7 files changed, 98 insertions, 111 deletions
diff --git a/security/apparmor/path.c b/security/apparmor/path.c
index 36cc0cc39e78..b566eba4a65c 100644
--- a/security/apparmor/path.c
+++ b/security/apparmor/path.c
@@ -57,23 +57,44 @@ static int prepend(char **buffer, int buflen, const char *str, int namelen)
 static int d_namespace_path(struct path *path, char *buf, int buflen,
                            char **name, int flags)
 {
-        struct path root, tmp;
        char *res;
-        int connected, error = 0;
+        int error = 0;
+        int connected = 1;
+        if (path->mnt->mnt_flags & MNT_INTERNAL) {
+                /* it's not mounted anywhere */
+                res = dentry_path(path->dentry, buf, buflen);
+                *name = res;
+                if (IS_ERR(res)) {
+                        *name = buf;
+                        return PTR_ERR(res);
+                }
+                if (path->dentry->d_sb->s_magic == PROC_SUPER_MAGIC &&
+                    strncmp(*name, "/sys/", 5) == 0) {
+                        /* TODO: convert over to using a per namespace
+                         * control instead of hard coded /proc
+                         */
+                        return prepend(name, *name - buf, "/proc", 5);
+                }
+                return 0;
+        }
-        /* Get the root we want to resolve too, released below */
+        /* resolve paths relative to chroot?*/
        if (flags & PATH_CHROOT_REL) {
-                /* resolve paths relative to chroot */
+                struct path root;
                get_fs_root(current->fs, &root);
-        } else {
+                res = __d_path(path, &root, buf, buflen);
-                /* resolve paths relative to namespace */
+                if (res && !IS_ERR(res)) {
-                root.mnt = current->nsproxy->mnt_ns->root;
+                        /* everything's fine */
-                root.dentry = root.mnt->mnt_root;
+                        *name = res;
-                path_get(&root);
+                        path_put(&root);
+                        goto ok;
+                }
+                path_put(&root);
+                connected = 0;
        }
-        tmp = root;
+        res = d_absolute_path(path, buf, buflen);
-        res = __d_path(path, &tmp, buf, buflen);
        *name = res;
        /* handle error conditions - and still allow a partial path to
@@ -84,7 +105,10 @@ static int d_namespace_path(struct path *path, char *buf, int buflen,
                *name = buf;
                goto out;
        }
+        if (!our_mnt(path->mnt))
+                connected = 0;
+ok:
        /* Handle two cases:
         * 1. A deleted dentry && profile is not allowing mediation of deleted
         * 2. On some filesystems, newly allocated dentries appear to the
@@ -97,10 +121,7 @@ static int d_namespace_path(struct path *path, char *buf, int buflen,
                        goto out;
        }
-        /* Determine if the path is connected to the expected root */
+        /* If the path is not connected to the expected root,
-        connected = tmp.dentry == root.dentry && tmp.mnt == root.mnt;
-        /* If the path is not connected,
         * check if it is a sysctl and handle specially else remove any
         * leading / that __d_path may have returned.
         * Unless
@@ -112,17 +133,9 @@ static int d_namespace_path(struct path *path, char *buf, int buflen,
         *     namespace root.
         */
        if (!connected) {
-                /* is the disconnect path a sysctl? */
+                if (!(flags & PATH_CONNECT_PATH) &&
-                if (tmp.dentry->d_sb->s_magic == PROC_SUPER_MAGIC &&
-                    strncmp(*name, "/sys/", 5) == 0) {
-                        /* TODO: convert over to using a per namespace
-                         * control instead of hard coded /proc
-                         */
-                        error = prepend(name, *name - buf, "/proc", 5);
-                } else if (!(flags & PATH_CONNECT_PATH) &&
                           !(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) &&
-                             (tmp.mnt == current->nsproxy->mnt_ns->root &&
