38 files changed, 856 insertions, 191 deletions
diff --git a/security/Kconfig b/security/Kconfig
index 51bd5a0b69ae..ccc61f8006b2 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -187,6 +187,7 @@ source security/selinux/Kconfig
 source security/smack/Kconfig
 source security/tomoyo/Kconfig
 source security/apparmor/Kconfig
+source security/yama/Kconfig
 source security/integrity/Kconfig
@@ -196,6 +197,7 @@ choice
        default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
        default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
        default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
+        default DEFAULT_SECURITY_YAMA if SECURITY_YAMA
        default DEFAULT_SECURITY_DAC
        help
@@ -214,6 +216,9 @@ choice
        config DEFAULT_SECURITY_APPARMOR
                bool "AppArmor" if SECURITY_APPARMOR=y
+        config DEFAULT_SECURITY_YAMA
+                bool "Yama" if SECURITY_YAMA=y
        config DEFAULT_SECURITY_DAC
                bool "Unix Discretionary Access Controls"
@@ -225,6 +230,7 @@ config DEFAULT_SECURITY
        default "smack" if DEFAULT_SECURITY_SMACK
        default "tomoyo" if DEFAULT_SECURITY_TOMOYO
        default "apparmor" if DEFAULT_SECURITY_APPARMOR
+        default "yama" if DEFAULT_SECURITY_YAMA
        default "" if DEFAULT_SECURITY_DAC
 endmenu
diff --git a/security/Makefile b/security/Makefile
index a5e502f8a05b..c26c81e92571 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -7,6 +7,7 @@ subdir-$(CONFIG_SECURITY_SELINUX)	+= selinux
 subdir-$(CONFIG_SECURITY_SMACK)         += smack
 subdir-$(CONFIG_SECURITY_TOMOYO)        += tomoyo
 subdir-$(CONFIG_SECURITY_APPARMOR)      += apparmor
+subdir-$(CONFIG_SECURITY_YAMA)          += yama
 # always enable default capabilities
 obj-y                                   += commoncap.o
@@ -21,6 +22,7 @@ obj-$(CONFIG_SECURITY_SMACK)		+= smack/built-in.o
 obj-$(CONFIG_AUDIT)                     += lsm_audit.o
 obj-$(CONFIG_SECURITY_TOMOYO)           += tomoyo/built-in.o
 obj-$(CONFIG_SECURITY_APPARMOR)         += apparmor/built-in.o
+obj-$(CONFIG_SECURITY_YAMA)             += yama/built-in.o
 obj-$(CONFIG_CGROUP_DEVICE)             += device_cgroup.o
 # Object integrity file lists
diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
index 2dafe50a2e25..806bd19af7f2 100644
--- a/security/apparmor/Makefile
+++ b/security/apparmor/Makefile
@@ -15,7 +15,7 @@ clean-files := capability_names.h rlim_names.h
 # to
 #    [1] = "dac_override",
 quiet_cmd_make-caps = GEN     $@
-cmd_make-caps = echo "static const char *capability_names[] = {" > $@ ;\
+cmd_make-caps = echo "static const char *const capability_names[] = {" > $@ ;\
        sed $< >>$@ -r -n -e '/CAP_FS_MASK/d' \
        -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/[\2] = "\L\1",/p';\
        echo "};" >> $@
@@ -28,25 +28,38 @@ cmd_make-caps = echo "static const char *capability_names[] = {" > $@ ;\
 #    [RLIMIT_STACK] = "stack",
 #
 # and build a second integer table (with the second sed cmd), that maps
-# RLIMIT defines to the order defined in asm-generic/resource.h  Thi is
+# RLIMIT defines to the order defined in asm-generic/resource.h  This is
 # required by policy load to map policy ordering of RLIMITs to internal
 # ordering for architectures that redefine an RLIMIT.
 # Transforms lines from
 #    #define RLIMIT_STACK               3       /* max stack size */
 # to
 # RLIMIT_STACK, 
+#
+# and build the securityfs entries for the mapping.
+# Transforms lines from
+#    #define RLIMIT_FSIZE        1   /* Maximum filesize */
+#    #define RLIMIT_STACK               3       /* max stack size */
+# to
+# #define AA_FS_RLIMIT_MASK "fsize stack"
 quiet_cmd_make-rlim = GEN     $@
-cmd_make-rlim = echo "static const char *rlim_names[] = {" > $@ ;\
+cmd_make-rlim = echo "static const char *const rlim_names[RLIM_NLIMITS] = {" \
+        > $@ ;\
        sed $< >> $@ -r -n \
            -e 's/^\# ?define[ \t]+(RLIMIT_([A-Z0-9_]+)).*/[\1] = "\L\2",/p';\
        echo "};" >> $@ ;\
-        echo "static const int rlim_map[] = {" >> $@ ;\
+        echo "static const int rlim_map[RLIM_NLIMITS] = {" >> $@ ;\
        sed -r -n "s/^\# ?define[ \t]+(RLIMIT_[A-Z0-9_]+).*/\1,/p" $< >> $@ ;\
-        echo "};" >> $@
+        echo "};" >> $@ ; \
+        echo -n '\#define AA_FS_RLIMIT_MASK "' >> $@ ;\
+        sed -r -n 's/^\# ?define[ \t]+RLIMIT_([A-Z0-9_]+).*/\L\1/p' $< | \
+            tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@
 $(obj)/capability.o : $(obj)/capability_names.h
 $(obj)/resource.o : $(obj)/rlim_names.h
-$(obj)/capability_names.h : $(srctree)/include/linux/capability.h
+$(obj)/capability_names.h : $(srctree)/include/linux/capability.h \
+                            $(src)/Makefile
        $(call cmd,make-caps)
-$(obj)/rlim_names.h : $(srctree)/include/asm-generic/resource.h
+$(obj)/rlim_names.h : $(srctree)/include/asm-generic/resource.h \
+                      $(src)/Makefile
        $(call cmd,make-rlim)
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index e39df6d43779..16c15ec6f670 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -18,12 +18,14 @@
 #include <linux/seq_file.h>
 #include <linux/uaccess.h>
 #include <linux/namei.h>
+#include <linux/capability.h>
 #include "include/apparmor.h"
 #include "include/apparmorfs.h"
 #include "include/audit.h"
 #include "include/context.h"
 #include "include/policy.h"
+#include "include/resource.h"
 /**
 * aa_simple_write_to_buffer - common routine for getting policy from user
@@ -142,38 +144,166 @@ static const struct file_operations aa_fs_profile_remove = {
        .llseek = default_llseek,
 };
-/** Base file system setup **/
+static int aa_fs_seq_show(struct seq_file *seq, void *v)
+{
+        struct aa_fs_entry *fs_file = seq->private;
+        if (!fs_file)
+                return 0;
-static struct dentry *aa_fs_dentry __initdata;
+        switch (fs_file->v_type) {
+        case AA_FS_TYPE_BOOLEAN:
+                seq_printf(seq, "%s\n", fs_file->v.boolean ? "yes" : "no");
+                break;
+        case AA_FS_TYPE_STRING:
+                seq_printf(seq, "%s\n", fs_file->v.string);
+                break;
+        case AA_FS_TYPE_U64:
+                seq_printf(seq, "%#08lx\n", fs_file->v.u64);
+                break;
+        default:
+                /* Ignore unpritable entry types. */
+                break;
+        }
+        return 0;
+}
-static void __init aafs_remove(const char *name)
+static int aa_fs_seq_open(struct inode *inode, struct file *file)
 {
-        struct dentry *dentry;
+        return single_open(file, aa_fs_seq_show, inode->i_private);
+}
+const struct file_operations aa_fs_seq_file_ops = {
+        .owner          = THIS_MODULE,
+        .open           = aa_fs_seq_open,
+        .read           = seq_read,
+        .llseek         = seq_lseek,
+        .release        = single_release,
+};
+/** Base file system setup **/
+static struct aa_fs_entry aa_fs_entry_file[] = {
+        AA_FS_FILE_STRING("mask", "create read write exec append mmap_exec " \
+                                  "link lock"),
+        { }
+};
-        dentry = lookup_one_len(name, aa_fs_dentry, strlen(name));
+static struct aa_fs_entry aa_fs_entry_domain[] = {
-        if (!IS_ERR(dentry)) {
+        AA_FS_FILE_BOOLEAN("change_hat",        1),
-                securityfs_remove(dentry);
+        AA_FS_FILE_BOOLEAN("change_hatv",       1),
-                dput(dentry);
+        AA_FS_FILE_BOOLEAN("change_onexec",     1),
+        AA_FS_FILE_BOOLEAN("change_profile",    1),
+        { }
+};
+static struct aa_fs_entry aa_fs_entry_features[] = {
+        AA_FS_DIR("domain",                     aa_fs_entry_domain),
+        AA_FS_DIR("file",                       aa_fs_entry_file),
+        AA_FS_FILE_U64("capability",            VFS_CAP_FLAGS_MASK),
+        AA_FS_DIR("rlimit",                     aa_fs_entry_rlimit),
+        { }
+};
+static struct aa_fs_entry aa_fs_entry_apparmor[] = {
+        AA_FS_FILE_FOPS(".load", 0640, &aa_fs_profile_load),
+        AA_FS_FILE_FOPS(".replace", 0640, &aa_fs_profile_replace),
+        AA_FS_FILE_FOPS(".remove", 0640, &aa_fs_profile_remove),
+        AA_FS_DIR("features", aa_fs_entry_features),
+        { }
+};
+static struct aa_fs_entry aa_fs_entry =
+        AA_FS_DIR("apparmor", aa_fs_entry_apparmor);
+/**
+ * aafs_create_file - create a file entry in the apparmor securityfs
+ * @fs_file: aa_fs_entry to build an entry for (NOT NULL)
+ * @parent: the parent dentry in the securityfs
+ *
+ * Use aafs_remove_file to remove entries created with this fn.
