Merge branch 'next' into for-linus

James Morris
2 parents 238c6d5483 3699c53c48
Showing 26 changed files Side-by-side Diff
Documentation/feature-removal-schedule.txt
include/linux/capability.h
include/linux/security.h
include/net/cipso_ipv4.h
include/net/netlabel.h
kernel/capability.c
net/ipv4/cipso_ipv4.c
net/netlabel/netlabel_cipso_v4.c
net/netlabel/netlabel_domainhash.c
net/netlabel/netlabel_domainhash.h
net/netlabel/netlabel_kapi.c
net/netlabel/netlabel_unlabeled.c
net/netlabel/netlabel_unlabeled.h
security/commoncap.c
security/keys/keyctl.c
security/security.c
security/selinux/Kconfig
security/selinux/avc.c
security/selinux/hooks.c
security/selinux/include/avc_ss.h
@@ -315,4 +315,16 @@
 Why:	Deprecated by the new (standard) device driver binding model. Use
 	i2c_driver->probe() and ->remove() instead.
 Who:	Jean Delvare <khali@linux-fr.org>
+
+---------------------------
+
+What:	SELinux "compat_net" functionality
+When:	2.6.30 at the earliest
+Why:	In 2.6.18 the Secmark concept was introduced to replace the "compat_net"
+	network access control functionality of SELinux.  Secmark offers both
+	better performance and greater flexibility than the "compat_net"
+	mechanism.  Now that the major Linux distributions have moved to
+	Secmark, it is time to deprecate the older mechanism and start the
+	process of removing the old code.
+Who:	Paul Moore <paul.moore@hp.com>
@@ -529,8 +529,21 @@
  *
  * Note that this does not set PF_SUPERPRIV on the task.
  */
-#define has_capability(t, cap) (security_capable((t), (cap)) == 0)
-#define has_capability_noaudit(t, cap) (security_capable_noaudit((t), (cap)) == 0)
+#define has_capability(t, cap) (security_real_capable((t), (cap)) == 0)
+
+/**
+ * has_capability_noaudit - Determine if a task has a superior capability available (unaudited)
+ * @t: The task in question
+ * @cap: The capability to be tested for
+ *
+ * Return true if the specified task has the given superior capability
+ * currently in effect, false if not, but don't write an audit message for the
+ * check.
+ *
+ * Note that this does not set PF_SUPERPRIV on the task.
+ */
+#define has_capability_noaudit(t, cap) \
+	(security_real_capable_noaudit((t), (cap)) == 0)
  
 extern int capable(int cap);
  
@@ -48,7 +48,8 @@
  * These functions are in security/capability.c and are used
  * as the default capabilities functions
  */
-extern int cap_capable(struct task_struct *tsk, int cap, int audit);
+extern int cap_capable(struct task_struct *tsk, const struct cred *cred,
+		       int cap, int audit);
 extern int cap_settime(struct timespec *ts, struct timezone *tz);
 extern int cap_ptrace_may_access(struct task_struct *child, unsigned int mode);
 extern int cap_ptrace_traceme(struct task_struct *parent);
  
  
@@ -1251,9 +1252,12 @@
  *	@permitted contains the permitted capability set.
  *	Return 0 and update @new if permission is granted.
  * @capable:
- *	Check whether the @tsk process has the @cap capability.
+ *	Check whether the @tsk process has the @cap capability in the indicated
+ *	credentials.
  *	@tsk contains the task_struct for the process.
+ *	@cred contains the credentials to use.
  *	@cap contains the capability <include/linux/capability.h>.
+ *	@audit: Whether to write an audit message or not
  *	Return 0 if the capability is granted for @tsk.
  * @acct:
  *	Check permission before enabling or disabling process accounting.  If
@@ -1346,7 +1350,8 @@
 		       const kernel_cap_t *effective,
 		       const kernel_cap_t *inheritable,
 		       const kernel_cap_t *permitted);
-	int (*capable) (struct task_struct *tsk, int cap, int audit);
+	int (*capable) (struct task_struct *tsk, const struct cred *cred,
+			int cap, int audit);
 	int (*acct) (struct file *file);
 	int (*sysctl) (struct ctl_table *table, int op);
 	int (*quotactl) (int cmds, int type, int id, struct super_block *sb);
@@ -1628,8 +1633,9 @@
 		    const kernel_cap_t *effective,
 		    const kernel_cap_t *inheritable,
 		    const kernel_cap_t *permitted);
-int security_capable(struct task_struct *tsk, int cap);
-int security_capable_noaudit(struct task_struct *tsk, int cap);
+int security_capable(int cap);
+int security_real_capable(struct task_struct *tsk, int cap);
+int security_real_capable_noaudit(struct task_struct *tsk, int cap);
 int security_acct(struct file *file);
 int security_sysctl(struct ctl_table *table, int op);
 int security_quotactl(int cmds, int type, int id, struct super_block *sb);
  
  
  
@@ -1826,14 +1832,31 @@
 	return cap_capset(new, old, effective, inheritable, permitted);
 }
  
-static inline int security_capable(struct task_struct *tsk, int cap)
+static inline int security_capable(int cap)
 {
-	return cap_capable(tsk, cap, SECURITY_CAP_AUDIT);
+	return cap_capable(current, current_cred(), cap, SECURITY_CAP_AUDIT);
 }
  