+                             our_mnt(path->mnt))) {
-                              tmp.dentry == tmp.mnt->mnt_root))) {
                        /* disconnected path, don't return pathname starting
                         * with '/'
                         */
@@ -133,8 +146,6 @@ static int d_namespace_path(struct path *path, char *buf, int buflen,
        }
 out:
-        path_put(&root);
        return error;
 }
diff --git a/security/keys/encrypted-keys/Makefile b/security/keys/encrypted-keys/Makefile
index 6bc7a86d1027..d6f8433250a5 100644
--- a/security/keys/encrypted-keys/Makefile
+++ b/security/keys/encrypted-keys/Makefile
@@ -2,5 +2,9 @@
 # Makefile for encrypted keys
 #
-obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted.o ecryptfs_format.o
+obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted-keys.o
-obj-$(CONFIG_TRUSTED_KEYS) += masterkey_trusted.o
+encrypted-keys-y := encrypted.o ecryptfs_format.o
+masterkey-$(CONFIG_TRUSTED_KEYS) := masterkey_trusted.o
+masterkey-$(CONFIG_TRUSTED_KEYS)-$(CONFIG_ENCRYPTED_KEYS) := masterkey_trusted.o
+encrypted-keys-y += $(masterkey-y) $(masterkey-m-m)
diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c
index dcc843cb0f80..41144f71d615 100644
--- a/security/keys/encrypted-keys/encrypted.c
+++ b/security/keys/encrypted-keys/encrypted.c
@@ -444,7 +444,7 @@ static struct key *request_master_key(struct encrypted_key_payload *epayload,
                goto out;
        if (IS_ERR(mkey)) {
-                int ret = PTR_ERR(epayload);
+                int ret = PTR_ERR(mkey);
                if (ret == -ENOTSUPP)
                        pr_info("encrypted_key: key %s not supported",
diff --git a/security/keys/encrypted-keys/encrypted.h b/security/keys/encrypted-keys/encrypted.h
index b6ade8945250..8136a2d44c63 100644
--- a/security/keys/encrypted-keys/encrypted.h
+++ b/security/keys/encrypted-keys/encrypted.h
@@ -2,7 +2,8 @@
 #define __ENCRYPTED_KEY_H
 #define ENCRYPTED_DEBUG 0
-#ifdef CONFIG_TRUSTED_KEYS
+#if defined(CONFIG_TRUSTED_KEYS) || \
+  (defined(CONFIG_TRUSTED_KEYS_MODULE) && defined(CONFIG_ENCRYPTED_KEYS_MODULE))
 extern struct key *request_trusted_key(const char *trusted_desc,
                                       u8 **master_key, size_t *master_keylen);
 #else
diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c
index 5b366d7af3c4..69ff52c08e97 100644
--- a/security/keys/user_defined.c
+++ b/security/keys/user_defined.c
@@ -102,7 +102,8 @@ int user_update(struct key *key, const void *data, size_t datalen)
                key->expiry = 0;
        }
-        kfree_rcu(zap, rcu);
+        if (zap)
+                kfree_rcu(zap, rcu);
 error:
        return ret;
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 6aceef518a41..5c32f36ff706 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -102,9 +102,6 @@ static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT;
 const char *smack_cipso_option = SMACK_CIPSO_OPTION;
-#define SEQ_READ_FINISHED       ((loff_t)-1)
 /*
 * Values for parsing cipso rules
 * SMK_DIGITLEN: Length of a digit field in a rule.
@@ -357,10 +354,12 @@ static ssize_t smk_write_load_list(struct file *file, const char __user *buf,
        rc = count;
        /*
+         * If this is "load" as opposed to "load-self" and a new rule
+         * it needs to get added for reporting.
         * smk_set_access returns true if there was already a rule
         * for the subject/object pair, and false if it was new.
         */
-        if (!smk_set_access(rule, rule_list, rule_lock)) {
+        if (load && !smk_set_access(rule, rule_list, rule_lock)) {
                smlp = kzalloc(sizeof(*smlp), GFP_KERNEL);
                if (smlp != NULL) {
                        smlp->smk_rule = rule;
@@ -377,12 +376,12 @@ out:
        return rc;
 }
 /*
- * Seq_file read operations for /smack/load
+ * Core logic for smackfs seq list operations.
 */
-static void *load_seq_start(struct seq_file *s, loff_t *pos)
+static void *smk_seq_start(struct seq_file *s, loff_t *pos,
+                                struct list_head *head)
 {
        struct list_head *list;
@@ -390,7 +389,7 @@ static void *load_seq_start(struct seq_file *s, loff_t *pos)
         * This is 0 the first time through.
