8 files changed, 234 insertions, 63 deletions
diff --git a/security/capability.c b/security/capability.c
index a6290b625be9..1728d4e375db 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -738,6 +738,11 @@ static int cap_tun_dev_open(void *security)
 {
        return 0;
 }
+static void cap_skb_owned_by(struct sk_buff *skb, struct sock *sk)
+{
+}
 #endif  /* CONFIG_SECURITY_NETWORK */
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -1072,6 +1077,7 @@ void __init security_fixup_ops(struct security_operations *ops)
        set_to_cap_if_null(ops, tun_dev_open);
        set_to_cap_if_null(ops, tun_dev_attach_queue);
        set_to_cap_if_null(ops, tun_dev_attach);
+        set_to_cap_if_null(ops, skb_owned_by);
 #endif  /* CONFIG_SECURITY_NETWORK */
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
        set_to_cap_if_null(ops, xfrm_policy_alloc_security);
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 1c69e38e3a2c..dd0dc574d78d 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -25,6 +25,12 @@
 static DEFINE_MUTEX(devcgroup_mutex);
+enum devcg_behavior {
+        DEVCG_DEFAULT_NONE,
+        DEVCG_DEFAULT_ALLOW,
+        DEVCG_DEFAULT_DENY,
+};
 /*
 * exception list locking rules:
 * hold devcgroup_mutex for update/read.
@@ -42,10 +48,9 @@ struct dev_exception_item {
 struct dev_cgroup {
        struct cgroup_subsys_state css;
        struct list_head exceptions;
-        enum {
+        enum devcg_behavior behavior;
-                DEVCG_DEFAULT_ALLOW,
+        /* temporary list for pending propagation operations */
-                DEVCG_DEFAULT_DENY,
+        struct list_head propagate_pending;
-        } behavior;
 };
 static inline struct dev_cgroup *css_to_devcgroup(struct cgroup_subsys_state *s)
@@ -182,35 +187,62 @@ static void dev_exception_clean(struct dev_cgroup *dev_cgroup)
        __dev_exception_clean(dev_cgroup);
 }
+static inline bool is_devcg_online(const struct dev_cgroup *devcg)
+{
+        return (devcg->behavior != DEVCG_DEFAULT_NONE);
+}
+/**
+ * devcgroup_online - initializes devcgroup's behavior and exceptions based on
+ *                    parent's
+ * @cgroup: cgroup getting online
+ * returns 0 in case of success, error code otherwise
+ */
+static int devcgroup_online(struct cgroup *cgroup)
+{
+        struct dev_cgroup *dev_cgroup, *parent_dev_cgroup = NULL;
+        int ret = 0;
+        mutex_lock(&devcgroup_mutex);
+        dev_cgroup = cgroup_to_devcgroup(cgroup);
+        if (cgroup->parent)
+                parent_dev_cgroup = cgroup_to_devcgroup(cgroup->parent);
+        if (parent_dev_cgroup == NULL)
+                dev_cgroup->behavior = DEVCG_DEFAULT_ALLOW;
+        else {
+                ret = dev_exceptions_copy(&dev_cgroup->exceptions,
+                                          &parent_dev_cgroup->exceptions);
+                if (!ret)
+                        dev_cgroup->behavior = parent_dev_cgroup->behavior;
+        }
+        mutex_unlock(&devcgroup_mutex);
+        return ret;
+}
+static void devcgroup_offline(struct cgroup *cgroup)
+{
+        struct dev_cgroup *dev_cgroup = cgroup_to_devcgroup(cgroup);
+        mutex_lock(&devcgroup_mutex);
+        dev_cgroup->behavior = DEVCG_DEFAULT_NONE;
+        mutex_unlock(&devcgroup_mutex);
+}
 /*
 * called from kernel/cgroup.c with cgroup_lock() held.
 */
 static struct cgroup_subsys_state *devcgroup_css_alloc(struct cgroup *cgroup)
 {
-        struct dev_cgroup *dev_cgroup, *parent_dev_cgroup;
+        struct dev_cgroup *dev_cgroup;
-        struct cgroup *parent_cgroup;
-        int ret;
        dev_cgroup = kzalloc(sizeof(*dev_cgroup), GFP_KERNEL);
        if (!dev_cgroup)
                return ERR_PTR(-ENOMEM);
        INIT_LIST_HEAD(&dev_cgroup->exceptions);
-        parent_cgroup = cgroup->parent;
+        INIT_LIST_HEAD(&dev_cgroup->propagate_pending);
+        dev_cgroup->behavior = DEVCG_DEFAULT_NONE;
-        if (parent_cgroup == NULL)
-                dev_cgroup->behavior = DEVCG_DEFAULT_ALLOW;
-        else {
-                parent_dev_cgroup = cgroup_to_devcgroup(parent_cgroup);
-                mutex_lock(&devcgroup_mutex);
-                ret = dev_exceptions_copy(&dev_cgroup->exceptions,
-                                          &parent_dev_cgroup->exceptions);
-                dev_cgroup->behavior = parent_dev_cgroup->behavior;
-                mutex_unlock(&devcgroup_mutex);
-                if (ret) {
-                        kfree(dev_cgroup);
-                        return ERR_PTR(ret);
-                }
-        }
        return &dev_cgroup->css;
 }
@@ -304,9 +336,11 @@ static int devcgroup_seq_read(struct cgroup *cgroup, struct cftype *cft,
 *              verify if a certain access is allowed.