+ */
+static int __init aafs_create_file(struct aa_fs_entry *fs_file,
+                                   struct dentry *parent)
+{
+        int error = 0;
+        fs_file->dentry = securityfs_create_file(fs_file->name,
+                                                 S_IFREG | fs_file->mode,
+                                                 parent, fs_file,
+                                                 fs_file->file_ops);
+        if (IS_ERR(fs_file->dentry)) {
+                error = PTR_ERR(fs_file->dentry);
+                fs_file->dentry = NULL;
        }
+        return error;
 }
 /**
- * aafs_create - create an entry in the apparmor filesystem
+ * aafs_create_dir - recursively create a directory entry in the securityfs
- * @name: name of the entry (NOT NULL)
+ * @fs_dir: aa_fs_entry (and all child entries) to build (NOT NULL)
- * @mask: file permission mask of the file
+ * @parent: the parent dentry in the securityfs
- * @fops: file operations for the file (NOT NULL)
 *
- * Used aafs_remove to remove entries created with this fn.
+ * Use aafs_remove_dir to remove entries created with this fn.
 */
-static int __init aafs_create(const char *name, umode_t mask,
+static int __init aafs_create_dir(struct aa_fs_entry *fs_dir,
-                              const struct file_operations *fops)
+                                  struct dentry *parent)
 {
-        struct dentry *dentry;
+        int error;
+        struct aa_fs_entry *fs_file;
-        dentry = securityfs_create_file(name, S_IFREG | mask, aa_fs_dentry,
+        fs_dir->dentry = securityfs_create_dir(fs_dir->name, parent);
-                                        NULL, fops);
+        if (IS_ERR(fs_dir->dentry)) {
+                error = PTR_ERR(fs_dir->dentry);
+                fs_dir->dentry = NULL;
+                goto failed;
+        }
-        return IS_ERR(dentry) ? PTR_ERR(dentry) : 0;
+        for (fs_file = fs_dir->v.files; fs_file->name; ++fs_file) {
+                if (fs_file->v_type == AA_FS_TYPE_DIR)
+                        error = aafs_create_dir(fs_file, fs_dir->dentry);
+                else
+                        error = aafs_create_file(fs_file, fs_dir->dentry);
+                if (error)
+                        goto failed;
+        }
+        return 0;
+failed:
+        return error;
+}
+/**
+ * aafs_remove_file - drop a single file entry in the apparmor securityfs
+ * @fs_file: aa_fs_entry to detach from the securityfs (NOT NULL)
+ */
+static void __init aafs_remove_file(struct aa_fs_entry *fs_file)
+{
+        if (!fs_file->dentry)
+                return;
+        securityfs_remove(fs_file->dentry);
+        fs_file->dentry = NULL;
+}
+/**
+ * aafs_remove_dir - recursively drop a directory entry from the securityfs
+ * @fs_dir: aa_fs_entry (and all child entries) to detach (NOT NULL)
+ */
+static void __init aafs_remove_dir(struct aa_fs_entry *fs_dir)
+{
+        struct aa_fs_entry *fs_file;
+        for (fs_file = fs_dir->v.files; fs_file->name; ++fs_file) {
+                if (fs_file->v_type == AA_FS_TYPE_DIR)
+                        aafs_remove_dir(fs_file);
+                else
+                        aafs_remove_file(fs_file);
+        }
+        aafs_remove_file(fs_dir);
 }
 /**
@@ -183,14 +313,7 @@ static int __init aafs_create(const char *name, umode_t mask,
 */
 void __init aa_destroy_aafs(void)
 {
-        if (aa_fs_dentry) {
+        aafs_remove_dir(&aa_fs_entry);
-                aafs_remove(".remove");
-                aafs_remove(".replace");
-                aafs_remove(".load");
-                securityfs_remove(aa_fs_dentry);
-                aa_fs_dentry = NULL;
-        }
 }
 /**
@@ -207,25 +330,13 @@ static int __init aa_create_aafs(void)
        if (!apparmor_initialized)
                return 0;
-        if (aa_fs_dentry) {
+        if (aa_fs_entry.dentry) {
                AA_ERROR("%s: AppArmor securityfs already exists\n", __func__);
                return -EEXIST;
        }
-        aa_fs_dentry = securityfs_create_dir("apparmor", NULL);
+        /* Populate fs tree. */
-        if (IS_ERR(aa_fs_dentry)) {
+        error = aafs_create_dir(&aa_fs_entry, NULL);
-                error = PTR_ERR(aa_fs_dentry);
-                aa_fs_dentry = NULL;
-                goto error;
-        }
-        error = aafs_create(".load", 0640, &aa_fs_profile_load);
-        if (error)
-                goto error;
-        error = aafs_create(".replace", 0640, &aa_fs_profile_replace);
-        if (error)
-                goto error;
-        error = aafs_create(".remove", 0640, &aa_fs_profile_remove);
        if (error)
                goto error;
diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
index f3fafedd798a..5ff67776a5ad 100644
--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -19,7 +19,7 @@
 #include "include/audit.h"
 #include "include/policy.h"
-const char *op_table[] = {
+const char *const op_table[] = {
        "null",
        "sysctl",
@@ -73,7 +73,7 @@ const char *op_table[] = {
        "profile_remove"
 };
-const char *audit_mode_names[] = {
+const char *const audit_mode_names[] = {
        "normal",
        "quiet_denied",
        "quiet",
@@ -81,7 +81,7 @@ const char *audit_mode_names[] = {
        "all"
 };
-static char *aa_audit_type[] = {
+static const char *const aa_audit_type[] = {
        "AUDIT",
        "ALLOWED",
        "DENIED",
@@ -89,6 +89,7 @@ static char *aa_audit_type[] = {
        "STATUS",
        "ERROR",
        "KILLED"
+        "AUTO"
 };
 /*
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index c1e18ba5bdc0..7c69599a69e1 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -372,13 +372,12 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
        state = profile->file.start;
        /* buffer freed below, name is pointer into buffer */
-        error = aa_get_name(&bprm->file->f_path, profile->path_flags, &buffer,
+        error = aa_path_name(&bprm->file->f_path, profile->path_flags, &buffer,
-                            &name);
+                             &name, &info);
        if (error) {
                if (profile->flags &
                    (PFLAG_IX_ON_NAME_ERROR | PFLAG_UNCONFINED))
                        error = 0;
-                info = "Exec failed name resolution";
                name = bprm->filename;
                goto audit;
        }
diff --git a/security/apparmor/file.c b/security/apparmor/file.c
index 7312db741219..3022c0f4f0db 100644
--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@@ -173,8 +173,6 @@ static u32 map_old_perms(u32 old)
        if (old & 0x40) /* AA_EXEC_MMAP */
                new |= AA_EXEC_MMAP;
-        new |= AA_MAY_META_READ;
        return new;
 }
@@ -212,6 +210,7 @@ static struct file_perms compute_perms(struct aa_dfa *dfa, unsigned int state,
                perms.quiet = map_old_perms(dfa_other_quiet(dfa, state));
                perms.xindex = dfa_other_xindex(dfa, state);
        }
+        perms.allow |= AA_MAY_META_READ;
        /* change_profile wasn't determined by ownership in old mapping */
        if (ACCEPT_TABLE(dfa)[state] & 0x80000000)
@@ -279,22 +278,16 @@ int aa_path_perm(int op, struct aa_profile *profile, struct path *path,
        int error;
        flags |= profile->path_flags | (S_ISDIR(cond->mode) ? PATH_IS_DIR : 0);
-        error = aa_get_name(path, flags, &buffer, &name);
+        error = aa_path_name(path, flags, &buffer, &name, &info);
        if (error) {
                if (error == -ENOENT && is_deleted(path->dentry)) {
                        /* Access to open files that are deleted are
                         * give a pass (implicit delegation)
                         */