         */
        if (s->index == 0)
-                s->private = &smack_rule_list;
+                s->private = head;
        if (s->private == NULL)
                return NULL;
@@ -404,11 +403,12 @@ static void *load_seq_start(struct seq_file *s, loff_t *pos)
        return list;
 }
-static void *load_seq_next(struct seq_file *s, void *v, loff_t *pos)
+static void *smk_seq_next(struct seq_file *s, void *v, loff_t *pos,
+                                struct list_head *head)
 {
        struct list_head *list = v;
-        if (list_is_last(list, &smack_rule_list)) {
+        if (list_is_last(list, head)) {
                s->private = NULL;
                return NULL;
        }
@@ -416,6 +416,25 @@ static void *load_seq_next(struct seq_file *s, void *v, loff_t *pos)
        return list->next;
 }
+static void smk_seq_stop(struct seq_file *s, void *v)
+{
+        /* No-op */
+}
+/*
+ * Seq_file read operations for /smack/load
+ */
+static void *load_seq_start(struct seq_file *s, loff_t *pos)
+{
+        return smk_seq_start(s, pos, &smack_rule_list);
+}
+static void *load_seq_next(struct seq_file *s, void *v, loff_t *pos)
+{
+        return smk_seq_next(s, v, pos, &smack_rule_list);
+}
 static int load_seq_show(struct seq_file *s, void *v)
 {
        struct list_head *list = v;
@@ -446,16 +465,11 @@ static int load_seq_show(struct seq_file *s, void *v)
        return 0;
 }
-static void load_seq_stop(struct seq_file *s, void *v)
-{
-        /* No-op */
-}
 static const struct seq_operations load_seq_ops = {
        .start = load_seq_start,
        .next  = load_seq_next,
        .show  = load_seq_show,
-        .stop  = load_seq_stop,
+        .stop  = smk_seq_stop,
 };
 /**
@@ -574,28 +588,12 @@ static void smk_unlbl_ambient(char *oldambient)
 static void *cipso_seq_start(struct seq_file *s, loff_t *pos)
 {
-        if (*pos == SEQ_READ_FINISHED)
+        return smk_seq_start(s, pos, &smack_known_list);
-                return NULL;
-        if (list_empty(&smack_known_list))
-                return NULL;
-        return smack_known_list.next;
 }
 static void *cipso_seq_next(struct seq_file *s, void *v, loff_t *pos)
 {
-        struct list_head  *list = v;
+        return smk_seq_next(s, v, pos, &smack_known_list);
-        /*
-         * labels with no associated cipso value wont be printed
-         * in cipso_seq_show
-         */
-        if (list_is_last(list, &smack_known_list)) {
-                *pos = SEQ_READ_FINISHED;
-                return NULL;
-        }
-        return list->next;
 }
 /*
@@ -634,16 +632,11 @@ static int cipso_seq_show(struct seq_file *s, void *v)
        return 0;
 }
-static void cipso_seq_stop(struct seq_file *s, void *v)
-{
-        /* No-op */
-}
 static const struct seq_operations cipso_seq_ops = {
        .start = cipso_seq_start,
-        .stop  = cipso_seq_stop,
        .next  = cipso_seq_next,
        .show  = cipso_seq_show,
+        .stop  = smk_seq_stop,
 };
 /**
@@ -788,23 +781,12 @@ static const struct file_operations smk_cipso_ops = {
 static void *netlbladdr_seq_start(struct seq_file *s, loff_t *pos)
 {
-        if (*pos == SEQ_READ_FINISHED)
+        return smk_seq_start(s, pos, &smk_netlbladdr_list);
-                return NULL;
-        if (list_empty(&smk_netlbladdr_list))
-                return NULL;
-        return smk_netlbladdr_list.next;
 }
 static void *netlbladdr_seq_next(struct seq_file *s, void *v, loff_t *pos)
 {
-        struct list_head *list = v;
+        return smk_seq_next(s, v, pos, &smk_netlbladdr_list);
-        if (list_is_last(list, &smk_netlbladdr_list)) {
-                *pos = SEQ_READ_FINISHED;
-                return NULL;
-        }
-        return list->next;
 }
 #define BEBITS  (sizeof(__be32) * 8)
@@ -828,16 +810,11 @@ static int netlbladdr_seq_show(struct seq_file *s, void *v)
        return 0;
 }
-static void netlbladdr_seq_stop(struct seq_file *s, void *v)
-{
-        /* No-op */
-}
 static const struct seq_operations netlbladdr_seq_ops = {
        .start = netlbladdr_seq_start,
-        .stop  = netlbladdr_seq_stop,
        .next  = netlbladdr_seq_next,
        .show  = netlbladdr_seq_show,
+        .stop  = smk_seq_stop,
 };
 /**
@@ -1405,23 +1382,14 @@ static void *load_self_seq_start(struct seq_file *s, loff_t *pos)
 {
        struct task_smack *tsp = current_security();
-        if (*pos == SEQ_READ_FINISHED)
+        return smk_seq_start(s, pos, &tsp->smk_rules);
-                return NULL;
-        if (list_empty(&tsp->smk_rules))
-                return NULL;
-        return tsp->smk_rules.next;
 }
 static void *load_self_seq_next(struct seq_file *s, void *v, loff_t *pos)
 {
        struct task_smack *tsp = current_security();
-        struct list_head *list = v;
-        if (list_is_last(list, &tsp->smk_rules)) {
+        return smk_seq_next(s, v, pos, &tsp->smk_rules);
-                *pos = SEQ_READ_FINISHED;
-                return NULL;
-        }
-        return list->next;
 }
 static int load_self_seq_show(struct seq_file *s, void *v)
@@ -1453,16 +1421,11 @@ static int load_self_seq_show(struct seq_file *s, void *v)
        return 0;
 }
-static void load_self_seq_stop(struct seq_file *s, void *v)