 * @dev_cgroup: dev cgroup to be tested against
 * @refex: new exception
+ * @behavior: behavior of the exception
 */
-static int may_access(struct dev_cgroup *dev_cgroup,
+static bool may_access(struct dev_cgroup *dev_cgroup,
-                      struct dev_exception_item *refex)
+                       struct dev_exception_item *refex,
+                       enum devcg_behavior behavior)
 {
        struct dev_exception_item *ex;
        bool match = false;
@@ -330,18 +364,29 @@ static int may_access(struct dev_cgroup *dev_cgroup,
                break;
        }
-        /*
+        if (dev_cgroup->behavior == DEVCG_DEFAULT_ALLOW) {
-         * In two cases we'll consider this new exception valid:
+                if (behavior == DEVCG_DEFAULT_ALLOW) {
-         * - the dev cgroup has its default policy to allow + exception list:
+                        /* the exception will deny access to certain devices */
-         *   the new exception should *not* match any of the exceptions
+                        return true;
-         *   (behavior == DEVCG_DEFAULT_ALLOW, !match)
+                } else {
-         * - the dev cgroup has its default policy to deny + exception list:
+                        /* the exception will allow access to certain devices */
-         *   the new exception *should* match the exceptions
+                        if (match)
-         *   (behavior == DEVCG_DEFAULT_DENY, match)
+                                /*
-         */
+                                 * a new exception allowing access shouldn't
-        if ((dev_cgroup->behavior == DEVCG_DEFAULT_DENY) == match)
+                                 * match an parent's exception
-                return 1;
+                                 */
-        return 0;
+                                return false;
+                        return true;
+                }
+        } else {
+                /* only behavior == DEVCG_DEFAULT_DENY allowed here */
+                if (match)
+                        /* parent has an exception that matches the proposed */
+                        return true;
+                else
+                        return false;
+        }
+        return false;
 }
 /*
@@ -358,7 +403,7 @@ static int parent_has_perm(struct dev_cgroup *childcg,
        if (!pcg)
                return 1;
        parent = cgroup_to_devcgroup(pcg);
-        return may_access(parent, ex);
+        return may_access(parent, ex, childcg->behavior);
 }
 /**
@@ -374,6 +419,111 @@ static inline int may_allow_all(struct dev_cgroup *parent)
        return parent->behavior == DEVCG_DEFAULT_ALLOW;
 }
+/**
+ * revalidate_active_exceptions - walks through the active exception list and
+ *                                revalidates the exceptions based on parent's
+ *                                behavior and exceptions. The exceptions that
+ *                                are no longer valid will be removed.
+ *                                Called with devcgroup_mutex held.
+ * @devcg: cgroup which exceptions will be checked
+ *
+ * This is one of the three key functions for hierarchy implementation.
+ * This function is responsible for re-evaluating all the cgroup's active
+ * exceptions due to a parent's exception change.
+ * Refer to Documentation/cgroups/devices.txt for more details.
+ */
+static void revalidate_active_exceptions(struct dev_cgroup *devcg)
+{
+        struct dev_exception_item *ex;
+        struct list_head *this, *tmp;
+        list_for_each_safe(this, tmp, &devcg->exceptions) {
+                ex = container_of(this, struct dev_exception_item, list);
+                if (!parent_has_perm(devcg, ex))
+                        dev_exception_rm(devcg, ex);
+        }
+}
+/**
+ * get_online_devcg - walks the cgroup tree and fills a list with the online
+ *                    groups
+ * @root: cgroup used as starting point
+ * @online: list that will be filled with online groups
+ *
+ * Must be called with devcgroup_mutex held. Grabs RCU lock.
+ * Because devcgroup_mutex is held, no devcg will become online or offline
+ * during the tree walk (see devcgroup_online, devcgroup_offline)
+ * A separated list is needed because propagate_behavior() and
+ * propagate_exception() need to allocate memory and can block.
+ */
+static void get_online_devcg(struct cgroup *root, struct list_head *online)
+{
+        struct cgroup *pos;
+        struct dev_cgroup *devcg;
+        lockdep_assert_held(&devcgroup_mutex);
+        rcu_read_lock();
+        cgroup_for_each_descendant_pre(pos, root) {
+                devcg = cgroup_to_devcgroup(pos);
+                if (is_devcg_online(devcg))
+                        list_add_tail(&devcg->propagate_pending, online);
+        }
+        rcu_read_unlock();
+}
+/**
+ * propagate_exception - propagates a new exception to the children
+ * @devcg_root: device cgroup that added a new exception
+ * @ex: new exception to be propagated
+ *
+ * returns: 0 in case of success, != 0 in case of error
+ */
+static int propagate_exception(struct dev_cgroup *devcg_root,
+                               struct dev_exception_item *ex)
+{
+        struct cgroup *root = devcg_root->css.cgroup;
+        struct dev_cgroup *devcg, *parent, *tmp;
+        int rc = 0;
+        LIST_HEAD(pending);
+        get_online_devcg(root, &pending);
+        list_for_each_entry_safe(devcg, tmp, &pending, propagate_pending) {
+                parent = cgroup_to_devcgroup(devcg->css.cgroup->parent);
+                /*
+                 * in case both root's behavior and devcg is allow, a new
+                 * restriction means adding to the exception list
+                 */
+                if (devcg_root->behavior == DEVCG_DEFAULT_ALLOW &&
+                    devcg->behavior == DEVCG_DEFAULT_ALLOW) {
+                        rc = dev_exception_add(devcg, ex);
+                        if (rc)
+                                break;
+                } else {
+                        /*
+                         * in the other possible cases:
+                         * root's behavior: allow, devcg's: deny
+                         * root's behavior: deny, devcg's: deny
+                         * the exception will be removed
+                         */
+                        dev_exception_rm(devcg, ex);
+                }
+                revalidate_active_exceptions(devcg);
+                list_del_init(&devcg->propagate_pending);
+        }
+        return rc;
+}
+static inline bool has_children(struct dev_cgroup *devcgroup)
+{
+        struct cgroup *cgrp = devcgroup->css.cgroup;
+        return !list_empty(&cgrp->children);
+}
 /*
 * Modify the exception list using allow/deny rules.
