributes */
 struct type_datum {
        u32 value;              /* internal type value */
+        u32 bounds;             /* boundary of type */
        unsigned char primary;  /* primary name? */
+        unsigned char attribute;/* attribute ?*/
 };
 /* User attributes */
 struct user_datum {
        u32 value;                      /* internal user value */
+        u32 bounds;                     /* bounds of user */
        struct ebitmap roles;           /* set of authorized roles for user */
        struct mls_range range;         /* MLS range (min - max) for user */
        struct mls_level dfltlevel;     /* default login MLS level for user */
@@ -209,6 +213,7 @@ struct policydb {
        struct class_datum **class_val_to_struct;
        struct role_datum **role_val_to_struct;
        struct user_datum **user_val_to_struct;
+        struct type_datum **type_val_to_struct;
        /* type enforcement access vectors and transitions */
        struct avtab te_avtab;
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 8551952ef329..ab0cc0c7b944 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -88,6 +88,11 @@ static u32 latest_granting;
 static int context_struct_to_string(struct context *context, char **scontext,
                                    u32 *scontext_len);
+static int context_struct_compute_av(struct context *scontext,
+                                     struct context *tcontext,
+                                     u16 tclass,
+                                     u32 requested,
+                                     struct av_decision *avd);
 /*
 * Return the boolean value of a constraint expression
 * when it is applied to the specified source and target
@@ -274,6 +279,100 @@ mls_ops:
 }
 /*
+ * security_boundary_permission - drops violated permissions
+ * on boundary constraint.
+ */
+static void type_attribute_bounds_av(struct context *scontext,
+                                     struct context *tcontext,
+                                     u16 tclass,
+                                     u32 requested,
+                                     struct av_decision *avd)
+{
+        struct context lo_scontext;
+        struct context lo_tcontext;
+        struct av_decision lo_avd;
+        struct type_datum *source
+                = policydb.type_val_to_struct[scontext->type - 1];
+        struct type_datum *target
+                = policydb.type_val_to_struct[tcontext->type - 1];
+        u32 masked = 0;
+        if (source->bounds) {
+                memset(&lo_avd, 0, sizeof(lo_avd));
+                memcpy(&lo_scontext, scontext, sizeof(lo_scontext));
+                lo_scontext.type = source->bounds;
+                context_struct_compute_av(&lo_scontext,
+                                          tcontext,
+                                          tclass,
+                                          requested,
+                                          &lo_avd);
+                if ((lo_avd.allowed & avd->allowed) == avd->allowed)
+                        return;         /* no masked permission */
+                masked = ~lo_avd.allowed & avd->allowed;
+        }
+        if (target->bounds) {
+                memset(&lo_avd, 0, sizeof(lo_avd));
+                memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext));
+                lo_tcontext.type = target->bounds;
+                context_struct_compute_av(scontext,
+                                          &lo_tcontext,
+                                          tclass,
+                                          requested,
+                                          &lo_avd);
+                if ((lo_avd.allowed & avd->allowed) == avd->allowed)
+                        return;         /* no masked permission */
+                masked = ~lo_avd.allowed & avd->allowed;
+        }
+        if (source->bounds && target->bounds) {
+                memset(&lo_avd, 0, sizeof(lo_avd));
+                /*
+                 * lo_scontext and lo_tcontext are already
+                 * set up.
+                 */
+                context_struct_compute_av(&lo_scontext,
+                                          &lo_tcontext,
+                                          tclass,
+                                          requested,
+                                          &lo_avd);
+                if ((lo_avd.allowed & avd->allowed) == avd->allowed)
+                        return;         /* no masked permission */
+                masked = ~lo_avd.allowed & avd->allowed;
+        }
+        if (masked) {
+                struct audit_buffer *ab;
+                char *stype_name
+                        = policydb.p_type_val_to_name[source->value - 1];
+                char *ttype_name
+                        = policydb.p_type_val_to_name[target->value - 1];
+                char *tclass_name
+                        = policydb.p_class_val_to_name[tclass - 1];
+                /* mask violated permissions */
+                avd->allowed &= ~masked;
+                /* notice to userspace via audit message */
+                ab = audit_log_start(current->audit_context,
+                                     GFP_ATOMIC, AUDIT_SELINUX_ERR);
+                if (!ab)
+                        return;
+                audit_log_format(ab, "av boundary violation: "
+                                 "source=%s target=%s tclass=%s",
+                                 stype_name, ttype_name, tclass_name);
+                avc_dump_av(ab, tclass, masked);
+                audit_log_end(ab);
+        }
+}
+/*
 * Compute access vectors based on a context structure pair for
 * the permissions in a particular class.