-{
-        /* No-op */
-}
 static const struct seq_operations load_self_seq_ops = {
        .start = load_self_seq_start,
        .next  = load_self_seq_next,
        .show  = load_self_seq_show,
-        .stop  = load_self_seq_stop,
+        .stop  = smk_seq_stop,
 };
diff --git a/security/tomoyo/realpath.c b/security/tomoyo/realpath.c
index 738bbdf8d4c7..d9f3ced8756e 100644
--- a/security/tomoyo/realpath.c
+++ b/security/tomoyo/realpath.c
@@ -101,9 +101,8 @@ static char *tomoyo_get_absolute_path(struct path *path, char * const buffer,
 {
        char *pos = ERR_PTR(-ENOMEM);
        if (buflen >= 256) {
-                struct path ns_root = { };
                /* go to whatever namespace root we are under */
-                pos = __d_path(path, &ns_root, buffer, buflen - 1);
+                pos = d_absolute_path(path, buffer, buflen - 1);
                if (!IS_ERR(pos) && *pos == '/' && pos[1]) {
                        struct inode *inode = path->dentry->d_inode;
                        if (inode && S_ISDIR(inode->i_mode)) {
@@ -294,8 +293,16 @@ char *tomoyo_realpath_from_path(struct path *path)
                        pos = tomoyo_get_local_path(path->dentry, buf,
                                                    buf_len - 1);
                /* Get absolute name for the rest. */
-                else
+                else {
                        pos = tomoyo_get_absolute_path(path, buf, buf_len - 1);
+                        /*
+                         * Fall back to local name if absolute name is not
+                         * available.
+                         */
+                        if (pos == ERR_PTR(-EINVAL))
+                                pos = tomoyo_get_local_path(path->dentry, buf,
+                                                            buf_len - 1);
+                }
 encode:
                if (IS_ERR(pos))
                        continue;

diff --git a/security/apparmor/path.c b/security/apparmor/path.c index 36cc0cc39e78..b566eba4a65c 100644 --- a/security/apparmor/path.c +++ b/security/apparmor/path.c
@@ -57,23 +57,44 @@ static int prepend(char *buffer, int buflen, const char str, int namelen)
57	static int d_namespace_path(struct path path, char buf, int buflen,	57	static int d_namespace_path(struct path path, char buf, int buflen,
58	char **name, int flags)	58	char **name, int flags)
59	{	59	{
60	struct path root, tmp;
61	char *res;	60	char *res;
62	int connected, error = 0;	61	int error = 0;
		62	int connected = 1;
		63
		64	if (path->mnt->mnt_flags & MNT_INTERNAL) {
		65	/* it's not mounted anywhere */
		66	res = dentry_path(path->dentry, buf, buflen);
		67	*name = res;
		68	if (IS_ERR(res)) {
		69	*name = buf;
		70	return PTR_ERR(res);
		71	}
		72	if (path->dentry->d_sb->s_magic == PROC_SUPER_MAGIC &&
		73	strncmp(*name, "/sys/", 5) == 0) {
		74	/* TODO: convert over to using a per namespace
		75	* control instead of hard coded /proc
		76	*/
		77	return prepend(name, *name - buf, "/proc", 5);
		78	}
		79	return 0;
		80	}
63		81
64	/* Get the root we want to resolve too, released below */	82	/* resolve paths relative to chroot?*/
65	if (flags & PATH_CHROOT_REL) {	83	if (flags & PATH_CHROOT_REL) {
66	/* resolve paths relative to chroot */	84	struct path root;
67	get_fs_root(current->fs, &root);	85	get_fs_root(current->fs, &root);
68	} else {	86	res = __d_path(path, &root, buf, buflen);
69	/* resolve paths relative to namespace */	87	if (res && !IS_ERR(res)) {
70	root.mnt = current->nsproxy->mnt_ns->root;	88	/* everything's fine */
71	root.dentry = root.mnt->mnt_root;	89	*name = res;
72	path_get(&root);	90	path_put(&root);
		91	goto ok;
		92	}
		93	path_put(&root);
		94	connected = 0;
73	}	95	}
74		96
75	tmp = root;	97	res = d_absolute_path(path, buf, buflen);
76	res = __d_path(path, &tmp, buf, buflen);
77		98
78	*name = res;	99	*name = res;
79	/* handle error conditions - and still allow a partial path to	100	/* handle error conditions - and still allow a partial path to
@@ -84,7 +105,10 @@ static int d_namespace_path(struct path path, char buf, int buflen,
84	*name = buf;	105	*name = buf;
85	goto out;	106	goto out;
86	}	107	}
		108	if (!our_mnt(path->mnt))
		109	connected = 0;
87		110
		111	ok:
88	/* Handle two cases:	112	/* Handle two cases:
89	* 1. A deleted dentry && profile is not allowing mediation of deleted	113	* 1. A deleted dentry && profile is not allowing mediation of deleted
90	* 2. On some filesystems, newly allocated dentries appear to the	114	* 2. On some filesystems, newly allocated dentries appear to the
@@ -97,10 +121,7 @@ static int d_namespace_path(struct path path, char buf, int buflen,
97	goto out;	121	goto out;
98	}	122	}
99		123
100	/* Determine if the path is connected to the expected root */	124	/* If the path is not connected to the expected root,
101	connected = tmp.dentry == root.dentry && tmp.mnt == root.mnt;
102
103	/* If the path is not connected,
104	* check if it is a sysctl and handle specially else remove any	125	* check if it is a sysctl and handle specially else remove any
105	* leading / that __d_path may have returned.	126	* leading / that __d_path may have returned.