                        error = 0;
+                        info = NULL;
                        perms.allow = request;
-                } else if (error == -ENOENT)
+                }
-                        info = "Failed name lookup - deleted entry";
-                else if (error == -ESTALE)
-                        info = "Failed name lookup - disconnected path";
-                else if (error == -ENAMETOOLONG)
-                        info = "Failed name lookup - name too long";
-                else
-                        info = "Failed name lookup";
        } else {
                aa_str_perms(profile->file.dfa, profile->file.start, name, cond,
                             &perms);
@@ -365,12 +358,14 @@ int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry,
        lperms = nullperms;
        /* buffer freed below, lname is pointer in buffer */
-        error = aa_get_name(&link, profile->path_flags, &buffer, &lname);
+        error = aa_path_name(&link, profile->path_flags, &buffer, &lname,
+                             &info);
        if (error)
                goto audit;
        /* buffer2 freed below, tname is pointer in buffer2 */
-        error = aa_get_name(&target, profile->path_flags, &buffer2, &tname);
+        error = aa_path_name(&target, profile->path_flags, &buffer2, &tname,
+                             &info);
        if (error)
                goto audit;
diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h
index df3649560818..40aedd9f73ea 100644
--- a/security/apparmor/include/apparmor.h
+++ b/security/apparmor/include/apparmor.h
@@ -19,6 +19,19 @@
 #include "match.h"
+/*
+ * Class of mediation types in the AppArmor policy db
+ */
+#define AA_CLASS_ENTRY          0
+#define AA_CLASS_UNKNOWN        1
+#define AA_CLASS_FILE           2
+#define AA_CLASS_CAP            3
+#define AA_CLASS_NET            4
+#define AA_CLASS_RLIMITS        5
+#define AA_CLASS_DOMAIN         6
+#define AA_CLASS_LAST           AA_CLASS_DOMAIN
 /* Control parameters settable through module/boot flags */
 extern enum audit_mode aa_g_audit;
 extern bool aa_g_audit_header;
@@ -81,7 +94,7 @@ static inline unsigned int aa_dfa_null_transition(struct aa_dfa *dfa,
                                                  unsigned int start)
 {
        /* the null transition only needs the string's null terminator byte */
-        return aa_dfa_match_len(dfa, start, "", 1);
+        return aa_dfa_next(dfa, start, 0);
 }
 static inline bool mediated_filesystem(struct inode *inode)
diff --git a/security/apparmor/include/apparmorfs.h b/security/apparmor/include/apparmorfs.h
index cb1e93a114d7..7ea4769fab3f 100644
--- a/security/apparmor/include/apparmorfs.h
+++ b/security/apparmor/include/apparmorfs.h
@@ -15,6 +15,50 @@
 #ifndef __AA_APPARMORFS_H
 #define __AA_APPARMORFS_H
+enum aa_fs_type {
+        AA_FS_TYPE_BOOLEAN,
+        AA_FS_TYPE_STRING,
+        AA_FS_TYPE_U64,
+        AA_FS_TYPE_FOPS,
+        AA_FS_TYPE_DIR,
+};
+struct aa_fs_entry;
+struct aa_fs_entry {
+        const char *name;
+        struct dentry *dentry;
+        umode_t mode;
+        enum aa_fs_type v_type;
+        union {
+                bool boolean;
+                char *string;
+                unsigned long u64;
+                struct aa_fs_entry *files;
+        } v;
+        const struct file_operations *file_ops;
+};
+extern const struct file_operations aa_fs_seq_file_ops;
+#define AA_FS_FILE_BOOLEAN(_name, _value) \
+        { .name = (_name), .mode = 0444, \
+          .v_type = AA_FS_TYPE_BOOLEAN, .v.boolean = (_value), \
+          .file_ops = &aa_fs_seq_file_ops }
+#define AA_FS_FILE_STRING(_name, _value) \
+        { .name = (_name), .mode = 0444, \
+          .v_type = AA_FS_TYPE_STRING, .v.string = (_value), \
+          .file_ops = &aa_fs_seq_file_ops }
+#define AA_FS_FILE_U64(_name, _value) \
+        { .name = (_name), .mode = 0444, \
+          .v_type = AA_FS_TYPE_U64, .v.u64 = (_value), \
+          .file_ops = &aa_fs_seq_file_ops }
+#define AA_FS_FILE_FOPS(_name, _mode, _fops) \
+        { .name = (_name), .v_type = AA_FS_TYPE_FOPS, \
+          .mode = (_mode), .file_ops = (_fops) }
+#define AA_FS_DIR(_name, _value) \
+        { .name = (_name), .v_type = AA_FS_TYPE_DIR, .v.files = (_value) }
 extern void __init aa_destroy_aafs(void);
 #endif /* __AA_APPARMORFS_H */
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index 1951786d32e9..4ba78c203af1 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -25,11 +25,9 @@
 struct aa_profile;
-extern const char *audit_mode_names[];
+extern const char *const audit_mode_names[];
 #define AUDIT_MAX_INDEX 5
-#define AUDIT_APPARMOR_AUTO 0   /* auto choose audit message type */
 enum audit_mode {
        AUDIT_NORMAL,           /* follow normal auditing of accesses */
        AUDIT_QUIET_DENIED,     /* quiet all denied access messages */
@@ -45,10 +43,11 @@ enum audit_type {
        AUDIT_APPARMOR_HINT,
        AUDIT_APPARMOR_STATUS,
        AUDIT_APPARMOR_ERROR,
-        AUDIT_APPARMOR_KILL
+        AUDIT_APPARMOR_KILL,
+        AUDIT_APPARMOR_AUTO
 };
-extern const char *op_table[];
+extern const char *const op_table[];
 enum aa_ops {
        OP_NULL,
diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h
index ab8c6d87f758..f98fd4701d80 100644
--- a/security/apparmor/include/file.h
+++ b/security/apparmor/include/file.h
@@ -117,7 +117,7 @@ static inline u16 dfa_map_xindex(u16 mask)
                index |= AA_X_NAME;
        } else if (old_index == 3) {
                index |= AA_X_NAME | AA_X_CHILD;
-        } else {
+        } else if (old_index) {
                index |= AA_X_TABLE;
                index |= old_index - 4;
        }
diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h
index a4a863997bd5..775843e7f984 100644
--- a/security/apparmor/include/match.h
+++ b/security/apparmor/include/match.h
@@ -116,6 +116,9 @@ unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start,
                              const char *str, int len);
 unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start,
                          const char *str);
+unsigned int aa_dfa_next(struct aa_dfa *dfa, unsigned int state,
+                         const char c);
 void aa_dfa_free_kref(struct kref *kref);
 /**
diff --git a/security/apparmor/include/path.h b/security/apparmor/include/path.h
index 27b327a7fae5..286ac75dc88b 100644
--- a/security/apparmor/include/path.h
+++ b/security/apparmor/include/path.h
@@ -26,6 +26,7 @@ enum path_flags {
        PATH_MEDIATE_DELETED = 0x10000, /* mediate deleted paths */
 };
-int aa_get_name(struct path *path, int flags, char **buffer, const char **name);
+int aa_path_name(struct path *path, int flags, char **buffer,
+                 const char **name, const char **info);
 #endif /* __AA_PATH_H */
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index aeda5cf56904..bda4569fdd83 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -29,7 +29,7 @@
 #include "file.h"
 #include "resource.h"
-extern const char *profile_mode_names[];
+extern const char *const profile_mode_names[];
 #define APPARMOR_NAMES_MAX_INDEX 3
 #define COMPLAIN_MODE(_profile) \
@@ -129,6 +129,17 @@ struct aa_namespace {
        struct list_head sub_ns;
 };
+/* struct aa_policydb - match engine for a policy
+ * dfa: dfa pattern match
+ * start: set of start states for the different classes of data
+ */
+struct aa_policydb {
+        /* Generic policy DFA specific rule types will be subsections of it */
+        struct aa_dfa *dfa;
+        unsigned int start[AA_CLASS_LAST + 1];
+};
 /* struct aa_profile - basic confinement data
 * @base - base components of the profile (name, refcount, lists, lock ...)