 */
@@ -356,7 +455,7 @@ static int context_struct_compute_av(struct context *scontext,
                        avkey.source_type = i + 1;
                        avkey.target_type = j + 1;
                        for (node = avtab_search_node(&policydb.te_avtab, &avkey);
-                             node != NULL;
+                             node;
                             node = avtab_search_node_next(node, avkey.specified)) {
                                if (node->key.specified == AVTAB_ALLOWED)
                                        avd->allowed |= node->datum.data;
@@ -404,6 +503,14 @@ static int context_struct_compute_av(struct context *scontext,
                                                        PROCESS__DYNTRANSITION);
        }
+        /*
+         * If the given source and target types have boundary
+         * constraint, lazy checks have to mask any violated
+         * permission and notice it to userspace via audit.
+         */
+        type_attribute_bounds_av(scontext, tcontext,
+                                 tclass, requested, avd);
        return 0;
 inval_class:
@@ -549,6 +656,69 @@ out:
        return rc;
 }
+/*
+ * security_bounded_transition - check whether the given
+ * transition is directed to bounded, or not.
+ * It returns 0, if @newsid is bounded by @oldsid.
+ * Otherwise, it returns error code.
+ *
+ * @oldsid : current security identifier
+ * @newsid : destinated security identifier
+ */
+int security_bounded_transition(u32 old_sid, u32 new_sid)
+{
+        struct context *old_context, *new_context;
+        struct type_datum *type;
+        int index;
+        int rc = -EINVAL;
+        read_lock(&policy_rwlock);
+        old_context = sidtab_search(&sidtab, old_sid);
+        if (!old_context) {
+                printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n",
+                       __func__, old_sid);
+                goto out;
+        }
+        new_context = sidtab_search(&sidtab, new_sid);
+        if (!new_context) {
+                printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n",
+                       __func__, new_sid);
+                goto out;
+        }
+        /* type/domain unchaned */
+        if (old_context->type == new_context->type) {
+                rc = 0;
+                goto out;
+        }
+        index = new_context->type;
+        while (true) {
+                type = policydb.type_val_to_struct[index - 1];
+                BUG_ON(!type);
+                /* not bounded anymore */
+                if (!type->bounds) {
+                        rc = -EPERM;
+                        break;
+                }
+                /* @newsid is bounded by @oldsid */
+                if (type->bounds == old_context->type) {
+                        rc = 0;
+                        break;
+                }
+                index = type->bounds;
+        }
+out:
+        read_unlock(&policy_rwlock);
+        return rc;
+}
 /**
 * security_compute_av - Compute access vector decisions.