106	* Unless	127	* Unless
@@ -112,17 +133,9 @@ static int d_namespace_path(struct path path, char buf, int buflen,
112	* namespace root.	133	* namespace root.
113	*/	134	*/
114	if (!connected) {	135	if (!connected) {
115	/* is the disconnect path a sysctl? */	136	if (!(flags & PATH_CONNECT_PATH) &&
116	if (tmp.dentry->d_sb->s_magic == PROC_SUPER_MAGIC &&
117	strncmp(*name, "/sys/", 5) == 0) {
118	/* TODO: convert over to using a per namespace
119	* control instead of hard coded /proc
120	*/
121	error = prepend(name, *name - buf, "/proc", 5);
122	} else if (!(flags & PATH_CONNECT_PATH) &&
123	!(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) &&	137	!(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) &&
124	(tmp.mnt == current->nsproxy->mnt_ns->root &&	138	our_mnt(path->mnt))) {
125	tmp.dentry == tmp.mnt->mnt_root))) {
126	/* disconnected path, don't return pathname starting	139	/* disconnected path, don't return pathname starting
127	* with '/'	140	* with '/'
128	*/	141	*/
@@ -133,8 +146,6 @@ static int d_namespace_path(struct path path, char buf, int buflen,
133	}	146	}
134		147
135	out:	148	out:
136	path_put(&root);
137
138	return error;	149	return error;
139	}	150	}
140		151


diff --git a/security/keys/encrypted-keys/Makefile b/security/keys/encrypted-keys/Makefile index 6bc7a86d1027..d6f8433250a5 100644 --- a/security/keys/encrypted-keys/Makefile +++ b/security/keys/encrypted-keys/Makefile
@@ -2,5 +2,9 @@
2	# Makefile for encrypted keys	2	# Makefile for encrypted keys
3	#	3	#
4		4
5	obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted.o ecryptfs_format.o	5	obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted-keys.o
6	obj-$(CONFIG_TRUSTED_KEYS) += masterkey_trusted.o	6
		7	encrypted-keys-y := encrypted.o ecryptfs_format.o
		8	masterkey-$(CONFIG_TRUSTED_KEYS) := masterkey_trusted.o
		9	masterkey-$(CONFIG_TRUSTED_KEYS)-$(CONFIG_ENCRYPTED_KEYS) := masterkey_trusted.o
		10	encrypted-keys-y += $(masterkey-y) $(masterkey-m-m)


diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c index dcc843cb0f80..41144f71d615 100644 --- a/security/keys/encrypted-keys/encrypted.c +++ b/security/keys/encrypted-keys/encrypted.c
@@ -444,7 +444,7 @@ static struct key request_master_key(struct encrypted_key_payload epayload,
444	goto out;	444	goto out;
445		445
446	if (IS_ERR(mkey)) {	446	if (IS_ERR(mkey)) {
447	int ret = PTR_ERR(epayload);	447	int ret = PTR_ERR(mkey);
448		448
449	if (ret == -ENOTSUPP)	449	if (ret == -ENOTSUPP)
450	pr_info("encrypted_key: key %s not supported",	450	pr_info("encrypted_key: key %s not supported",


diff --git a/security/keys/encrypted-keys/encrypted.h b/security/keys/encrypted-keys/encrypted.h index b6ade8945250..8136a2d44c63 100644 --- a/security/keys/encrypted-keys/encrypted.h +++ b/security/keys/encrypted-keys/encrypted.h
@@ -2,7 +2,8 @@
2	#define __ENCRYPTED_KEY_H	2	#define __ENCRYPTED_KEY_H
3		3
4	#define ENCRYPTED_DEBUG 0	4	#define ENCRYPTED_DEBUG 0
5	#ifdef CONFIG_TRUSTED_KEYS	5	#if defined(CONFIG_TRUSTED_KEYS) \|\| \
		6	(defined(CONFIG_TRUSTED_KEYS_MODULE) && defined(CONFIG_ENCRYPTED_KEYS_MODULE))
6	extern struct key request_trusted_key(const char trusted_desc,	7	extern struct key request_trusted_key(const char trusted_desc,
7	u8 *master_key, size_t master_keylen);	8	u8 *master_key, size_t master_keylen);
8	#else	9	#else


diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c index 5b366d7af3c4..69ff52c08e97 100644 --- a/security/keys/user_defined.c +++ b/security/keys/user_defined.c
@@ -102,7 +102,8 @@ int user_update(struct key key, const void data, size_t datalen)
102	key->expiry = 0;	102	key->expiry = 0;