 * CAP_SYS_ADMIN is needed for this.  It's at least separate from CAP_MKNOD
@@ -392,7 +542,7 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
 {
        const char *b;
        char temp[12];          /* 11 + 1 characters needed for a u32 */
-        int count, rc;
+        int count, rc = 0;
        struct dev_exception_item ex;
        struct cgroup *p = devcgroup->css.cgroup;
        struct dev_cgroup *parent = NULL;
@@ -410,6 +560,9 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
        case 'a':
                switch (filetype) {
                case DEVCG_ALLOW:
+                        if (has_children(devcgroup))
+                                return -EINVAL;
                        if (!may_allow_all(parent))
                                return -EPERM;
                        dev_exception_clean(devcgroup);
@@ -423,6 +576,9 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
                                return rc;
                        break;
                case DEVCG_DENY:
+                        if (has_children(devcgroup))
+                                return -EINVAL;
                        dev_exception_clean(devcgroup);
                        devcgroup->behavior = DEVCG_DEFAULT_DENY;
                        break;
@@ -517,22 +673,28 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
                        dev_exception_rm(devcgroup, &ex);
                        return 0;
                }
-                return dev_exception_add(devcgroup, &ex);
+                rc = dev_exception_add(devcgroup, &ex);
+                break;
        case DEVCG_DENY:
                /*
                 * If the default policy is to deny by default, try to remove
                 * an matching exception instead. And be silent about it: we
                 * don't want to break compatibility
                 */
-                if (devcgroup->behavior == DEVCG_DEFAULT_DENY) {
+                if (devcgroup->behavior == DEVCG_DEFAULT_DENY)
                        dev_exception_rm(devcgroup, &ex);
-                        return 0;
+                else
-                }
+                        rc = dev_exception_add(devcgroup, &ex);
-                return dev_exception_add(devcgroup, &ex);
+                if (rc)
+                        break;
+                /* we only propagate new restrictions */
+                rc = propagate_exception(devcgroup, &ex);
+                break;
        default:
-                return -EINVAL;
+                rc = -EINVAL;
        }
-        return 0;
+        return rc;
 }
 static int devcgroup_access_write(struct cgroup *cgrp, struct cftype *cft,
@@ -571,17 +733,10 @@ struct cgroup_subsys devices_subsys = {
        .can_attach = devcgroup_can_attach,
        .css_alloc = devcgroup_css_alloc,
        .css_free = devcgroup_css_free,
+        .css_online = devcgroup_online,
+        .css_offline = devcgroup_offline,
        .subsys_id = devices_subsys_id,
        .base_cftypes = dev_cgroup_files,
-        /*
-         * While devices cgroup has the rudimentary hierarchy support which
-         * checks the parent's restriction, it doesn't properly propagates
-         * config changes in ancestors to their descendents.  A child
-         * should only be allowed to add more restrictions to the parent's
-         * configuration.  Fix it and remove the following.
-         */
-        .broken_hierarchy = true,
 };
 /**
@@ -609,7 +764,7 @@ static int __devcgroup_check_permission(short type, u32 major, u32 minor,
        rcu_read_lock();
        dev_cgroup = task_devcgroup(current);
-        rc = may_access(dev_cgroup, &ex);
+        rc = may_access(dev_cgroup, &ex, dev_cgroup->behavior);
        rcu_read_unlock();
        if (!rc)
diff --git a/security/keys/compat.c b/security/keys/compat.c
index 1c261763f479..d65fa7fa29ba 100644
--- a/security/keys/compat.c
+++ b/security/keys/compat.c
@@ -40,12 +40,12 @@ static long compat_keyctl_instantiate_key_iov(
                                           ARRAY_SIZE(iovstack),
                                           iovstack, &iov);
        if (ret < 0)
-                return ret;
+                goto err;
        if (ret == 0)
                goto no_payload_free;
        ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid);
+err:
        if (iov != iovstack)
                kfree(iov);
        return ret;
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index a571fad91010..42defae1e161 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -57,7 +57,7 @@ int install_user_keyrings(void)
        kenter("%p{%u}", user, uid);
-        if (user->uid_keyring) {