 * @ssid: source security identifier
@@ -794,7 +964,7 @@ static int string_to_context_struct(struct policydb *pol,
        *p++ = 0;
        typdatum = hashtab_search(pol->p_types.table, scontextp);
-        if (!typdatum)
+        if (!typdatum || typdatum->attribute)
                goto out;
        ctx->type = typdatum->value;
@@ -1037,7 +1207,7 @@ static int security_compute_sid(u32 ssid,
        /* If no permanent rule, also check for enabled conditional rules */
        if (!avdatum) {
                node = avtab_search_node(&policydb.te_cond_avtab, &avkey);
-                for (; node != NULL; node = avtab_search_node_next(node, specified)) {
+                for (; node; node = avtab_search_node_next(node, specified)) {
                        if (node->key.specified & AVTAB_ENABLED) {
                                avdatum = &node->datum;
                                break;
@@ -2050,7 +2220,7 @@ int security_set_bools(int len, int *values)
                        policydb.bool_val_to_struct[i]->state = 0;
        }
-        for (cur = policydb.cond_list; cur != NULL; cur = cur->next) {
+        for (cur = policydb.cond_list; cur; cur = cur->next) {
                rc = evaluate_cond_node(&policydb, cur);
                if (rc)
                        goto out;
@@ -2102,7 +2272,7 @@ static int security_preserve_bools(struct policydb *p)
                if (booldatum)
                        booldatum->state = bvalues[i];
        }
-        for (cur = p->cond_list; cur != NULL; cur = cur->next) {
+        for (cur = p->cond_list; cur; cur = cur->next) {
                rc = evaluate_cond_node(p, cur);
                if (rc)
                        goto out;
diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c
index a81ded104129..e817989764cd 100644
--- a/security/selinux/ss/sidtab.c
+++ b/security/selinux/ss/sidtab.c
@@ -43,7 +43,7 @@ int sidtab_insert(struct sidtab *s, u32 sid, struct context *context)
        hvalue = SIDTAB_HASH(sid);
        prev = NULL;
        cur = s->htable[hvalue];
-        while (cur != NULL && sid > cur->sid) {
+        while (cur && sid > cur->sid) {
                prev = cur;
                cur = cur->next;
        }
@@ -92,7 +92,7 @@ static struct context *sidtab_search_core(struct sidtab *s, u32 sid, int force)
        hvalue = SIDTAB_HASH(sid);
        cur = s->htable[hvalue];
-        while (cur != NULL && sid > cur->sid)
+        while (cur && sid > cur->sid)
                cur = cur->next;
        if (force && cur && sid == cur->sid && cur->context.len)
@@ -103,7 +103,7 @@ static struct context *sidtab_search_core(struct sidtab *s, u32 sid, int force)
                sid = SECINITSID_UNLABELED;
                hvalue = SIDTAB_HASH(sid);
                cur = s->htable[hvalue];
-                while (cur != NULL && sid > cur->sid)
+                while (cur && sid > cur->sid)
                        cur = cur->next;
                if (!cur || sid != cur->sid)
                        return NULL;
@@ -136,7 +136,7 @@ int sidtab_map(struct sidtab *s,
        for (i = 0; i < SIDTAB_SIZE; i++) {
                cur = s->htable[i];
-                while (cur != NULL) {
+                while (cur) {
                        rc = apply(cur->sid, &cur->context, args);
                        if (rc)
                                goto out;
@@ -155,7 +155,7 @@ static inline u32 sidtab_search_context(struct sidtab *s,
        for (i = 0; i < SIDTAB_SIZE; i++) {
                cur = s->htable[i];
-                while (cur != NULL) {
+                while (cur) {
                        if (context_cmp(&cur->context, context))
                                return cur->sid;
                        cur = cur->next;
@@ -242,7 +242,7 @@ void sidtab_destroy(struct sidtab *s)
        for (i = 0; i < SIDTAB_SIZE; i++) {
                cur = s->htable[i];
-                while (cur != NULL) {
+                while (cur) {
                        temp = cur;
                        cur = cur->next;
                        context_destroy(&temp->context);
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 4a4477f5afdc..31dce559595a 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -178,6 +178,7 @@ u32 smack_to_secid(const char *);
 extern int smack_cipso_direct;
 extern int smack_net_nltype;
 extern char *smack_net_ambient;
+extern char *smack_onlycap;
 extern struct smack_known *smack_known;
 extern struct smack_known smack_known_floor;
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index f6b5f6eed6dd..79ff21ed4c3b 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -157,7 +157,7 @@ int smk_access(char *subject_label, char *object_label, int request)
 *
 * This function checks the current subject label/object label pair
 * in the access rule list and returns 0 if the access is permitted,
- * non zero otherwise. It allows that current my have the capability
+ * non zero otherwise. It allows that current may have the capability
 * to override the rules.
 */
 int smk_curacc(char *obj_label, u32 mode)
@@ -168,6 +168,14 @@ int smk_curacc(char *obj_label, u32 mode)
        if (rc == 0)
                return 0;
+        /*
+         * Return if a specific label has been designated as the
+         * only one that gets privilege and current does not
+         * have that label.