 * @parent: parent of profile
@@ -143,6 +154,7 @@ struct aa_namespace {
 * @flags: flags controlling profile behavior
 * @path_flags: flags controlling path generation behavior
 * @size: the memory consumed by this profiles rules
+ * @policy: general match rules governing policy
 * @file: The set of rules governing basic file access and domain transitions
 * @caps: capabilities for the profile
 * @rlimits: rlimits for the profile
@@ -179,6 +191,7 @@ struct aa_profile {
        u32 path_flags;
        int size;
+        struct aa_policydb policy;
        struct aa_file_rules file;
        struct aa_caps caps;
        struct aa_rlimit rlimits;
diff --git a/security/apparmor/include/resource.h b/security/apparmor/include/resource.h
index 02baec732bb5..d3f4cf027957 100644
--- a/security/apparmor/include/resource.h
+++ b/security/apparmor/include/resource.h
@@ -18,6 +18,8 @@
 #include <linux/resource.h>
 #include <linux/sched.h>
+#include "apparmorfs.h"
 struct aa_profile;
 /* struct aa_rlimit - rlimit settings for the profile
@@ -32,6 +34,8 @@ struct aa_rlimit {
        struct rlimit limits[RLIM_NLIMITS];
 };
+extern struct aa_fs_entry aa_fs_entry_rlimit[];
 int aa_map_resource(int resource);
 int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *,
                      unsigned int resource, struct rlimit *new_rlim);
diff --git a/security/apparmor/match.c b/security/apparmor/match.c
index 94de6b4907c8..90971a8c3789 100644
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -335,12 +335,12 @@ unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start,
 }
 /**
- * aa_dfa_next_state - traverse @dfa to find state @str stops at
+ * aa_dfa_match - traverse @dfa to find state @str stops at
 * @dfa: the dfa to match @str against  (NOT NULL)
 * @start: the state of the dfa to start matching in
 * @str: the null terminated string of bytes to match against the dfa (NOT NULL)
 *
- * aa_dfa_next_state will match @str against the dfa and return the state it
+ * aa_dfa_match will match @str against the dfa and return the state it
 * finished matching in. The final state can be used to look up the accepting
 * label, or as the start state of a continuing match.
 *
@@ -349,5 +349,79 @@ unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start,
 unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start,
                          const char *str)
 {
-        return aa_dfa_match_len(dfa, start, str, strlen(str));
+        u16 *def = DEFAULT_TABLE(dfa);
+        u32 *base = BASE_TABLE(dfa);
+        u16 *next = NEXT_TABLE(dfa);
+        u16 *check = CHECK_TABLE(dfa);
+        unsigned int state = start, pos;
+        if (state == 0)
+                return 0;
+        /* current state is <state>, matching character *str */
+        if (dfa->tables[YYTD_ID_EC]) {
+                /* Equivalence class table defined */
+                u8 *equiv = EQUIV_TABLE(dfa);
+                /* default is direct to next state */
+                while (*str) {
+                        pos = base[state] + equiv[(u8) *str++];
+                        if (check[pos] == state)
+                                state = next[pos];
+                        else
+                                state = def[state];
+                }
+        } else {
+                /* default is direct to next state */
+                while (*str) {
+                        pos = base[state] + (u8) *str++;
+                        if (check[pos] == state)
+                                state = next[pos];
+                        else
+                                state = def[state];
+                }
+        }
+        return state;
+}
+/**
+ * aa_dfa_next - step one character to the next state in the dfa
+ * @dfa: the dfa to tranverse (NOT NULL)
+ * @state: the state to start in
+ * @c: the input character to transition on
+ *
+ * aa_dfa_match will step through the dfa by one input character @c
+ *
+ * Returns: state reach after input @c
+ */
+unsigned int aa_dfa_next(struct aa_dfa *dfa, unsigned int state,
+                          const char c)
+{
+        u16 *def = DEFAULT_TABLE(dfa);
+        u32 *base = BASE_TABLE(dfa);
+        u16 *next = NEXT_TABLE(dfa);
+        u16 *check = CHECK_TABLE(dfa);
+        unsigned int pos;
+        /* current state is <state>, matching character *str */
+        if (dfa->tables[YYTD_ID_EC]) {
+                /* Equivalence class table defined */
+                u8 *equiv = EQUIV_TABLE(dfa);
+                /* default is direct to next state */
+                pos = base[state] + equiv[(u8) c];
+                if (check[pos] == state)
+                        state = next[pos];
+                else
+                        state = def[state];
+        } else {
+                /* default is direct to next state */
+                pos = base[state] + (u8) c;
+                if (check[pos] == state)
+                        state = next[pos];
+                else
+                        state = def[state];
+        }
+        return state;
 }
diff --git a/security/apparmor/path.c b/security/apparmor/path.c
index 9d070a7c3ffc..2daeea4f9266 100644
--- a/security/apparmor/path.c
+++ b/security/apparmor/path.c
@@ -83,31 +83,29 @@ static int d_namespace_path(struct path *path, char *buf, int buflen,
                struct path root;
                get_fs_root(current->fs, &root);
                res = __d_path(path, &root, buf, buflen);
-                if (res && !IS_ERR(res)) {
-                        /* everything's fine */
-                        *name = res;
-                        path_put(&root);
-                        goto ok;
-                }
                path_put(&root);
-                connected = 0;
+        } else {
+                res = d_absolute_path(path, buf, buflen);
+                if (!our_mnt(path->mnt))
+                        connected = 0;
        }
-        res = d_absolute_path(path, buf, buflen);
-        *name = res;
        /* handle error conditions - and still allow a partial path to
         * be returned.
         */
-        if (IS_ERR(res)) {
+        if (!res || IS_ERR(res)) {
-                error = PTR_ERR(res);
-                *name = buf;
-                goto out;
-        }
-        if (!our_mnt(path->mnt))
                connected = 0;
+                res = dentry_path_raw(path->dentry, buf, buflen);
+                if (IS_ERR(res)) {
+                        error = PTR_ERR(res);
+                        *name = buf;
+                        goto out;
+                };
+        } else if (!our_mnt(path->mnt))
+                connected = 0;
+        *name = res;
-ok:
        /* Handle two cases:
         * 1. A deleted dentry && profile is not allowing mediation of deleted
         * 2. On some filesystems, newly allocated dentries appear to the
@@ -138,7 +136,7 @@ ok:
                        /* disconnected path, don't return pathname starting
                         * with '/'
                         */
-                        error = -ESTALE;
+                        error = -EACCES;
                        if (*res == '/')
                                *name = res + 1;
                }
@@ -159,7 +157,7 @@ out:
 * Returns: %0 else error on failure
 */
 static int get_name_to_buffer(struct path *path, int flags, char *buffer,
-                              int size, char **name)
+                              int size, char **name, const char **info)
 {
        int adjust = (flags & PATH_IS_DIR) ? 1 : 0;
        int error = d_namespace_path(path, buffer, size - adjust, name, flags);
@@ -171,15 +169,27 @@ static int get_name_to_buffer(struct path *path, int flags, char *buffer,
                 */
                strcpy(&buffer[size - 2], "/");
+        if (info && error) {
+                if (error == -ENOENT)
+                        *info = "Failed name lookup - deleted entry";
+                else if (error == -ESTALE)
+                        *info = "Failed name lookup - disconnected path";
+                else if (error == -ENAMETOOLONG)
+                        *info = "Failed name lookup - name too long";
+                else
+                        *info = "Failed name lookup";
+        }
        return error;
 }
 /**
- * aa_get_name - compute the pathname of a file
+ * aa_path_name - compute the pathname of a file
 * @path: path the file  (NOT NULL)
 * @flags: flags controlling path name generation
 * @buffer: buffer that aa_get_name() allocated  (NOT NULL)
 * @name: Returns - the generated path name if !error (NOT NULL)
+ * @info: Returns - information on why the path lookup failed (MAYBE NULL)
 *
 * @name is a pointer to the beginning of the pathname (which usually differs
 * from the beginning of the buffer), or NULL.  If there is an error @name