+        if (user->uid_keyring && user->session_keyring) {
                kleave(" = 0 [exist]");
                return 0;
        }
diff --git a/security/security.c b/security/security.c
index 108281d2307a..a3dce87d1aef 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1290,6 +1290,11 @@ int security_tun_dev_open(void *security)
 }
 EXPORT_SYMBOL(security_tun_dev_open);
+void security_skb_owned_by(struct sk_buff *skb, struct sock *sk)
+{
+        security_ops->skb_owned_by(skb, sk);
+}
 #endif  /* CONFIG_SECURITY_NETWORK */
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3c02be3f6732..feb2f42c5a07 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -51,6 +51,7 @@
 #include <linux/tty.h>
 #include <net/icmp.h>
 #include <net/ip.h>             /* for local_port_range[] */
+#include <net/sock.h>
 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
 #include <net/net_namespace.h>
 #include <net/netlabel.h>
@@ -4394,6 +4395,11 @@ static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
        selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
 }
+static void selinux_skb_owned_by(struct sk_buff *skb, struct sock *sk)
+{
+        skb_set_owner_w(skb, sk);
+}
 static int selinux_secmark_relabel_packet(u32 sid)
 {
        const struct task_security_struct *__tsec;
@@ -5695,6 +5701,7 @@ static struct security_operations selinux_ops = {
        .tun_dev_attach_queue =         selinux_tun_dev_attach_queue,
        .tun_dev_attach =               selinux_tun_dev_attach,
        .tun_dev_open =                 selinux_tun_dev_open,
+        .skb_owned_by =                 selinux_skb_owned_by,
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
        .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 48665ecd1197..8ab295154517 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -310,7 +310,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
        if (old_ctx) {
                new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len,
-                                  GFP_KERNEL);
+                                  GFP_ATOMIC);
                if (!new_ctx)
                        return -ENOMEM;
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
index 23414b93771f..13c88fbcf037 100644
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -347,10 +347,8 @@ int yama_ptrace_traceme(struct task_struct *parent)
        /* Only disallow PTRACE_TRACEME on more aggressive settings. */
        switch (ptrace_scope) {
        case YAMA_SCOPE_CAPABILITY:
-                rcu_read_lock();
+                if (!has_ns_capability(parent, current_user_ns(), CAP_SYS_PTRACE))
-                if (!ns_capable(__task_cred(parent)->user_ns, CAP_SYS_PTRACE))
                        rc = -EPERM;
-                rcu_read_unlock();
                break;
        case YAMA_SCOPE_NO_ATTACH:
                rc = -EPERM;

diff --git a/security/capability.c b/security/capability.c index a6290b625be9..1728d4e375db 100644 --- a/security/capability.c +++ b/security/capability.c
@@ -738,6 +738,11 @@ static int cap_tun_dev_open(void *security)
738	{	738	{
739	return 0;	739	return 0;
740	}	740	}
		741
		742	static void cap_skb_owned_by(struct sk_buff skb, struct sock sk)
		743	{
		744	}
		745
741	#endif /* CONFIG_SECURITY_NETWORK */	746	#endif /* CONFIG_SECURITY_NETWORK */
742		747
743	#ifdef CONFIG_SECURITY_NETWORK_XFRM	748	#ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -1072,6 +1077,7 @@ void __init security_fixup_ops(struct security_operations *ops)
1072	set_to_cap_if_null(ops, tun_dev_open);	1077	set_to_cap_if_null(ops, tun_dev_open);
1073	set_to_cap_if_null(ops, tun_dev_attach_queue);	1078	set_to_cap_if_null(ops, tun_dev_attach_queue);
1074	set_to_cap_if_null(ops, tun_dev_attach);	1079	set_to_cap_if_null(ops, tun_dev_attach);
		1080	set_to_cap_if_null(ops, skb_owned_by);
1075	#endif /* CONFIG_SECURITY_NETWORK */	1081	#endif /* CONFIG_SECURITY_NETWORK */
1076	#ifdef CONFIG_SECURITY_NETWORK_XFRM	1082	#ifdef CONFIG_SECURITY_NETWORK_XFRM
1077	set_to_cap_if_null(ops, xfrm_policy_alloc_security);	1083	set_to_cap_if_null(ops, xfrm_policy_alloc_security);


diff --git a/security/device_cgroup.c b/security/device_cgroup.c index 1c69e38e3a2c..dd0dc574d78d 100644 --- a/security/device_cgroup.c +++ b/security/device_cgroup.c
@@ -25,6 +25,12 @@
25		25
26	static DEFINE_MUTEX(devcgroup_mutex);	26	static DEFINE_MUTEX(devcgroup_mutex);
27		27
		28	enum devcg_behavior {
		29	DEVCG_DEFAULT_NONE,
		30	DEVCG_DEFAULT_ALLOW,
		31	DEVCG_DEFAULT_DENY,
		32	};
		33
28	/*	34	/*
29	* exception list locking rules:	35	* exception list locking rules:
30	* hold devcgroup_mutex for update/read.	36	* hold devcgroup_mutex for update/read.