+         */
+        if (smack_onlycap != NULL && smack_onlycap != current->security)
+                return rc;
        if (capable(CAP_MAC_OVERRIDE))
                return 0;
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 271a835fbbe3..e7c642458ec9 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -39,6 +39,7 @@ enum smk_inos {
        SMK_DIRECT      = 6,    /* CIPSO level indicating direct label */
        SMK_AMBIENT     = 7,    /* internet ambient label */
        SMK_NLTYPE      = 8,    /* label scheme to use by default */
+        SMK_ONLYCAP     = 9,    /* the only "capable" label */
 };
 /*
@@ -68,6 +69,16 @@ int smack_net_nltype = NETLBL_NLTYPE_CIPSOV4;
 */
 int smack_cipso_direct = SMACK_CIPSO_DIRECT_DEFAULT;
+/*
+ * Unless a process is running with this label even
+ * having CAP_MAC_OVERRIDE isn't enough to grant
+ * privilege to violate MAC policy. If no label is
+ * designated (the NULL case) capabilities apply to
+ * everyone. It is expected that the hat (^) label
+ * will be used if any label is used.
+ */
+char *smack_onlycap;
 static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT;
 struct smk_list_entry *smack_list;
@@ -787,6 +798,85 @@ static const struct file_operations smk_ambient_ops = {
        .write          = smk_write_ambient,
 };
+/**
+ * smk_read_onlycap - read() for /smack/onlycap
+ * @filp: file pointer, not actually used
+ * @buf: where to put the result
+ * @cn: maximum to send along
+ * @ppos: where to start
+ *
+ * Returns number of bytes read or error code, as appropriate
+ */
+static ssize_t smk_read_onlycap(struct file *filp, char __user *buf,
+                                size_t cn, loff_t *ppos)
+{
+        char *smack = "";
+        ssize_t rc = -EINVAL;
+        int asize;
+        if (*ppos != 0)
+                return 0;
+        if (smack_onlycap != NULL)
+                smack = smack_onlycap;
+        asize = strlen(smack) + 1;
+        if (cn >= asize)
+                rc = simple_read_from_buffer(buf, cn, ppos, smack, asize);
+        return rc;
+}
+/**
+ * smk_write_onlycap - write() for /smack/onlycap
+ * @filp: file pointer, not actually used
+ * @buf: where to get the data from
+ * @count: bytes sent
+ * @ppos: where to start
+ *
+ * Returns number of bytes written or error code, as appropriate
+ */
+static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
+                                 size_t count, loff_t *ppos)
+{
+        char in[SMK_LABELLEN];
+        char *sp = current->security;
+        if (!capable(CAP_MAC_ADMIN))
+                return -EPERM;
+        /*
+         * This can be done using smk_access() but is done
+         * explicitly for clarity. The smk_access() implementation
+         * would use smk_access(smack_onlycap, MAY_WRITE)
+         */
+        if (smack_onlycap != NULL && smack_onlycap != sp)
+                return -EPERM;
+        if (count >= SMK_LABELLEN)
+                return -EINVAL;
+        if (copy_from_user(in, buf, count) != 0)
+                return -EFAULT;
+        /*
+         * Should the null string be passed in unset the onlycap value.
+         * This seems like something to be careful with as usually
+         * smk_import only expects to return NULL for errors. It
+         * is usually the case that a nullstring or "\n" would be
+         * bad to pass to smk_import but in fact this is useful here.
+         */
+        smack_onlycap = smk_import(in, count);
+        return count;
+}
+static const struct file_operations smk_onlycap_ops = {
+        .read           = smk_read_onlycap,
+        .write          = smk_write_onlycap,
+};
 struct option_names {
        int     o_number;
        char    *o_name;
@@ -919,6 +1009,8 @@ static int smk_fill_super(struct super_block *sb, void *data, int silent)
                        {"ambient", &smk_ambient_ops, S_IRUGO|S_IWUSR},
                [SMK_NLTYPE]    =
                        {"nltype", &smk_nltype_ops, S_IRUGO|S_IWUSR},
+                [SMK_ONLYCAP]   =
+                        {"onlycap", &smk_onlycap_ops, S_IRUGO|S_IWUSR},
                /* last one */ {""}
        };