@@ -192,7 +202,8 @@ static int get_name_to_buffer(struct path *path, int flags, char *buffer,
 *
 * Returns: %0 else error code if could retrieve name
 */
-int aa_get_name(struct path *path, int flags, char **buffer, const char **name)
+int aa_path_name(struct path *path, int flags, char **buffer, const char **name,
+                 const char **info)
 {
        char *buf, *str = NULL;
        int size = 256;
@@ -206,7 +217,7 @@ int aa_get_name(struct path *path, int flags, char **buffer, const char **name)
                if (!buf)
                        return -ENOMEM;
-                error = get_name_to_buffer(path, flags, buf, size, &str);
+                error = get_name_to_buffer(path, flags, buf, size, &str, info);
                if (error != -ENAMETOOLONG)
                        break;
@@ -214,6 +225,7 @@ int aa_get_name(struct path *path, int flags, char **buffer, const char **name)
                size <<= 1;
                if (size > aa_g_path_max)
                        return -ENAMETOOLONG;
+                *info = NULL;
        }
        *buffer = buf;
        *name = str;
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 4f0eadee78b8..906414383022 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -93,7 +93,7 @@
 /* root profile namespace */
 struct aa_namespace *root_ns;
-const char *profile_mode_names[] = {
+const char *const profile_mode_names[] = {
        "enforce",
        "complain",
        "kill",
@@ -749,6 +749,7 @@ static void free_profile(struct aa_profile *profile)
        aa_free_sid(profile->sid);
        aa_put_dfa(profile->xmatch);
+        aa_put_dfa(profile->policy.dfa);
        aa_put_profile(profile->replacedby);
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 741dd13e089b..25fd51edc8da 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -84,7 +84,7 @@ static void audit_cb(struct audit_buffer *ab, void *va)
 * @new: profile if it has been allocated (MAYBE NULL)
 * @name: name of the profile being manipulated (MAYBE NULL)
 * @info: any extra info about the failure (MAYBE NULL)
- * @e: buffer position info (NOT NULL)
+ * @e: buffer position info
 * @error: error code
 *
 * Returns: %0 or error
@@ -95,7 +95,8 @@ static int audit_iface(struct aa_profile *new, const char *name,
        struct aa_profile *profile = __aa_current_profile();
        struct common_audit_data sa;
        COMMON_AUDIT_DATA_INIT(&sa, NONE);
-        sa.aad.iface.pos = e->pos - e->start;
+        if (e)
+                sa.aad.iface.pos = e->pos - e->start;
        sa.aad.iface.target = new;
        sa.aad.name = name;
        sa.aad.info = info;
@@ -468,7 +469,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
 {
        struct aa_profile *profile = NULL;
        const char *name = NULL;
-        int error = -EPROTO;
+        int i, error = -EPROTO;
        kernel_cap_t tmpcap;
        u32 tmp;
@@ -554,11 +555,35 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
                        goto fail;
                if (!unpack_u32(e, &(profile->caps.extended.cap[1]), NULL))
                        goto fail;
+                if (!unpack_nameX(e, AA_STRUCTEND, NULL))
+                        goto fail;
        }
        if (!unpack_rlimits(e, profile))
                goto fail;
+        if (unpack_nameX(e, AA_STRUCT, "policydb")) {
+                /* generic policy dfa - optional and may be NULL */
+                profile->policy.dfa = unpack_dfa(e);
+                if (IS_ERR(profile->policy.dfa)) {
+                        error = PTR_ERR(profile->policy.dfa);
+                        profile->policy.dfa = NULL;
+                        goto fail;
+                }
+                if (!unpack_u32(e, &profile->policy.start[0], "start"))
+                        /* default start state */
+                        profile->policy.start[0] = DFA_START;
+                /* setup class index */
+                for (i = AA_CLASS_FILE; i <= AA_CLASS_LAST; i++) {
+                        profile->policy.start[i] =
+                                aa_dfa_next(profile->policy.dfa,
+                                            profile->policy.start[0],
+                                            i);
+                }
+                if (!unpack_nameX(e, AA_STRUCTEND, NULL))
+                        goto fail;
+        }
        /* get file rules */
        profile->file.dfa = unpack_dfa(e);
        if (IS_ERR(profile->file.dfa)) {
diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c
index a4136c10b1c6..72c25a4f2cfd 100644
--- a/security/apparmor/resource.c
+++ b/security/apparmor/resource.c
@@ -23,6 +23,11 @@
 */
 #include "rlim_names.h"
+struct aa_fs_entry aa_fs_entry_rlimit[] = {
+        AA_FS_FILE_STRING("mask", AA_FS_RLIMIT_MASK),
+        { }
+};
 /* audit callback for resource specific fields */
 static void audit_cb(struct audit_buffer *ab, void *va)
 {
diff --git a/security/capability.c b/security/capability.c
index 2f680eb02b59..5bb21b1c448c 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -358,6 +358,10 @@ static int cap_task_create(unsigned long clone_flags)
        return 0;
 }
+static void cap_task_free(struct task_struct *task)
+{
+}
 static int cap_cred_alloc_blank(struct cred *cred, gfp_t gfp)
 {
        return 0;
@@ -954,6 +958,7 @@ void __init security_fixup_ops(struct security_operations *ops)
        set_to_cap_if_null(ops, file_receive);
        set_to_cap_if_null(ops, dentry_open);
        set_to_cap_if_null(ops, task_create);
+        set_to_cap_if_null(ops, task_free);
        set_to_cap_if_null(ops, cred_alloc_blank);
        set_to_cap_if_null(ops, cred_free);
        set_to_cap_if_null(ops, cred_prepare);
diff --git a/security/commoncap.c b/security/commoncap.c
index 7ce191ea29a0..0cf4b53480a7 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -28,6 +28,7 @@
 #include <linux/prctl.h>
 #include <linux/securebits.h>
 #include <linux/user_namespace.h>
+#include <linux/binfmts.h>
 /*
 * If a non-root user executes a setuid-root binary in
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 4f554f20dc97..35664fe6daa1 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -9,8 +9,8 @@ config IMA
        select CRYPTO_HMAC
        select CRYPTO_MD5
        select CRYPTO_SHA1
-        select TCG_TPM if !S390 && !UML
+        select TCG_TPM if HAS_IOMEM && !UML
-        select TCG_TIS if TCG_TPM
+        select TCG_TIS if TCG_TPM && X86
        help
          The Trusted Computing Group(TCG) runtime Integrity
          Measurement Architecture(IMA) maintains a list of hash
diff --git a/security/integrity/ima/ima_audit.c b/security/integrity/ima/ima_audit.c
index 2ad942fb1e23..21e96bf188df 100644
--- a/security/integrity/ima/ima_audit.c
+++ b/security/integrity/ima/ima_audit.c
@@ -61,6 +61,6 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
                audit_log_untrustedstring(ab, inode->i_sb->s_id);
                audit_log_format(ab, " ino=%lu", inode->i_ino);
        }
-        audit_log_format(ab, " res=%d", !result ? 0 : 1);
+        audit_log_format(ab, " res=%d", !result);
        audit_log_end(ab);
 }
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index d45061d02fee..d8edff209bf3 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -62,6 +62,7 @@ static struct ima_measure_rule_entry default_rules[] = {
        {.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC},
        {.action = DONT_MEASURE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC},
        {.action = DONT_MEASURE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC},
+        {.action = DONT_MEASURE,.fsmagic = RAMFS_MAGIC,.flags = IMA_FSMAGIC},
        {.action = DONT_MEASURE,.fsmagic = SECURITYFS_MAGIC,.flags = IMA_FSMAGIC},
        {.action = DONT_MEASURE,.fsmagic = SELINUX_MAGIC,.flags = IMA_FSMAGIC},
        {.action = MEASURE,.func = FILE_MMAP,.mask = MAY_EXEC,
@@ -417,7 +418,7 @@ static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry)
        if (!result && (entry->action == UNKNOWN))
                result = -EINVAL;
-        audit_log_format(ab, "res=%d", !!result);
+        audit_log_format(ab, "res=%d", !result);
        audit_log_end(ab);
        return result;
 }
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 0b3f5d72af1c..6523599e9ac0 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -388,11 +388,24 @@ long keyctl_keyring_clear(key_serial_t ringid)
        keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_WRITE);
        if (IS_ERR(keyring_ref)) {
                ret = PTR_ERR(keyring_ref);
+                /* Root is permitted to invalidate certain special keyrings */
+                if (capable(CAP_SYS_ADMIN)) {
+                        keyring_ref = lookup_user_key(ringid, 0, 0);
+                        if (IS_ERR(keyring_ref))
+                                goto error;