@@ -42,10 +48,9 @@ struct dev_exception_item {
42	struct dev_cgroup {	48	struct dev_cgroup {
43	struct cgroup_subsys_state css;	49	struct cgroup_subsys_state css;
44	struct list_head exceptions;	50	struct list_head exceptions;
45	enum {	51	enum devcg_behavior behavior;
46	DEVCG_DEFAULT_ALLOW,	52	/* temporary list for pending propagation operations */
47	DEVCG_DEFAULT_DENY,	53	struct list_head propagate_pending;
48	} behavior;
49	};	54	};
50		55
51	static inline struct dev_cgroup css_to_devcgroup(struct cgroup_subsys_state s)	56	static inline struct dev_cgroup css_to_devcgroup(struct cgroup_subsys_state s)
@@ -182,35 +187,62 @@ static void dev_exception_clean(struct dev_cgroup *dev_cgroup)
182	__dev_exception_clean(dev_cgroup);	187	__dev_exception_clean(dev_cgroup);
183	}	188	}
184		189
		190	static inline bool is_devcg_online(const struct dev_cgroup *devcg)
		191	{
		192	return (devcg->behavior != DEVCG_DEFAULT_NONE);
		193	}
		194
		195	/**
		196	* devcgroup_online - initializes devcgroup's behavior and exceptions based on
		197	* parent's
		198	* @cgroup: cgroup getting online
		199	* returns 0 in case of success, error code otherwise
		200	*/
		201	static int devcgroup_online(struct cgroup *cgroup)
		202	{
		203	struct dev_cgroup dev_cgroup, parent_dev_cgroup = NULL;
		204	int ret = 0;
		205
		206	mutex_lock(&devcgroup_mutex);
		207	dev_cgroup = cgroup_to_devcgroup(cgroup);
		208	if (cgroup->parent)
		209	parent_dev_cgroup = cgroup_to_devcgroup(cgroup->parent);
		210
		211	if (parent_dev_cgroup == NULL)
		212	dev_cgroup->behavior = DEVCG_DEFAULT_ALLOW;
		213	else {
		214	ret = dev_exceptions_copy(&dev_cgroup->exceptions,
		215	&parent_dev_cgroup->exceptions);
		216	if (!ret)
		217	dev_cgroup->behavior = parent_dev_cgroup->behavior;
		218	}
		219	mutex_unlock(&devcgroup_mutex);
		220
		221	return ret;
		222	}
		223
		224	static void devcgroup_offline(struct cgroup *cgroup)
		225	{
		226	struct dev_cgroup *dev_cgroup = cgroup_to_devcgroup(cgroup);
		227
		228	mutex_lock(&devcgroup_mutex);
		229	dev_cgroup->behavior = DEVCG_DEFAULT_NONE;
		230	mutex_unlock(&devcgroup_mutex);
		231	}
		232
185	/*	233	/*
186	* called from kernel/cgroup.c with cgroup_lock() held.	234	* called from kernel/cgroup.c with cgroup_lock() held.
187	*/	235	*/
188	static struct cgroup_subsys_state devcgroup_css_alloc(struct cgroup cgroup)	236	static struct cgroup_subsys_state devcgroup_css_alloc(struct cgroup cgroup)
189	{	237	{
190	struct dev_cgroup dev_cgroup, parent_dev_cgroup;	238	struct dev_cgroup *dev_cgroup;
191	struct cgroup *parent_cgroup;
192	int ret;
193		239
194	dev_cgroup = kzalloc(sizeof(*dev_cgroup), GFP_KERNEL);	240	dev_cgroup = kzalloc(sizeof(*dev_cgroup), GFP_KERNEL);
195	if (!dev_cgroup)	241	if (!dev_cgroup)
196	return ERR_PTR(-ENOMEM);	242	return ERR_PTR(-ENOMEM);
197	INIT_LIST_HEAD(&dev_cgroup->exceptions);	243	INIT_LIST_HEAD(&dev_cgroup->exceptions);
198	parent_cgroup = cgroup->parent;	244	INIT_LIST_HEAD(&dev_cgroup->propagate_pending);
199		245	dev_cgroup->behavior = DEVCG_DEFAULT_NONE;
200	if (parent_cgroup == NULL)
201	dev_cgroup->behavior = DEVCG_DEFAULT_ALLOW;
202	else {
203	parent_dev_cgroup = cgroup_to_devcgroup(parent_cgroup);
204	mutex_lock(&devcgroup_mutex);
205	ret = dev_exceptions_copy(&dev_cgroup->exceptions,
206	&parent_dev_cgroup->exceptions);
207	dev_cgroup->behavior = parent_dev_cgroup->behavior;
208	mutex_unlock(&devcgroup_mutex);
209	if (ret) {
210	kfree(dev_cgroup);
211	return ERR_PTR(ret);
212	}
213	}
214		246
215	return &dev_cgroup->css;	247	return &dev_cgroup->css;
216	}	248	}
@@ -304,9 +336,11 @@ static int devcgroup_seq_read(struct cgroup cgroup, struct cftype cft,
304	* verify if a certain access is allowed.	336	* verify if a certain access is allowed.