103	}	103	}
104		104
105	kfree_rcu(zap, rcu);	105	if (zap)
		106	kfree_rcu(zap, rcu);
106		107
107	error:	108	error:
108	return ret;	109	return ret;


diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 6aceef518a41..5c32f36ff706 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c
@@ -102,9 +102,6 @@ static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT;
102		102
103	const char *smack_cipso_option = SMACK_CIPSO_OPTION;	103	const char *smack_cipso_option = SMACK_CIPSO_OPTION;
104		104
105
106	#define SEQ_READ_FINISHED ((loff_t)-1)
107
108	/*	105	/*
109	* Values for parsing cipso rules	106	* Values for parsing cipso rules
110	* SMK_DIGITLEN: Length of a digit field in a rule.	107	* SMK_DIGITLEN: Length of a digit field in a rule.
@@ -357,10 +354,12 @@ static ssize_t smk_write_load_list(struct file file, const char __user buf,
357		354
358	rc = count;	355	rc = count;
359	/*	356	/*
		357	* If this is "load" as opposed to "load-self" and a new rule
		358	* it needs to get added for reporting.
360	* smk_set_access returns true if there was already a rule	359	* smk_set_access returns true if there was already a rule
361	* for the subject/object pair, and false if it was new.	360	* for the subject/object pair, and false if it was new.
362	*/	361	*/
363	if (!smk_set_access(rule, rule_list, rule_lock)) {	362	if (load && !smk_set_access(rule, rule_list, rule_lock)) {
364	smlp = kzalloc(sizeof(*smlp), GFP_KERNEL);	363	smlp = kzalloc(sizeof(*smlp), GFP_KERNEL);
365	if (smlp != NULL) {	364	if (smlp != NULL) {
366	smlp->smk_rule = rule;	365	smlp->smk_rule = rule;
@@ -377,12 +376,12 @@ out:
377	return rc;	376	return rc;
378	}	377	}
379		378
380
381	/*	379	/*
382	* Seq_file read operations for /smack/load	380	* Core logic for smackfs seq list operations.
383	*/	381	*/
384		382
385	static void load_seq_start(struct seq_file s, loff_t *pos)	383	static void smk_seq_start(struct seq_file s, loff_t *pos,
		384	struct list_head *head)
386	{	385	{
387	struct list_head *list;	386	struct list_head *list;
388		387
@@ -390,7 +389,7 @@ static void load_seq_start(struct seq_file s, loff_t *pos)
390	* This is 0 the first time through.	389	* This is 0 the first time through.
391	*/	390	*/
392	if (s->index == 0)	391	if (s->index == 0)
393	s->private = &smack_rule_list;	392	s->private = head;
394		393
395	if (s->private == NULL)	394	if (s->private == NULL)
396	return NULL;	395	return NULL;
@@ -404,11 +403,12 @@ static void load_seq_start(struct seq_file s, loff_t *pos)
404	return list;	403	return list;
405	}	404	}
406		405
407	static void load_seq_next(struct seq_file s, void v, loff_t pos)	406	static void smk_seq_next(struct seq_file s, void v, loff_t pos,
		407	struct list_head *head)
408	{	408	{
409	struct list_head *list = v;	409	struct list_head *list = v;
410		410
411	if (list_is_last(list, &smack_rule_list)) {	411	if (list_is_last(list, head)) {
412	s->private = NULL;	412	s->private = NULL;
413	return NULL;	413	return NULL;
414	}	414	}
@@ -416,6 +416,25 @@ static void load_seq_next(struct seq_file s, void v, loff_t pos)
416	return list->next;	416	return list->next;
417	}	417	}
418		418
		419	static void smk_seq_stop(struct seq_file s, void v)
		420	{
		421	/* No-op */
		422	}
		423
		424	/*
		425	* Seq_file read operations for /smack/load
		426	*/
		427
		428	static void load_seq_start(struct seq_file s, loff_t *pos)
		429	{
		430	return smk_seq_start(s, pos, &smack_rule_list);
		431	}
		432
		433	static void load_seq_next(struct seq_file s, void v, loff_t pos)
		434	{
		435	return smk_seq_next(s, v, pos, &smack_rule_list);
		436	}
		437
