--- v26
+++ v25
@@ -54,13 +54,13 @@
25 files changed, 274 insertions(+), 107 deletions(-)
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
-index f2a27bbbbe4d..7818c0fe0f38 100644
+index 4c810ea52ab7..28f573d46391 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
-@@ -2722,7 +2722,7 @@ static void binder_transaction(struct binder_proc *proc,
- * case well anyway.
- */
- security_task_getsecid_obj(proc->tsk, &blob);
+@@ -2700,7 +2700,7 @@ static void binder_transaction(struct binder_proc *proc,
+ size_t added_size;
+
+ security_task_getsecid(proc->tsk, &blob);
- ret = security_secid_to_secctx(&blob, &lsmctx);
+ ret = security_secid_to_secctx(&blob, &lsmctx, LSMBLOB_DISPLAY);
if (ret) {
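Review bot: The file headers read `--- v26` / `+++ v25`, so the `+` side of this hunk is the earlier revision: it reintroduces the pre-split `security_task_getsecid(proc->tsk, &blob)` and the `LSMBLOB_DISPLAY` argument to `security_secid_to_secctx()` that the v26 side has already dropped. If the intent is to review v26 against v25 the diff direction appears reversed and the cover text should say so, because read literally the hunk moves binder_transaction() back to the unified getsecid call even though `proc->tsk` here is the task whose label is being exported to another process, which is presumably what the v26 `_obj` variant is meant to encode. The same reversed rename (`security_task_getsecid_subj` → `security_task_getsecid` on `current`) appears in the netlabel hunks at `@@ -915,10 +915,10 @@` and `@@ -976,18 +976,18 @@`. binder_transaction() starts and ends outside the hunk, so the matching `security_release_secctx()` path for `lsmctx` is not visible here.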
@@ -144,7 +144,7 @@
{
return 0;
diff --git a/include/linux/security.h b/include/linux/security.h
-index 0129400ff6e9..ddab456e93d3 100644
+index 9dcc910036f4..d2fcbc20d764 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -182,6 +182,8 @@ struct lsmblob {
@@ -172,7 +172,7 @@
/* These functions are in security/commoncap.c */
extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
int cap, unsigned int opts);
-@@ -578,7 +589,8 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
+@@ -575,7 +586,8 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
size_t size);
int security_netlink_send(struct sock *sk, struct sk_buff *skb);
int security_ismaclabel(const char *name);
@@ -182,7 +182,7 @@
int security_secctx_to_secid(const char *secdata, u32 seclen,
struct lsmblob *blob);
void security_release_secctx(struct lsmcontext *cp);
-@@ -1433,7 +1445,7 @@ static inline int security_ismaclabel(const char *name)
+@@ -1414,7 +1426,7 @@ static inline int security_ismaclabel(const char *name)
}
static inline int security_secid_to_secctx(struct lsmblob *blob,
@@ -219,7 +219,7 @@
if (!err) {
put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, context.len,
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
-index c58a6d4eb610..f8ad20d34498 100644
+index b2a06f10b62c..bfe3ba2a5233 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -669,13 +669,22 @@ struct xfrm_spi_skb_cb {
@@ -260,7 +260,7 @@
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
#define AUDIT_LAST_KERN_ANOM_MSG 1799
diff --git a/kernel/audit.c b/kernel/audit.c
-index 841123390d41..60c027d7759c 100644
+index a8dc5f55cfa3..5b29a350df78 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -386,10 +386,12 @@ void audit_log_lost(const char *message)
@@ -513,7 +513,7 @@
* audit_log - Log an audit record
* @ctx: audit context
diff --git a/kernel/audit.h b/kernel/audit.h
-index 27ef690afd30..5ad0c6819aa8 100644
+index 3f2285e1c6e0..4f245c3dac0c 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -100,6 +100,7 @@ struct audit_context {
@@ -541,7 +541,7 @@
extern int auditd_test_task(struct task_struct *task);
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
-index 1ba14a7a38f7..be59ca46b0a2 100644
+index 9e73a7961665..2b0a6fda767d 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1098,12 +1098,14 @@ static void audit_list_rules(int seq, struct sk_buff_head *q)
@@ -570,10 +570,10 @@
/**
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
-index d4e061f95da8..55509faf5341 100644
+index 8994d4f4672e..4d0f3fa0bcb0 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
-@@ -940,6 +940,7 @@ static inline struct audit_context *audit_alloc_context(enum audit_state state,
+@@ -942,6 +942,7 @@ static inline struct audit_context *audit_alloc_context(enum audit_state state,
INIT_LIST_HEAD(&context->names_list);
context->fds[0] = -1;
context->return_valid = AUDITSC_INVALID;
@@ -581,7 +581,7 @@
return context;
}
-@@ -987,12 +988,11 @@ struct audit_context *audit_alloc_local(gfp_t gfpflags)
+@@ -989,12 +990,11 @@ struct audit_context *audit_alloc_local(gfp_t gfpflags)
context = audit_alloc_context(AUDIT_RECORD_CONTEXT, gfpflags);
if (!context) {
audit_log_lost("out of memory in audit_alloc_local");
@@ -595,7 +595,7 @@
return context;
}
EXPORT_SYMBOL(audit_alloc_local);
-@@ -1013,6 +1013,13 @@ void audit_free_context(struct audit_context *context)
+@@ -1015,6 +1015,13 @@ void audit_free_context(struct audit_context *context)
}
EXPORT_SYMBOL(audit_free_context);
@@ -609,7 +609,7 @@
static int audit_log_pid_context(struct audit_context *context, pid_t pid,
kuid_t auid, kuid_t uid,
unsigned int sessionid,
-@@ -1030,7 +1037,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
+@@ -1032,7 +1039,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
from_kuid(&init_user_ns, auid),
from_kuid(&init_user_ns, uid), sessionid);
if (lsmblob_is_set(blob)) {
@@ -618,7 +618,7 @@
audit_log_format(ab, " obj=(none)");
rc = 1;
} else {
-@@ -1275,7 +1282,8 @@ static void show_special(struct audit_context *context, int *call_panic)
+@@ -1277,7 +1284,8 @@ static void show_special(struct audit_context *context, int *call_panic)
struct lsmblob blob;
lsmblob_init(&blob, osid);
@@ -628,7 +628,7 @@
audit_log_format(ab, " osid=%u", osid);
*call_panic = 1;
} else {
-@@ -1430,7 +1438,7 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
+@@ -1432,7 +1440,7 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
struct lsmcontext lsmctx;
lsmblob_init(&blob, n->osid);
@@ -637,7 +637,7 @@
audit_log_format(ab, " osid=%u", n->osid);
if (call_panic)
*call_panic = 2;
-@@ -1504,6 +1512,47 @@ static void audit_log_proctitle(void)
+@@ -1506,6 +1514,47 @@ static void audit_log_proctitle(void)
audit_log_end(ab);
}
@@ -685,7 +685,7 @@
static void audit_log_exit(void)
{
int i, call_panic = 0;
-@@ -1538,6 +1587,8 @@ static void audit_log_exit(void)
+@@ -1540,6 +1589,8 @@ static void audit_log_exit(void)
audit_log_key(ab, context->filterkey);
audit_log_end(ab);
@@ -694,7 +694,7 @@
for (aux = context->aux; aux; aux = aux->next) {
ab = audit_log_start(context, GFP_KERNEL, aux->type);
-@@ -1628,6 +1679,8 @@ static void audit_log_exit(void)
+@@ -1630,6 +1681,8 @@ static void audit_log_exit(void)
audit_log_proctitle();
@@ -703,7 +703,7 @@
/* Send end of event record to help user space know we are finished */
ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
if (ab)
-@@ -2619,10 +2672,12 @@ void __audit_ntp_log(const struct audit_ntp_data *ad)
+@@ -2622,10 +2675,12 @@ void __audit_ntp_log(const struct audit_ntp_data *ad)
void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries,
enum audit_nfcfgop op, gfp_t gfp)
{
@@ -717,7 +717,7 @@
if (!ab)
return;
audit_log_format(ab, "table=%s family=%u entries=%u op=%s",
-@@ -2632,7 +2687,7 @@ void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries,
+@@ -2635,7 +2690,7 @@ void __audit_log_nfcfg(const char *name, u8 af, unsigned int nentries,
audit_log_task_context(ab); /* subj= */
audit_log_format(ab, " comm=");
audit_log_untrustedstring(ab, get_task_comm(comm, current));
@@ -726,7 +726,7 @@
}
EXPORT_SYMBOL_GPL(__audit_log_nfcfg);
-@@ -2667,6 +2722,7 @@ static void audit_log_task(struct audit_buffer *ab)
+@@ -2670,6 +2725,7 @@ static void audit_log_task(struct audit_buffer *ab)
*/
void audit_core_dumps(long signr)
{
@@ -734,7 +734,7 @@
struct audit_buffer *ab;
if (!audit_enabled)
-@@ -2675,12 +2731,13 @@ void audit_core_dumps(long signr)
+@@ -2678,12 +2734,13 @@ void audit_core_dumps(long signr)
if (signr == SIGQUIT) /* don't care for those */
return;
@@ -764,7 +764,7 @@
return;
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
-index 215d3f9e9715..60539221e023 100644
+index f14c0049d7cc..21d250ef81b4 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -344,7 +344,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
@@ -776,7 +776,7 @@
if (ret)
return 0;
-@@ -655,7 +655,7 @@ static inline int ctnetlink_secctx_size(const struct nf_conn *ct)
+@@ -660,7 +660,7 @@ static inline int ctnetlink_secctx_size(const struct nf_conn *ct)
struct lsmblob blob;
struct lsmcontext context;
@@ -786,7 +786,7 @@
return 0;
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
-index df6043d1bc22..861106a5f605 100644
+index 241089cb7e20..b53ef27b57fe 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -177,7 +177,7 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
@@ -799,7 +799,7 @@
return;
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
-index bf8db099090b..90ecf03b35ba 100644
+index 56784592c820..cb4d02199fdb 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -316,7 +316,7 @@ static void nfqnl_get_sk_secctx(struct sk_buff *skb, struct lsmcontext *context)
@@ -834,7 +834,7 @@
switch (entry->def.type) {
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
-index 0ce9bee43dd3..380eeffd8e00 100644
+index 3befe0738d31..ff5901113a27 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -437,13 +437,14 @@ int netlbl_unlhsh_add(struct net *net,
@@ -915,10 +915,10 @@
/* Only the kernel is allowed to call this function and the only time
* it is called is at bootup before the audit subsystem is reporting
* messages so don't worry to much about these values. */
-- security_task_getsecid_subj(current, &blob);
+- security_task_getsecid(current, &blob);
- /* scaffolding until audit_info.secid is converted */
- audit_info.secid = blob.secid[0];
-+ security_task_getsecid_subj(current, &audit_info.lsmdata);
++ security_task_getsecid(current, &audit_info.lsmdata);
audit_info.loginuid = GLOBAL_ROOT_UID;
audit_info.sessionid = 0;
@@ -967,7 +967,7 @@
return audit_buf;
diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h
-index 11f6da93f31b..bc1f0cd824d5 100644
+index 438b5db6c714..bd4335443b87 100644
--- a/net/netlabel/netlabel_user.h
+++ b/net/netlabel/netlabel_user.h
@@ -34,11 +34,7 @@
@@ -976,18 +976,18 @@
{
- struct lsmblob blob;
-
-- security_task_getsecid_subj(current, &blob);
+- security_task_getsecid(current, &blob);
- /* scaffolding until secid is converted */
- audit_info->secid = blob.secid[0];
-+ security_task_getsecid_subj(current, &audit_info->lsmdata);
++ security_task_getsecid(current, &audit_info->lsmdata);
audit_info->loginuid = audit_get_loginuid(current);
audit_info->sessionid = audit_get_sessionid(current);
}
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
-index ce500f847b99..a4d554214d4b 100644
+index b74f28cabe24..d0c89b570ac5 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
-@@ -4173,30 +4173,32 @@ static void xfrm_audit_common_policyinfo(struct xfrm_policy *xp,
+@@ -4215,30 +4215,32 @@ static void xfrm_audit_common_policyinfo(struct xfrm_policy *xp,
void xfrm_audit_policy_add(struct xfrm_policy *xp, int result, bool task_valid)
{
@@ -1025,10 +1025,10 @@
EXPORT_SYMBOL_GPL(xfrm_audit_policy_delete);
#endif
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
-index 4496f7efa220..a1fd0e122be8 100644
+index d01ca1a18418..a3d49a854ed2 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
-@@ -2747,29 +2747,31 @@ static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family,
+@@ -2746,29 +2746,31 @@ static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family,
void xfrm_audit_state_add(struct xfrm_state *x, int result, bool task_valid)
{
@@ -1064,7 +1064,7 @@
}
EXPORT_SYMBOL_GPL(xfrm_audit_state_delete);
-@@ -2779,7 +2781,7 @@ void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
+@@ -2778,7 +2780,7 @@ void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
struct audit_buffer *audit_buf;
u32 spi;
@@ -1073,7 +1073,7 @@
if (audit_buf == NULL)
return;
xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
-@@ -2797,7 +2799,7 @@ void xfrm_audit_state_replay(struct xfrm_state *x,
+@@ -2796,7 +2798,7 @@ void xfrm_audit_state_replay(struct xfrm_state *x,
struct audit_buffer *audit_buf;
u32 spi;
@@ -1082,7 +1082,7 @@
if (audit_buf == NULL)
return;
xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
-@@ -2812,7 +2814,7 @@ void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family)
+@@ -2811,7 +2813,7 @@ void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family)
{
struct audit_buffer *audit_buf;
@@ -1091,7 +1091,7 @@
if (audit_buf == NULL)
return;
xfrm_audit_helper_pktinfo(skb, family, audit_buf);
-@@ -2826,7 +2828,7 @@ void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
+@@ -2825,7 +2827,7 @@ void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
struct audit_buffer *audit_buf;
u32 spi;
@@ -1100,7 +1100,7 @@
if (audit_buf == NULL)
return;
xfrm_audit_helper_pktinfo(skb, family, audit_buf);
-@@ -2844,7 +2846,7 @@ void xfrm_audit_state_icvfail(struct xfrm_state *x,
+@@ -2843,7 +2845,7 @@ void xfrm_audit_state_icvfail(struct xfrm_state *x,
__be32 net_spi;
__be32 net_seq;
@@ -1170,10 +1170,10 @@
+ audit_log_end_local(ab, context);
}
diff --git a/security/security.c b/security/security.c
-index d1e9a54e22b4..bb4c7f6c62ec 100644
+index 5d3dad5f800f..7d90f2f531b1 100644
--- a/security/security.c
+++ b/security/security.c
-@@ -2307,7 +2307,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
+@@ -2249,7 +2249,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
hlist_for_each_entry(hp, &security_hook_heads.setprocattr,
list) {
rc = hp->hook.setprocattr(name, value, size);
@@ -1182,7 +1182,7 @@
return rc;
}
-@@ -2352,13 +2352,31 @@ int security_ismaclabel(const char *name)
+@@ -2294,13 +2294,31 @@ int security_ismaclabel(const char *name)
}
EXPORT_SYMBOL(security_ismaclabel);
@@ -1216,7 +1216,7 @@
hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) {
if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
continue;
-@@ -2388,7 +2406,7 @@ int security_secctx_to_secid(const char *secdata, u32 seclen,
+@@ -2330,7 +2348,7 @@ int security_secctx_to_secid(const char *secdata, u32 seclen,
return hp->hook.secctx_to_secid(secdata, seclen,
&blob->secid[hp->lsmid->slot]);
}
@@ -1225,7 +1225,7 @@
}
EXPORT_SYMBOL(security_secctx_to_secid);
-@@ -2882,23 +2900,17 @@ int security_key_getsecurity(struct key *key, char **_buffer)
+@@ -2824,23 +2842,17 @@ int security_key_getsecurity(struct key *key, char **_buffer)
int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule)
{
struct security_hook_list *hp;
@@ -1255,7 +1255,7 @@
}
int security_audit_rule_known(struct audit_krule *krule)
-@@ -2930,6 +2942,8 @@ int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
+@@ -2872,6 +2884,8 @@ int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
continue;
if (lsmrule[hp->lsmid->slot] == NULL)
continue;