305	* @dev_cgroup: dev cgroup to be tested against	337	* @dev_cgroup: dev cgroup to be tested against
306	* @refex: new exception	338	* @refex: new exception
		339	* @behavior: behavior of the exception
307	*/	340	*/
308	static int may_access(struct dev_cgroup *dev_cgroup,	341	static bool may_access(struct dev_cgroup *dev_cgroup,
309	struct dev_exception_item *refex)	342	struct dev_exception_item *refex,
		343	enum devcg_behavior behavior)
310	{	344	{
311	struct dev_exception_item *ex;	345	struct dev_exception_item *ex;
312	bool match = false;	346	bool match = false;
@@ -330,18 +364,29 @@ static int may_access(struct dev_cgroup *dev_cgroup,
330	break;	364	break;
331	}	365	}
332		366
333	/*	367	if (dev_cgroup->behavior == DEVCG_DEFAULT_ALLOW) {
334	* In two cases we'll consider this new exception valid:	368	if (behavior == DEVCG_DEFAULT_ALLOW) {
335	* - the dev cgroup has its default policy to allow + exception list:	369	/* the exception will deny access to certain devices */
336	* the new exception should not match any of the exceptions	370	return true;
337	* (behavior == DEVCG_DEFAULT_ALLOW, !match)	371	} else {
338	* - the dev cgroup has its default policy to deny + exception list:	372	/* the exception will allow access to certain devices */
339	* the new exception should match the exceptions	373	if (match)
340	* (behavior == DEVCG_DEFAULT_DENY, match)	374	/*
341	*/	375	* a new exception allowing access shouldn't
342	if ((dev_cgroup->behavior == DEVCG_DEFAULT_DENY) == match)	376	* match an parent's exception
343	return 1;	377	*/
344	return 0;	378	return false;
		379	return true;
		380	}
		381	} else {
		382	/* only behavior == DEVCG_DEFAULT_DENY allowed here */
		383	if (match)
		384	/* parent has an exception that matches the proposed */
		385	return true;
		386	else
		387	return false;
		388	}
		389	return false;
345	}	390	}
346		391
347	/*	392	/*
@@ -358,7 +403,7 @@ static int parent_has_perm(struct dev_cgroup *childcg,
358	if (!pcg)	403	if (!pcg)
359	return 1;	404	return 1;
360	parent = cgroup_to_devcgroup(pcg);	405	parent = cgroup_to_devcgroup(pcg);
361	return may_access(parent, ex);	406	return may_access(parent, ex, childcg->behavior);
362	}	407	}
363		408
364	/**	409	/**
@@ -374,6 +419,111 @@ static inline int may_allow_all(struct dev_cgroup *parent)
374	return parent->behavior == DEVCG_DEFAULT_ALLOW;	419	return parent->behavior == DEVCG_DEFAULT_ALLOW;
375	}	420	}
376		421
		422	/**
		423	* revalidate_active_exceptions - walks through the active exception list and
		424	* revalidates the exceptions based on parent's
		425	* behavior and exceptions. The exceptions that
		426	* are no longer valid will be removed.
		427	* Called with devcgroup_mutex held.
		428	* @devcg: cgroup which exceptions will be checked
		429	*
		430	* This is one of the three key functions for hierarchy implementation.
		431	* This function is responsible for re-evaluating all the cgroup's active
		432	* exceptions due to a parent's exception change.
		433	* Refer to Documentation/cgroups/devices.txt for more details.
		434	*/
		435	static void revalidate_active_exceptions(struct dev_cgroup *devcg)
		436	{
		437	struct dev_exception_item *ex;
		438	struct list_head this, tmp;
		439
		440	list_for_each_safe(this, tmp, &devcg->exceptions) {
		441	ex = container_of(this, struct dev_exception_item, list);
		442	if (!parent_has_perm(devcg, ex))
		443	dev_exception_rm(devcg, ex);
		444	}
		445	}
		446
		447	/**
		448	* get_online_devcg - walks the cgroup tree and fills a list with the online
		449	* groups
		450	* @root: cgroup used as starting point
		451	* @online: list that will be filled with online groups
		452	*
		453	* Must be called with devcgroup_mutex held. Grabs RCU lock.
		454	* Because devcgroup_mutex is held, no devcg will become online or offline
		455	* during the tree walk (see devcgroup_online, devcgroup_offline)
		456	* A separated list is needed because propagate_behavior() and
		457	* propagate_exception() need to allocate memory and can block.
		458	*/
		459	static void get_online_devcg(struct cgroup root, struct list_head online)
		460	{
		461	struct cgroup *pos;
		462	struct dev_cgroup *devcg;
		463
		464	lockdep_assert_held(&devcgroup_mutex);
		465
		466	rcu_read_lock();
		467	cgroup_for_each_descendant_pre(pos, root) {
		468	devcg = cgroup_to_devcgroup(pos);
		469	if (is_devcg_online(devcg))
		470	list_add_tail(&devcg->propagate_pending, online);
		471	}
		472	rcu_read_unlock();
		473	}
		474
		475	/**
		476	* propagate_exception - propagates a new exception to the children
		477	* @devcg_root: device cgroup that added a new exception
		478	* @ex: new exception to be propagated
		479	*
		480	* returns: 0 in case of success, != 0 in case of error
		481	*/
		482	static int propagate_exception(struct dev_cgroup *devcg_root,
		483	struct dev_exception_item *ex)
		484	{
		485	struct cgroup *root = devcg_root->css.cgroup;
		486	struct dev_cgroup devcg, parent, *tmp;
		487	int rc = 0;
		488	LIST_HEAD(pending);
		489
		490	get_online_devcg(root, &pending);
		491
		492	list_for_each_entry_safe(devcg, tmp, &pending, propagate_pending) {
		493	parent = cgroup_to_devcgroup(devcg->css.cgroup->parent);
		494
		495	/*
		496	* in case both root's behavior and devcg is allow, a new
		497	* restriction means adding to the exception list
		498	*/
		499	if (devcg_root->behavior == DEVCG_DEFAULT_ALLOW &&
		500	devcg->behavior == DEVCG_DEFAULT_ALLOW) {
		501	rc = dev_exception_add(devcg, ex);
		502	if (rc)
		503	break;
		504	} else {
		505	/*
		506	* in the other possible cases:
		507	* root's behavior: allow, devcg's: deny
		508	* root's behavior: deny, devcg's: deny
		509	* the exception will be removed
		510	*/
		511	dev_exception_rm(devcg, ex);
		512	}
		513	revalidate_active_exceptions(devcg);
		514
		515	list_del_init(&devcg->propagate_pending);
		516	}
		517	return rc;
		518	}
		519
		520	static inline bool has_children(struct dev_cgroup *devcgroup)
		521	{
		522	struct cgroup *cgrp = devcgroup->css.cgroup;
		523
		524	return !list_empty(&cgrp->children);
		525	}
		526
377	/*	527	/*
378	* Modify the exception list using allow/deny rules.	528	* Modify the exception list using allow/deny rules.