419	static int load_seq_show(struct seq_file s, void v)	438	static int load_seq_show(struct seq_file s, void v)
420	{	439	{
421	struct list_head *list = v;	440	struct list_head *list = v;
@@ -446,16 +465,11 @@ static int load_seq_show(struct seq_file s, void v)
446	return 0;	465	return 0;
447	}	466	}
448		467
449	static void load_seq_stop(struct seq_file s, void v)
450	{
451	/* No-op */
452	}
453
454	static const struct seq_operations load_seq_ops = {	468	static const struct seq_operations load_seq_ops = {
455	.start = load_seq_start,	469	.start = load_seq_start,
456	.next = load_seq_next,	470	.next = load_seq_next,
457	.show = load_seq_show,	471	.show = load_seq_show,
458	.stop = load_seq_stop,	472	.stop = smk_seq_stop,
459	};	473	};
460		474
461	/**	475	/**
@@ -574,28 +588,12 @@ static void smk_unlbl_ambient(char *oldambient)
574		588
575	static void cipso_seq_start(struct seq_file s, loff_t *pos)	589	static void cipso_seq_start(struct seq_file s, loff_t *pos)
576	{	590	{
577	if (*pos == SEQ_READ_FINISHED)	591	return smk_seq_start(s, pos, &smack_known_list);
578	return NULL;
579	if (list_empty(&smack_known_list))
580	return NULL;
581
582	return smack_known_list.next;
583	}	592	}
584		593
585	static void cipso_seq_next(struct seq_file s, void v, loff_t pos)	594	static void cipso_seq_next(struct seq_file s, void v, loff_t pos)
586	{	595	{
587	struct list_head *list = v;	596	return smk_seq_next(s, v, pos, &smack_known_list);
588
589	/*
590	* labels with no associated cipso value wont be printed
591	* in cipso_seq_show
592	*/
593	if (list_is_last(list, &smack_known_list)) {
594	*pos = SEQ_READ_FINISHED;
595	return NULL;
596	}
597
598	return list->next;
599	}	597	}
600		598
601	/*	599	/*
@@ -634,16 +632,11 @@ static int cipso_seq_show(struct seq_file s, void v)
634	return 0;	632	return 0;
635	}	633	}
636		634
637	static void cipso_seq_stop(struct seq_file s, void v)
638	{
639	/* No-op */
640	}
641
642	static const struct seq_operations cipso_seq_ops = {	635	static const struct seq_operations cipso_seq_ops = {
643	.start = cipso_seq_start,	636	.start = cipso_seq_start,
644	.stop = cipso_seq_stop,
645	.next = cipso_seq_next,	637	.next = cipso_seq_next,
646	.show = cipso_seq_show,	638	.show = cipso_seq_show,
		639	.stop = smk_seq_stop,
647	};	640	};
648		641
649	/**	642	/**
@@ -788,23 +781,12 @@ static const struct file_operations smk_cipso_ops = {
788		781
789	static void netlbladdr_seq_start(struct seq_file s, loff_t *pos)	782	static void netlbladdr_seq_start(struct seq_file s, loff_t *pos)
790	{	783	{
791	if (*pos == SEQ_READ_FINISHED)	784	return smk_seq_start(s, pos, &smk_netlbladdr_list);
792	return NULL;
793	if (list_empty(&smk_netlbladdr_list))
794	return NULL;
795	return smk_netlbladdr_list.next;
796	}	785	}
797		786
798	static void netlbladdr_seq_next(struct seq_file s, void v, loff_t pos)	787	static void netlbladdr_seq_next(struct seq_file s, void v, loff_t pos)
799	{	788	{
800	struct list_head *list = v;	789	return smk_seq_next(s, v, pos, &smk_netlbladdr_list);
801
802	if (list_is_last(list, &smk_netlbladdr_list)) {
803	*pos = SEQ_READ_FINISHED;
804	return NULL;
805	}
806
807	return list->next;
808	}	790	}
809	#define BEBITS (sizeof(__be32) * 8)	791	#define BEBITS (sizeof(__be32) * 8)
810		792
@@ -828,16 +810,11 @@ static int netlbladdr_seq_show(struct seq_file s, void v)
828	return 0;	810	return 0;
829	}	811	}
830		812
831	static void netlbladdr_seq_stop(struct seq_file s, void v)
832	{
833	/* No-op */
834	}
835
836	static const struct seq_operations netlbladdr_seq_ops = {	813	static const struct seq_operations netlbladdr_seq_ops = {
837	.start = netlbladdr_seq_start,	814	.start = netlbladdr_seq_start,