+                        if (test_bit(KEY_FLAG_ROOT_CAN_CLEAR,
+                                     &key_ref_to_ptr(keyring_ref)->flags))
+                                goto clear;
+                        goto error_put;
+                }
                goto error;
        }
+clear:
        ret = keyring_clear(key_ref_to_ptr(keyring_ref));
+error_put:
        key_ref_put(keyring_ref);
 error:
        return ret;
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index 1068cb1939b3..be7ecb2018dd 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -657,7 +657,8 @@ try_again:
                        goto error;
                down_read(&cred->request_key_auth->sem);
-                if (cred->request_key_auth->flags & KEY_FLAG_REVOKED) {
+                if (test_bit(KEY_FLAG_REVOKED,
+                             &cred->request_key_auth->flags)) {
                        key_ref = ERR_PTR(-EKEYREVOKED);
                        key = NULL;
                } else {
diff --git a/security/security.c b/security/security.c
index d7542493454d..bf619ffc9a4d 100644
--- a/security/security.c
+++ b/security/security.c
@@ -19,6 +19,8 @@
 #include <linux/integrity.h>
 #include <linux/ima.h>
 #include <linux/evm.h>
+#include <linux/fsnotify.h>
+#include <net/flow.h>
 #define MAX_LSM_EVM_XATTR       2
@@ -187,25 +189,11 @@ int security_settime(const struct timespec *ts, const struct timezone *tz)
        return security_ops->settime(ts, tz);
 }
-int security_vm_enough_memory(long pages)
-{
-        WARN_ON(current->mm == NULL);
-        return security_ops->vm_enough_memory(current->mm, pages);
-}
 int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
 {
-        WARN_ON(mm == NULL);
        return security_ops->vm_enough_memory(mm, pages);
 }
-int security_vm_enough_memory_kern(long pages)
-{
-        /* If current->mm is a kernel thread then we will pass NULL,
-           for this specific case that is fine */
-        return security_ops->vm_enough_memory(current->mm, pages);
-}
 int security_bprm_set_creds(struct linux_binprm *bprm)
 {
        return security_ops->bprm_set_creds(bprm);
@@ -729,6 +717,11 @@ int security_task_create(unsigned long clone_flags)
        return security_ops->task_create(clone_flags);
 }
+void security_task_free(struct task_struct *task)
+{
+        security_ops->task_free(task);
+}
 int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
 {
        return security_ops->cred_alloc_blank(cred, gfp);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 6a3683e28426..304929909375 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -81,6 +81,8 @@
 #include <linux/syslog.h>
 #include <linux/user_namespace.h>
 #include <linux/export.h>
+#include <linux/msg.h>
+#include <linux/shm.h>
 #include "avc.h"
 #include "objsec.h"
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index e8af5b0ba80f..cd667b4089a5 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -36,6 +36,9 @@
 #include <linux/magic.h>
 #include <linux/dcache.h>
 #include <linux/personality.h>
+#include <linux/msg.h>
+#include <linux/shm.h>
+#include <linux/binfmts.h>
 #include "smack.h"
 #define task_security(task)     (task_cred_xxx((task), security))
diff --git a/security/tomoyo/audit.c b/security/tomoyo/audit.c
index 5ca47ea3049f..7ef9fa3e37e0 100644
--- a/security/tomoyo/audit.c
+++ b/security/tomoyo/audit.c
@@ -446,11 +446,11 @@ void tomoyo_read_log(struct tomoyo_io_buffer *head)
 * tomoyo_poll_log - Wait for an audit log.
 *
 * @file: Pointer to "struct file".
- * @wait: Pointer to "poll_table".
+ * @wait: Pointer to "poll_table". Maybe NULL.
 *
 * Returns POLLIN | POLLRDNORM when ready to read an audit log.
 */
-int tomoyo_poll_log(struct file *file, poll_table *wait)
+unsigned int tomoyo_poll_log(struct file *file, poll_table *wait)
 {
        if (tomoyo_log_count)
                return POLLIN | POLLRDNORM;
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index c47d3ce6c733..8656b16eef7b 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -1069,7 +1069,7 @@ static int tomoyo_write_task(struct tomoyo_acl_param *param)
 *
 * @domainname: The name of domain.
 *
- * Returns 0.
+ * Returns 0 on success, negative value otherwise.
 *
 * Caller holds tomoyo_read_lock().
 */
@@ -1081,7 +1081,7 @@ static int tomoyo_delete_domain(char *domainname)
        name.name = domainname;
        tomoyo_fill_path_info(&name);
        if (mutex_lock_interruptible(&tomoyo_policy_lock))
-                return 0;
+                return -EINTR;
        /* Is there an active domain? */
        list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
                /* Never delete tomoyo_kernel_domain */
@@ -1164,15 +1164,16 @@ static int tomoyo_write_domain(struct tomoyo_io_buffer *head)
        bool is_select = !is_delete && tomoyo_str_starts(&data, "select ");
        unsigned int profile;
        if (*data == '<') {
+                int ret = 0;
                domain = NULL;
                if (is_delete)
-                        tomoyo_delete_domain(data);
+                        ret = tomoyo_delete_domain(data);
                else if (is_select)
                        domain = tomoyo_find_domain(data);
                else
                        domain = tomoyo_assign_domain(data, false);
                head->w.domain = domain;
-                return 0;
+                return ret;
        }
        if (!domain)
                return -EINVAL;
@@ -2111,7 +2112,7 @@ static struct tomoyo_domain_info *tomoyo_find_domain_by_qid
        struct tomoyo_domain_info *domain = NULL;
        spin_lock(&tomoyo_query_list_lock);
        list_for_each_entry(ptr, &tomoyo_query_list, list) {
-                if (ptr->serial != serial || ptr->answer)
+                if (ptr->serial != serial)
                        continue;
                domain = ptr->domain;
                break;
@@ -2130,28 +2131,13 @@ static struct tomoyo_domain_info *tomoyo_find_domain_by_qid
 *
 * Waits for access requests which violated policy in enforcing mode.
 */
-static int tomoyo_poll_query(struct file *file, poll_table *wait)
+static unsigned int tomoyo_poll_query(struct file *file, poll_table *wait)
 {
-        struct list_head *tmp;
+        if (!list_empty(&tomoyo_query_list))
-        bool found = false;
+                return POLLIN | POLLRDNORM;
-        u8 i;
+        poll_wait(file, &tomoyo_query_wait, wait);
-        for (i = 0; i < 2; i++) {
+        if (!list_empty(&tomoyo_query_list))
-                spin_lock(&tomoyo_query_list_lock);
+                return POLLIN | POLLRDNORM;
-                list_for_each(tmp, &tomoyo_query_list) {
-                        struct tomoyo_query *ptr =
-                                list_entry(tmp, typeof(*ptr), list);
-                        if (ptr->answer)
-                                continue;
-                        found = true;
-                        break;
-                }
-                spin_unlock(&tomoyo_query_list_lock);
-                if (found)
-                        return POLLIN | POLLRDNORM;
-                if (i)
-                        break;
-                poll_wait(file, &tomoyo_query_wait, wait);
-        }
        return 0;
 }
@@ -2175,8 +2161,6 @@ static void tomoyo_read_query(struct tomoyo_io_buffer *head)
        spin_lock(&tomoyo_query_list_lock);
        list_for_each(tmp, &tomoyo_query_list) {
                struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list);
-                if (ptr->answer)
-                        continue;
                if (pos++ != head->r.query_index)
                        continue;
                len = ptr->query_len;
@@ -2194,8 +2178,6 @@ static void tomoyo_read_query(struct tomoyo_io_buffer *head)
        spin_lock(&tomoyo_query_list_lock);
        list_for_each(tmp, &tomoyo_query_list) {
                struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list);
-                if (ptr->answer)
-                        continue;
                if (pos++ != head->r.query_index)
                        continue;
                /*
@@ -2243,8 +2225,10 @@ static int tomoyo_write_answer(struct tomoyo_io_buffer *head)
                struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list);
                if (ptr->serial != serial)
                        continue;
-                if (!ptr->answer)
+                ptr->answer = answer;
-                        ptr->answer = answer;
+                /* Remove from tomoyo_query_list. */
+                if (ptr->answer)
+                        list_del_init(&ptr->list);
                break;
        }
        spin_unlock(&tomoyo_query_list_lock);
@@ -2477,18 +2461,17 @@ int tomoyo_open_control(const u8 type, struct file *file)
 * tomoyo_poll_control - poll() for /sys/kernel/security/tomoyo/ interface.