379	* CAP_SYS_ADMIN is needed for this. It's at least separate from CAP_MKNOD	529	* CAP_SYS_ADMIN is needed for this. It's at least separate from CAP_MKNOD
@@ -392,7 +542,7 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
392	{	542	{
393	const char *b;	543	const char *b;
394	char temp[12]; /* 11 + 1 characters needed for a u32 */	544	char temp[12]; /* 11 + 1 characters needed for a u32 */
395	int count, rc;	545	int count, rc = 0;
396	struct dev_exception_item ex;	546	struct dev_exception_item ex;
397	struct cgroup *p = devcgroup->css.cgroup;	547	struct cgroup *p = devcgroup->css.cgroup;
398	struct dev_cgroup *parent = NULL;	548	struct dev_cgroup *parent = NULL;
@@ -410,6 +560,9 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
410	case 'a':	560	case 'a':
411	switch (filetype) {	561	switch (filetype) {
412	case DEVCG_ALLOW:	562	case DEVCG_ALLOW:
		563	if (has_children(devcgroup))
		564	return -EINVAL;
		565
413	if (!may_allow_all(parent))	566	if (!may_allow_all(parent))
414	return -EPERM;	567	return -EPERM;
415	dev_exception_clean(devcgroup);	568	dev_exception_clean(devcgroup);
@@ -423,6 +576,9 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
423	return rc;	576	return rc;
424	break;	577	break;
425	case DEVCG_DENY:	578	case DEVCG_DENY:
		579	if (has_children(devcgroup))
		580	return -EINVAL;
		581
426	dev_exception_clean(devcgroup);	582	dev_exception_clean(devcgroup);
427	devcgroup->behavior = DEVCG_DEFAULT_DENY;	583	devcgroup->behavior = DEVCG_DEFAULT_DENY;
428	break;	584	break;
@@ -517,22 +673,28 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
517	dev_exception_rm(devcgroup, &ex);	673	dev_exception_rm(devcgroup, &ex);
518	return 0;	674	return 0;
519	}	675	}
520	return dev_exception_add(devcgroup, &ex);	676	rc = dev_exception_add(devcgroup, &ex);
		677	break;
521	case DEVCG_DENY:	678	case DEVCG_DENY:
522	/*	679	/*
523	* If the default policy is to deny by default, try to remove	680	* If the default policy is to deny by default, try to remove
524	* an matching exception instead. And be silent about it: we	681	* an matching exception instead. And be silent about it: we
525	* don't want to break compatibility	682	* don't want to break compatibility
526	*/	683	*/
527	if (devcgroup->behavior == DEVCG_DEFAULT_DENY) {	684	if (devcgroup->behavior == DEVCG_DEFAULT_DENY)
528	dev_exception_rm(devcgroup, &ex);	685	dev_exception_rm(devcgroup, &ex);
529	return 0;	686	else
530	}	687	rc = dev_exception_add(devcgroup, &ex);
531	return dev_exception_add(devcgroup, &ex);	688
		689	if (rc)
		690	break;
		691	/* we only propagate new restrictions */
		692	rc = propagate_exception(devcgroup, &ex);
		693	break;
532	default:	694	default:
533	return -EINVAL;	695	rc = -EINVAL;
534	}	696	}
535	return 0;	697	return rc;
536	}	698	}
537		699
538	static int devcgroup_access_write(struct cgroup cgrp, struct cftype cft,	700	static int devcgroup_access_write(struct cgroup cgrp, struct cftype cft,
@@ -571,17 +733,10 @@ struct cgroup_subsys devices_subsys = {
571	.can_attach = devcgroup_can_attach,	733	.can_attach = devcgroup_can_attach,
572	.css_alloc = devcgroup_css_alloc,	734	.css_alloc = devcgroup_css_alloc,
573	.css_free = devcgroup_css_free,	735	.css_free = devcgroup_css_free,
		736	.css_online = devcgroup_online,
		737	.css_offline = devcgroup_offline,
574	.subsys_id = devices_subsys_id,	738	.subsys_id = devices_subsys_id,
575	.base_cftypes = dev_cgroup_files,	739	.base_cftypes = dev_cgroup_files,
576
577	/*
578	* While devices cgroup has the rudimentary hierarchy support which
579	* checks the parent's restriction, it doesn't properly propagates
580	* config changes in ancestors to their descendents. A child
581	* should only be allowed to add more restrictions to the parent's
582	* configuration. Fix it and remove the following.