838	.stop = netlbladdr_seq_stop,
839	.next = netlbladdr_seq_next,	815	.next = netlbladdr_seq_next,
840	.show = netlbladdr_seq_show,	816	.show = netlbladdr_seq_show,
		817	.stop = smk_seq_stop,
841	};	818	};
842		819
843	/**	820	/**
@@ -1405,23 +1382,14 @@ static void load_self_seq_start(struct seq_file s, loff_t *pos)
1405	{	1382	{
1406	struct task_smack *tsp = current_security();	1383	struct task_smack *tsp = current_security();
1407		1384
1408	if (*pos == SEQ_READ_FINISHED)	1385	return smk_seq_start(s, pos, &tsp->smk_rules);
1409	return NULL;
1410	if (list_empty(&tsp->smk_rules))
1411	return NULL;
1412	return tsp->smk_rules.next;
1413	}	1386	}
1414		1387
1415	static void load_self_seq_next(struct seq_file s, void v, loff_t pos)	1388	static void load_self_seq_next(struct seq_file s, void v, loff_t pos)
1416	{	1389	{
1417	struct task_smack *tsp = current_security();	1390	struct task_smack *tsp = current_security();
1418	struct list_head *list = v;
1419		1391
1420	if (list_is_last(list, &tsp->smk_rules)) {	1392	return smk_seq_next(s, v, pos, &tsp->smk_rules);
1421	*pos = SEQ_READ_FINISHED;
1422	return NULL;
1423	}
1424	return list->next;
1425	}	1393	}
1426		1394
1427	static int load_self_seq_show(struct seq_file s, void v)	1395	static int load_self_seq_show(struct seq_file s, void v)
@@ -1453,16 +1421,11 @@ static int load_self_seq_show(struct seq_file s, void v)
1453	return 0;	1421	return 0;
1454	}	1422	}
1455		1423
1456	static void load_self_seq_stop(struct seq_file s, void v)
1457	{
1458	/* No-op */
1459	}
1460
1461	static const struct seq_operations load_self_seq_ops = {	1424	static const struct seq_operations load_self_seq_ops = {
1462	.start = load_self_seq_start,	1425	.start = load_self_seq_start,
1463	.next = load_self_seq_next,	1426	.next = load_self_seq_next,
1464	.show = load_self_seq_show,	1427	.show = load_self_seq_show,
1465	.stop = load_self_seq_stop,	1428	.stop = smk_seq_stop,
1466	};	1429	};
1467		1430
1468		1431


diff --git a/security/tomoyo/realpath.c b/security/tomoyo/realpath.c index 738bbdf8d4c7..d9f3ced8756e 100644 --- a/security/tomoyo/realpath.c +++ b/security/tomoyo/realpath.c
@@ -101,9 +101,8 @@ static char tomoyo_get_absolute_path(struct path path, char * const buffer,
101	{	101	{
102	char *pos = ERR_PTR(-ENOMEM);	102	char *pos = ERR_PTR(-ENOMEM);
103	if (buflen >= 256) {	103	if (buflen >= 256) {
104	struct path ns_root = { };
105	/* go to whatever namespace root we are under */	104	/* go to whatever namespace root we are under */
106	pos = __d_path(path, &ns_root, buffer, buflen - 1);	105	pos = d_absolute_path(path, buffer, buflen - 1);
107	if (!IS_ERR(pos) && *pos == '/' && pos[1]) {	106	if (!IS_ERR(pos) && *pos == '/' && pos[1]) {
108	struct inode *inode = path->dentry->d_inode;	107	struct inode *inode = path->dentry->d_inode;
109	if (inode && S_ISDIR(inode->i_mode)) {	108	if (inode && S_ISDIR(inode->i_mode)) {
@@ -294,8 +293,16 @@ char tomoyo_realpath_from_path(struct path path)
294	pos = tomoyo_get_local_path(path->dentry, buf,	293	pos = tomoyo_get_local_path(path->dentry, buf,
295	buf_len - 1);	294	buf_len - 1);
296	/* Get absolute name for the rest. */	295	/* Get absolute name for the rest. */
297	else	296	else {
298	pos = tomoyo_get_absolute_path(path, buf, buf_len - 1);	297	pos = tomoyo_get_absolute_path(path, buf, buf_len - 1);
		298	/*
		299	* Fall back to local name if absolute name is not
		300	* available.
		301	*/
		302	if (pos == ERR_PTR(-EINVAL))
		303	pos = tomoyo_get_local_path(path->dentry, buf,
		304	buf_len - 1);
		305	}
299	encode:	306	encode:
300	if (IS_ERR(pos))	307	if (IS_ERR(pos))
301	continue;	308	continue;