 *
 * @file: Pointer to "struct file".
- * @wait: Pointer to "poll_table".
+ * @wait: Pointer to "poll_table". Maybe NULL.
 *
- * Waits for read readiness.
+ * Returns POLLIN | POLLRDNORM | POLLOUT | POLLWRNORM if ready to read/write,
- * /sys/kernel/security/tomoyo/query is handled by /usr/sbin/tomoyo-queryd and
+ * POLLOUT | POLLWRNORM otherwise.
- * /sys/kernel/security/tomoyo/audit is handled by /usr/sbin/tomoyo-auditd.
 */
-int tomoyo_poll_control(struct file *file, poll_table *wait)
+unsigned int tomoyo_poll_control(struct file *file, poll_table *wait)
 {
        struct tomoyo_io_buffer *head = file->private_data;
-        if (!head->poll)
+        if (head->poll)
-                return -ENOSYS;
+                return head->poll(file, wait) | POLLOUT | POLLWRNORM;
-        return head->poll(file, wait);
+        return POLLIN | POLLRDNORM | POLLOUT | POLLWRNORM;
 }
 /**
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index 9512222d5581..30fd98369700 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -788,7 +788,7 @@ struct tomoyo_acl_param {
 struct tomoyo_io_buffer {
        void (*read) (struct tomoyo_io_buffer *);
        int (*write) (struct tomoyo_io_buffer *);
-        int (*poll) (struct file *file, poll_table *wait);
+        unsigned int (*poll) (struct file *file, poll_table *wait);
        /* Exclusive lock for this structure.   */
        struct mutex io_sem;
        char __user *read_user_buf;
@@ -981,8 +981,8 @@ int tomoyo_path_number_perm(const u8 operation, struct path *path,
                            unsigned long number);
 int tomoyo_path_perm(const u8 operation, struct path *path,
                     const char *target);
-int tomoyo_poll_control(struct file *file, poll_table *wait);
+unsigned int tomoyo_poll_control(struct file *file, poll_table *wait);
-int tomoyo_poll_log(struct file *file, poll_table *wait);
+unsigned int tomoyo_poll_log(struct file *file, poll_table *wait);
 int tomoyo_socket_bind_permission(struct socket *sock, struct sockaddr *addr,
                                  int addr_len);
 int tomoyo_socket_connect_permission(struct socket *sock,
diff --git a/security/tomoyo/mount.c b/security/tomoyo/mount.c
index bee09d062057..fe00cdfd0267 100644
--- a/security/tomoyo/mount.c
+++ b/security/tomoyo/mount.c
@@ -199,30 +199,32 @@ int tomoyo_mount_permission(char *dev_name, struct path *path,
        if (flags & MS_REMOUNT) {
                type = tomoyo_mounts[TOMOYO_MOUNT_REMOUNT];
                flags &= ~MS_REMOUNT;
-        }
+        } else if (flags & MS_BIND) {
-        if (flags & MS_MOVE) {
-                type = tomoyo_mounts[TOMOYO_MOUNT_MOVE];
-                flags &= ~MS_MOVE;
-        }
-        if (flags & MS_BIND) {
                type = tomoyo_mounts[TOMOYO_MOUNT_BIND];
                flags &= ~MS_BIND;
-        }
+        } else if (flags & MS_SHARED) {
-        if (flags & MS_UNBINDABLE) {
+                if (flags & (MS_PRIVATE | MS_SLAVE | MS_UNBINDABLE))
-                type = tomoyo_mounts[TOMOYO_MOUNT_MAKE_UNBINDABLE];
+                        return -EINVAL;
-                flags &= ~MS_UNBINDABLE;
+                type = tomoyo_mounts[TOMOYO_MOUNT_MAKE_SHARED];
-        }
+                flags &= ~MS_SHARED;
-        if (flags & MS_PRIVATE) {
+        } else if (flags & MS_PRIVATE) {
+                if (flags & (MS_SHARED | MS_SLAVE | MS_UNBINDABLE))
+                        return -EINVAL;
                type = tomoyo_mounts[TOMOYO_MOUNT_MAKE_PRIVATE];
                flags &= ~MS_PRIVATE;
-        }
+        } else if (flags & MS_SLAVE) {
-        if (flags & MS_SLAVE) {
+                if (flags & (MS_SHARED | MS_PRIVATE | MS_UNBINDABLE))
+                        return -EINVAL;
                type = tomoyo_mounts[TOMOYO_MOUNT_MAKE_SLAVE];
                flags &= ~MS_SLAVE;
-        }
+        } else if (flags & MS_UNBINDABLE) {
-        if (flags & MS_SHARED) {
+                if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE))
-                type = tomoyo_mounts[TOMOYO_MOUNT_MAKE_SHARED];
+                        return -EINVAL;
-                flags &= ~MS_SHARED;
+                type = tomoyo_mounts[TOMOYO_MOUNT_MAKE_UNBINDABLE];
+                flags &= ~MS_UNBINDABLE;
+        } else if (flags & MS_MOVE) {
+                type = tomoyo_mounts[TOMOYO_MOUNT_MOVE];
+                flags &= ~MS_MOVE;
        }
        if (!type)
                type = "<NULL>";
diff --git a/security/tomoyo/securityfs_if.c b/security/tomoyo/securityfs_if.c
index 482b2a5f48f0..8592f2fc6ebb 100644
--- a/security/tomoyo/securityfs_if.c
+++ b/security/tomoyo/securityfs_if.c
@@ -157,9 +157,10 @@ static int tomoyo_release(struct inode *inode, struct file *file)
 * tomoyo_poll - poll() for /sys/kernel/security/tomoyo/ interface.
 *
 * @file: Pointer to "struct file".
- * @wait: Pointer to "poll_table".
+ * @wait: Pointer to "poll_table". Maybe NULL.
 *
- * Returns 0 on success, negative value otherwise.
+ * Returns POLLIN | POLLRDNORM | POLLOUT | POLLWRNORM if ready to read/write,
+ * POLLOUT | POLLWRNORM otherwise.
 */
 static unsigned int tomoyo_poll(struct file *file, poll_table *wait)
 {
diff --git a/security/yama/Kconfig b/security/yama/Kconfig
new file mode 100644
index 000000000000..51d6709d8bbd
--- /dev/null
+++ b/security/yama/Kconfig
@@ -0,0 +1,13 @@
+config SECURITY_YAMA
+        bool "Yama support"
+        depends on SECURITY
+        select SECURITYFS
+        select SECURITY_PATH
+        default n
+        help
+          This selects Yama, which extends DAC support with additional
+          system-wide security settings beyond regular Linux discretionary
+          access controls. Currently available is ptrace scope restriction.
+          Further information can be found in Documentation/security/Yama.txt.
+          If you are unsure how to answer this question, answer N.
diff --git a/security/yama/Makefile b/security/yama/Makefile
new file mode 100644
index 000000000000..8b5e06588456
--- /dev/null
+++ b/security/yama/Makefile
@@ -0,0 +1,3 @@
+obj-$(CONFIG_SECURITY_YAMA) := yama.o
+yama-y := yama_lsm.o
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
new file mode 100644
index 000000000000..573723843a04
--- /dev/null
+++ b/security/yama/yama_lsm.c
@@ -0,0 +1,323 @@
+/*
+ * Yama Linux Security Module
+ *
+ * Author: Kees Cook <keescook@chromium.org>
+ *
+ * Copyright (C) 2010 Canonical, Ltd.
+ * Copyright (C) 2011 The Chromium OS Authors.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2, as
+ * published by the Free Software Foundation.
+ *
+ */
+#include <linux/security.h>
+#include <linux/sysctl.h>
+#include <linux/ptrace.h>
+#include <linux/prctl.h>
+#include <linux/ratelimit.h>
+static int ptrace_scope = 1;
+/* describe a ptrace relationship for potential exception */
+struct ptrace_relation {
+        struct task_struct *tracer;
+        struct task_struct *tracee;
+        struct list_head node;
+};
+static LIST_HEAD(ptracer_relations);
+static DEFINE_SPINLOCK(ptracer_relations_lock);
+/**
+ * yama_ptracer_add - add/replace an exception for this tracer/tracee pair
+ * @tracer: the task_struct of the process doing the ptrace
+ * @tracee: the task_struct of the process to be ptraced
+ *
+ * Each tracee can have, at most, one tracer registered. Each time this
+ * is called, the prior registered tracer will be replaced for the tracee.
