Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/hooks.c22
-rw-r--r--security/selinux/ss/services.c6
-rw-r--r--security/selinux/ss/services.h3
-rw-r--r--security/selinux/ss/sidtab.c6
4 files changed, 32 insertions, 5 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f553c370397e..7c5c8d17695c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3240,6 +3240,25 @@ static int selinux_inode_setxattr(struct user_namespace *mnt_userns,
&ad);
}
+static int selinux_inode_set_acl(struct user_namespace *mnt_userns,
+ struct dentry *dentry, const char *acl_name,
+ struct posix_acl *kacl)
+{
+ return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
+}
+
+static int selinux_inode_get_acl(struct user_namespace *mnt_userns,
+ struct dentry *dentry, const char *acl_name)
+{
+ return dentry_has_perm(current_cred(), dentry, FILE__GETATTR);
+}
+
+static int selinux_inode_remove_acl(struct user_namespace *mnt_userns,
+ struct dentry *dentry, const char *acl_name)
+{
+ return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
+}
+
static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
const void *value, size_t size,
int flags)
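Review bot: None of the three new hooks consults acl_name or kacl, so every POSIX ACL type is gated by the same FILE__SETATTR (set/remove) or FILE__GETATTR (get) check on the dentry, and nothing in the hunk says this is intentional. A one-line comment above selinux_inode_set_acl would stop a later reader from assuming a per-ACL-type distinction was overlooked, e.g. `/* ACL type and value are not inspected: every POSIX ACL operation maps to FILE__SETATTR or FILE__GETATTR on the dentry */`. Presumably this mirrors what selinux_inode_setxattr/getxattr already did for the system.posix_acl_* names, but those functions lie outside this hunk, so that equivalence should be confirmed rather than assumed.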
@@ -7088,6 +7107,9 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(inode_getxattr, selinux_inode_getxattr),
LSM_HOOK_INIT(inode_listxattr, selinux_inode_listxattr),
LSM_HOOK_INIT(inode_removexattr, selinux_inode_removexattr),
+ LSM_HOOK_INIT(inode_set_acl, selinux_inode_set_acl),
+ LSM_HOOK_INIT(inode_get_acl, selinux_inode_get_acl),
+ LSM_HOOK_INIT(inode_remove_acl, selinux_inode_remove_acl),
LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index e63c4f942fd6..0092b29022f5 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2013,6 +2013,7 @@ static inline int convert_context_handle_invalid_context(
* @args: populated convert_context_args struct
* @oldc: original context
* @newc: converted context
+ * @gfp_flags: allocation flags
*
* Convert the values in the security context structure @oldc from the values
* specified in the policy @args->oldp to the values specified in the policy
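Review bot: The new kernel-doc line `@gfp_flags: allocation flags` restates the parameter's type without saying what it governs or why a caller would pass anything other than GFP_KERNEL. Since the point of the parameter is that the function can now be called from a context that must not sleep, the comment should say so, e.g. `@gfp_flags: GFP flags for every allocation made while converting; pass GFP_ATOMIC when the caller cannot sleep`. The same hunk series changes only the documentation here; the behavioural change is in the later hunk of this file.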
@@ -2020,7 +2021,8 @@ static inline int convert_context_handle_invalid_context(
* context is valid under the new policy.
*/
int services_convert_context(struct convert_context_args *args,
- struct context *oldc, struct context *newc)
+ struct context *oldc, struct context *newc,
+ gfp_t gfp_flags)
{
struct ocontext *oc;
struct role_datum *role;
@@ -2031,7 +2033,7 @@ int services_convert_context(struct convert_context_args *args,
int rc;
if (oldc->str) {
- s = kstrdup(oldc->str, GFP_KERNEL);
+ s = kstrdup(oldc->str, gfp_flags);
if (!s)
return -ENOMEM;
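Review bot: Only the kstrdup() call is switched to gfp_flags in this hunk, and services_convert_context continues well past it; if any other allocation in the rest of the body, or in a helper it calls to copy or convert the context, still hardcodes GFP_KERNEL, the new GFP_ATOMIC caller in sidtab_context_to_sid would still be able to sleep in a non-sleeping context. I cannot see the remainder of the body from this hunk, so this needs checking against the full function. A comment at the top of the body would record the contract for future edits, e.g. `/* Every allocation below must use gfp_flags: the caller may be in atomic context. */`.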
diff --git a/security/selinux/ss/services.h b/security/selinux/ss/services.h
index 6348c95ff0e5..c4301626487f 100644
--- a/security/selinux/ss/services.h
+++ b/security/selinux/ss/services.h
@@ -41,6 +41,7 @@ void services_compute_xperms_decision(struct extended_perms_decision *xpermd,
struct avtab_node *node);
int services_convert_context(struct convert_context_args *args,
- struct context *oldc, struct context *newc);
+ struct context *oldc, struct context *newc,
+ gfp_t gfp_flags);
#endif /* _SS_SERVICES_H_ */
diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c
index 1c3d2cda6b92..38d25173aebd 100644
--- a/security/selinux/ss/sidtab.c
+++ b/security/selinux/ss/sidtab.c
@@ -328,7 +328,8 @@ int sidtab_context_to_sid(struct sidtab *s, struct context *context,
}
rc = services_convert_context(convert->args,
- context, &dst_convert->context);
+ context, &dst_convert->context,
+ GFP_ATOMIC);
if (rc) {
context_destroy(&dst->context);
goto out_unlock;
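Review bot: The reason for GFP_ATOMIC at this call and GFP_KERNEL at the call in sidtab_convert_tree (the second sidtab.c hunk) is not stated at either site, so the next person touching either line has no local hint that the two differ on purpose. A short comment at each would make it visible, e.g. `/* GFP_ATOMIC: the sidtab lock is held here, so we must not sleep */` here and `/* GFP_KERNEL: tree conversion runs without the lock and may sleep */` there. I am inferring the locking from the out_unlock label below; both enclosing functions start and end outside their hunks, so the inference should be confirmed against the full functions.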
@@ -407,7 +408,8 @@ static int sidtab_convert_tree(union sidtab_entry_inner *edst,
while (i < SIDTAB_LEAF_ENTRIES && *pos < count) {
rc = services_convert_context(convert->args,
&esrc->ptr_leaf->entries[i].context,
- &edst->ptr_leaf->entries[i].context);
+ &edst->ptr_leaf->entries[i].context,
+ GFP_KERNEL);
if (rc)
return rc;
(*pos)++;