583	*/
584	.broken_hierarchy = true,
585	};	740	};
586		741
587	/**	742	/**
@@ -609,7 +764,7 @@ static int __devcgroup_check_permission(short type, u32 major, u32 minor,
609		764
610	rcu_read_lock();	765	rcu_read_lock();
611	dev_cgroup = task_devcgroup(current);	766	dev_cgroup = task_devcgroup(current);
612	rc = may_access(dev_cgroup, &ex);	767	rc = may_access(dev_cgroup, &ex, dev_cgroup->behavior);
613	rcu_read_unlock();	768	rcu_read_unlock();
614		769
615	if (!rc)	770	if (!rc)


diff --git a/security/keys/compat.c b/security/keys/compat.c index 1c261763f479..d65fa7fa29ba 100644 --- a/security/keys/compat.c +++ b/security/keys/compat.c
@@ -40,12 +40,12 @@ static long compat_keyctl_instantiate_key_iov(
40	ARRAY_SIZE(iovstack),	40	ARRAY_SIZE(iovstack),
41	iovstack, &iov);	41	iovstack, &iov);
42	if (ret < 0)	42	if (ret < 0)
43	return ret;	43	goto err;
44	if (ret == 0)	44	if (ret == 0)
45	goto no_payload_free;	45	goto no_payload_free;
46		46
47	ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid);	47	ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid);
48		48	err:
49	if (iov != iovstack)	49	if (iov != iovstack)
50	kfree(iov);	50	kfree(iov);
51	return ret;	51	return ret;


diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c index a571fad91010..42defae1e161 100644 --- a/security/keys/process_keys.c +++ b/security/keys/process_keys.c
@@ -57,7 +57,7 @@ int install_user_keyrings(void)
57		57
58	kenter("%p{%u}", user, uid);	58	kenter("%p{%u}", user, uid);
59		59
60	if (user->uid_keyring) {	60	if (user->uid_keyring && user->session_keyring) {
61	kleave(" = 0 [exist]");	61	kleave(" = 0 [exist]");
62	return 0;	62	return 0;
63	}	63	}


diff --git a/security/security.c b/security/security.c index 108281d2307a..a3dce87d1aef 100644 --- a/security/security.c +++ b/security/security.c
@@ -1290,6 +1290,11 @@ int security_tun_dev_open(void *security)
1290	}	1290	}
1291	EXPORT_SYMBOL(security_tun_dev_open);	1291	EXPORT_SYMBOL(security_tun_dev_open);
1292		1292
		1293	void security_skb_owned_by(struct sk_buff skb, struct sock sk)
		1294	{
		1295	security_ops->skb_owned_by(skb, sk);
		1296	}
		1297
1293	#endif /* CONFIG_SECURITY_NETWORK */	1298	#endif /* CONFIG_SECURITY_NETWORK */
1294		1299
1295	#ifdef CONFIG_SECURITY_NETWORK_XFRM	1300	#ifdef CONFIG_SECURITY_NETWORK_XFRM


diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3c02be3f6732..feb2f42c5a07 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -51,6 +51,7 @@
51	#include <linux/tty.h>	51	#include <linux/tty.h>
52	#include <net/icmp.h>	52	#include <net/icmp.h>
53	#include <net/ip.h> /* for local_port_range[] */	53	#include <net/ip.h> /* for local_port_range[] */
		54	#include <net/sock.h>
54	#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */	55	#include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
55	#include <net/net_namespace.h>	56	#include <net/net_namespace.h>
56	#include <net/netlabel.h>	57	#include <net/netlabel.h>
@@ -4394,6 +4395,11 @@ static void selinux_inet_conn_established(struct sock sk, struct sk_buff skb)
4394	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);	4395	selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4395	}	4396	}
4396		4397
		4398	static void selinux_skb_owned_by(struct sk_buff skb, struct sock sk)
		4399	{
		4400	skb_set_owner_w(skb, sk);
		4401	}
		4402
4397	static int selinux_secmark_relabel_packet(u32 sid)	4403	static int selinux_secmark_relabel_packet(u32 sid)
4398	{	4404	{
4399	const struct task_security_struct *__tsec;	4405	const struct task_security_struct *__tsec;
@@ -5695,6 +5701,7 @@ static struct security_operations selinux_ops = {
5695	.tun_dev_attach_queue = selinux_tun_dev_attach_queue,	5701	.tun_dev_attach_queue = selinux_tun_dev_attach_queue,
5696	.tun_dev_attach = selinux_tun_dev_attach,	5702	.tun_dev_attach = selinux_tun_dev_attach,
5697	.tun_dev_open = selinux_tun_dev_open,	5703	.tun_dev_open = selinux_tun_dev_open,
		5704	.skb_owned_by = selinux_skb_owned_by,
5698		5705
5699	#ifdef CONFIG_SECURITY_NETWORK_XFRM	5706	#ifdef CONFIG_SECURITY_NETWORK_XFRM
5700	.xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,	5707	.xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,


diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index 48665ecd1197..8ab295154517 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c
@@ -310,7 +310,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
310		310
311	if (old_ctx) {	311	if (old_ctx) {
312	new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len,	312	new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len,
313	GFP_KERNEL);	313	GFP_ATOMIC);
314	if (!new_ctx)	314	if (!new_ctx)
315	return -ENOMEM;	315	return -ENOMEM;
316		316


diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c index 23414b93771f..13c88fbcf037 100644 --- a/security/yama/yama_lsm.c +++ b/security/yama/yama_lsm.c
@@ -347,10 +347,8 @@ int yama_ptrace_traceme(struct task_struct *parent)
347	/* Only disallow PTRACE_TRACEME on more aggressive settings. */	347	/* Only disallow PTRACE_TRACEME on more aggressive settings. */
348	switch (ptrace_scope) {	348	switch (ptrace_scope) {
349	case YAMA_SCOPE_CAPABILITY:	349	case YAMA_SCOPE_CAPABILITY:
350	rcu_read_lock();	350	if (!has_ns_capability(parent, current_user_ns(), CAP_SYS_PTRACE))
351	if (!ns_capable(__task_cred(parent)->user_ns, CAP_SYS_PTRACE))
352	rc = -EPERM;	351	rc = -EPERM;
353	rcu_read_unlock();
354	break;	352	break;
355	case YAMA_SCOPE_NO_ATTACH:	353	case YAMA_SCOPE_NO_ATTACH:
356	rc = -EPERM;	354	rc = -EPERM;