+ *
+ * Returns 0 if relationship was added, -ve on error.
+ */
+static int yama_ptracer_add(struct task_struct *tracer,
+                            struct task_struct *tracee)
+{
+        int rc = 0;
+        struct ptrace_relation *added;
+        struct ptrace_relation *entry, *relation = NULL;
+        added = kmalloc(sizeof(*added), GFP_KERNEL);
+        if (!added)
+                return -ENOMEM;
+        spin_lock_bh(&ptracer_relations_lock);
+        list_for_each_entry(entry, &ptracer_relations, node)
+                if (entry->tracee == tracee) {
+                        relation = entry;
+                        break;
+                }
+        if (!relation) {
+                relation = added;
+                relation->tracee = tracee;
+                list_add(&relation->node, &ptracer_relations);
+        }
+        relation->tracer = tracer;
+        spin_unlock_bh(&ptracer_relations_lock);
+        if (added != relation)
+                kfree(added);
+        return rc;
+}
+/**
+ * yama_ptracer_del - remove exceptions related to the given tasks
+ * @tracer: remove any relation where tracer task matches
+ * @tracee: remove any relation where tracee task matches
+ */
+static void yama_ptracer_del(struct task_struct *tracer,
+                             struct task_struct *tracee)
+{
+        struct ptrace_relation *relation, *safe;
+        spin_lock_bh(&ptracer_relations_lock);
+        list_for_each_entry_safe(relation, safe, &ptracer_relations, node)
+                if (relation->tracee == tracee ||
+                    (tracer && relation->tracer == tracer)) {
+                        list_del(&relation->node);
+                        kfree(relation);
+                }
+        spin_unlock_bh(&ptracer_relations_lock);
+}
+/**
+ * yama_task_free - check for task_pid to remove from exception list
+ * @task: task being removed
+ */
+static void yama_task_free(struct task_struct *task)
+{
+        yama_ptracer_del(task, task);
+}
+/**
+ * yama_task_prctl - check for Yama-specific prctl operations
+ * @option: operation
+ * @arg2: argument
+ * @arg3: argument
+ * @arg4: argument
+ * @arg5: argument
+ *
+ * Return 0 on success, -ve on error.  -ENOSYS is returned when Yama
+ * does not handle the given option.
+ */
+static int yama_task_prctl(int option, unsigned long arg2, unsigned long arg3,
+                           unsigned long arg4, unsigned long arg5)
+{
+        int rc;
+        struct task_struct *myself = current;
+        rc = cap_task_prctl(option, arg2, arg3, arg4, arg5);
+        if (rc != -ENOSYS)
+                return rc;
+        switch (option) {
+        case PR_SET_PTRACER:
+                /* Since a thread can call prctl(), find the group leader
+                 * before calling _add() or _del() on it, since we want
+                 * process-level granularity of control. The tracer group
+                 * leader checking is handled later when walking the ancestry
+                 * at the time of PTRACE_ATTACH check.
+                 */
+                rcu_read_lock();
+                if (!thread_group_leader(myself))
+                        myself = rcu_dereference(myself->group_leader);
+                get_task_struct(myself);
+                rcu_read_unlock();
+                if (arg2 == 0) {
+                        yama_ptracer_del(NULL, myself);
+                        rc = 0;
+                } else if (arg2 == PR_SET_PTRACER_ANY) {
+                        rc = yama_ptracer_add(NULL, myself);
+                } else {
+                        struct task_struct *tracer;
+                        rcu_read_lock();
+                        tracer = find_task_by_vpid(arg2);
+                        if (tracer)
+                                get_task_struct(tracer);
+                        else
+                                rc = -EINVAL;
+                        rcu_read_unlock();
+                        if (tracer) {
+                                rc = yama_ptracer_add(tracer, myself);
+                                put_task_struct(tracer);
+                        }
+                }
+                put_task_struct(myself);
+                break;
+        }
+        return rc;
+}
+/**
+ * task_is_descendant - walk up a process family tree looking for a match
+ * @parent: the process to compare against while walking up from child
+ * @child: the process to start from while looking upwards for parent
+ *
+ * Returns 1 if child is a descendant of parent, 0 if not.
+ */
+static int task_is_descendant(struct task_struct *parent,
+                              struct task_struct *child)
+{
+        int rc = 0;
+        struct task_struct *walker = child;
+        if (!parent || !child)
+                return 0;
+        rcu_read_lock();
+        if (!thread_group_leader(parent))
+                parent = rcu_dereference(parent->group_leader);
+        while (walker->pid > 0) {
+                if (!thread_group_leader(walker))
+                        walker = rcu_dereference(walker->group_leader);
+                if (walker == parent) {
+                        rc = 1;
+                        break;
+                }
+                walker = rcu_dereference(walker->real_parent);
+        }
+        rcu_read_unlock();
+        return rc;
+}
+/**
+ * ptracer_exception_found - tracer registered as exception for this tracee
+ * @tracer: the task_struct of the process attempting ptrace
+ * @tracee: the task_struct of the process to be ptraced
+ *
+ * Returns 1 if tracer has is ptracer exception ancestor for tracee.
+ */
+static int ptracer_exception_found(struct task_struct *tracer,
+                                   struct task_struct *tracee)
+{
+        int rc = 0;
+        struct ptrace_relation *relation;
+        struct task_struct *parent = NULL;
+        bool found = false;
+        spin_lock_bh(&ptracer_relations_lock);
+        rcu_read_lock();
+        if (!thread_group_leader(tracee))
+                tracee = rcu_dereference(tracee->group_leader);
+        list_for_each_entry(relation, &ptracer_relations, node)
+                if (relation->tracee == tracee) {
+                        parent = relation->tracer;
+                        found = true;
+                        break;
+                }
+        if (found && (parent == NULL || task_is_descendant(parent, tracer)))
+                rc = 1;
+        rcu_read_unlock();
+        spin_unlock_bh(&ptracer_relations_lock);
+        return rc;
+}
+/**
+ * yama_ptrace_access_check - validate PTRACE_ATTACH calls
+ * @child: task that current task is attempting to ptrace
+ * @mode: ptrace attach mode
+ *
+ * Returns 0 if following the ptrace is allowed, -ve on error.
+ */
+static int yama_ptrace_access_check(struct task_struct *child,
+                                    unsigned int mode)
+{
+        int rc;
+        /* If standard caps disallows it, so does Yama.  We should
+         * only tighten restrictions further.
+         */
+        rc = cap_ptrace_access_check(child, mode);
+        if (rc)
+                return rc;
+        /* require ptrace target be a child of ptracer on attach */
+        if (mode == PTRACE_MODE_ATTACH &&
+            ptrace_scope &&
+            !task_is_descendant(current, child) &&
+            !ptracer_exception_found(current, child) &&
+            !capable(CAP_SYS_PTRACE))
+                rc = -EPERM;
+        if (rc) {
+                char name[sizeof(current->comm)];
+                printk_ratelimited(KERN_NOTICE "ptrace of non-child"
+                        " pid %d was attempted by: %s (pid %d)\n",
+                        child->pid,
+                        get_task_comm(name, current),
+                        current->pid);
+        }
+        return rc;
+}
+static struct security_operations yama_ops = {
+        .name =                 "yama",
+        .ptrace_access_check =  yama_ptrace_access_check,
+        .task_prctl =           yama_task_prctl,
+        .task_free =            yama_task_free,
+};
+#ifdef CONFIG_SYSCTL
+static int zero;
+static int one = 1;
+struct ctl_path yama_sysctl_path[] = {
+        { .procname = "kernel", },
+        { .procname = "yama", },
+        { }
+};
+static struct ctl_table yama_sysctl_table[] = {
+        {
+                .procname       = "ptrace_scope",
+                .data           = &ptrace_scope,
+                .maxlen         = sizeof(int),
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec_minmax,
+                .extra1         = &zero,
+                .extra2         = &one,
+        },
+        { }
+};
+#endif /* CONFIG_SYSCTL */
+static __init int yama_init(void)
+{
+        if (!security_module_enable(&yama_ops))
+                return 0;
+        printk(KERN_INFO "Yama: becoming mindful.\n");
+        if (register_security(&yama_ops))
+                panic("Yama: kernel registration failed.\n");
+#ifdef CONFIG_SYSCTL
+        if (!register_sysctl_paths(yama_sysctl_path, yama_sysctl_table))
+                panic("Yama: sysctl registration failed.\n");
+#endif
+        return 0;
+}
+security_initcall(yama_init);