-static inline int security_capable_noaudit(struct task_struct *tsk, int cap)
+static inline int security_real_capable(struct task_struct *tsk, int cap)
 {
-	return cap_capable(tsk, cap, SECURITY_CAP_NOAUDIT);
+	int ret;
+
+	rcu_read_lock();
+	ret = cap_capable(tsk, __task_cred(tsk), cap, SECURITY_CAP_AUDIT);
+	rcu_read_unlock();
+	return ret;
+}
+
+static inline
+int security_real_capable_noaudit(struct task_struct *tsk, int cap)
+{
+	int ret;
+
+	rcu_read_lock();
+	ret = cap_capable(tsk, __task_cred(tsk), cap,
+			       SECURITY_CAP_NOAUDIT);
+	rcu_read_unlock();
+	return ret;
 }
  
 static inline int security_acct(struct file *file)
@@ -131,7 +131,8 @@
  */
  
 #ifdef CONFIG_NETLABEL
-int cipso_v4_doi_add(struct cipso_v4_doi *doi_def);
+int cipso_v4_doi_add(struct cipso_v4_doi *doi_def,
+		     struct netlbl_audit *audit_info);
 void cipso_v4_doi_free(struct cipso_v4_doi *doi_def);
 int cipso_v4_doi_remove(u32 doi, struct netlbl_audit *audit_info);
 struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi);
@@ -140,7 +141,8 @@
 		     int (*callback) (struct cipso_v4_doi *doi_def, void *arg),
 	             void *cb_arg);
 #else
-static inline int cipso_v4_doi_add(struct cipso_v4_doi *doi_def)
+static inline int cipso_v4_doi_add(struct cipso_v4_doi *doi_def,
+				   struct netlbl_audit *audit_info)
 {
 	return -ENOSYS;
 }
@@ -33,6 +33,8 @@
 #include <linux/types.h>
 #include <linux/net.h>
 #include <linux/skbuff.h>
+#include <linux/in.h>
+#include <linux/in6.h>
 #include <net/netlink.h>
 #include <asm/atomic.h>
  
  
  
  
@@ -353,13 +355,37 @@
 /*
  * LSM configuration operations
  */
-int netlbl_cfg_map_del(const char *domain, struct netlbl_audit *audit_info);
-int netlbl_cfg_unlbl_add_map(const char *domain,
+int netlbl_cfg_map_del(const char *domain,
+		       u16 family,
+		       const void *addr,
+		       const void *mask,
+		       struct netlbl_audit *audit_info);
+int netlbl_cfg_unlbl_map_add(const char *domain,
+			     u16 family,
+			     const void *addr,
+			     const void *mask,
 			     struct netlbl_audit *audit_info);
-int netlbl_cfg_cipsov4_add_map(struct cipso_v4_doi *doi_def,
+int netlbl_cfg_unlbl_static_add(struct net *net,
+				const char *dev_name,
+				const void *addr,
+				const void *mask,
+				u16 family,
+				u32 secid,
+				struct netlbl_audit *audit_info);
+int netlbl_cfg_unlbl_static_del(struct net *net,
+				const char *dev_name,
+				const void *addr,
+				const void *mask,
+				u16 family,
+				struct netlbl_audit *audit_info);
+int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def,
+			   struct netlbl_audit *audit_info);
+void netlbl_cfg_cipsov4_del(u32 doi, struct netlbl_audit *audit_info);
+int netlbl_cfg_cipsov4_map_add(u32 doi,
 			       const char *domain,
+			       const struct in_addr *addr,
+			       const struct in_addr *mask,
 			       struct netlbl_audit *audit_info);
-
 /*
  * LSM security attribute operations
  */
  
  
  
  
@@ -401,19 +427,62 @@
 void netlbl_cache_invalidate(void);
 int netlbl_cache_add(const struct sk_buff *skb,
 		     const struct netlbl_lsm_secattr *secattr);
+
+/*
+ * Protocol engine operations
+ */
+struct audit_buffer *netlbl_audit_start(int type,
+					struct netlbl_audit *audit_info);
 #else
 static inline int netlbl_cfg_map_del(const char *domain,
+				     u16 family,
+				     const void *addr,
+				     const void *mask,
 				     struct netlbl_audit *audit_info)
 {
 	return -ENOSYS;
 }
-static inline int netlbl_cfg_unlbl_add_map(const char *domain,
+static inline int netlbl_cfg_unlbl_map_add(const char *domain,
+					   u16 family,
+					   void *addr,
+					   void *mask,
 					   struct netlbl_audit *audit_info)
 {
 	return -ENOSYS;
 }
-static inline int netlbl_cfg_cipsov4_add_map(struct cipso_v4_doi *doi_def,
+static inline int netlbl_cfg_unlbl_static_add(struct net *net,
+					      const char *dev_name,
+					      const void *addr,
+					      const void *mask,
+					      u16 family,
+					      u32 secid,
+					      struct netlbl_audit *audit_info)
+{
+	return -ENOSYS;
+}
+static inline int netlbl_cfg_unlbl_static_del(struct net *net,
+					      const char *dev_name,
+					      const void *addr,
+					      const void *mask,
+					      u16 family,
+					      struct netlbl_audit *audit_info)
+{
+	return -ENOSYS;
+}
+static inline int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def,
+					 struct netlbl_audit *audit_info)
+{
+	return -ENOSYS;
+}
+static inline void netlbl_cfg_cipsov4_del(u32 doi,
+					  struct netlbl_audit *audit_info)
+{
+	return;
+}
+static inline int netlbl_cfg_cipsov4_map_add(u32 doi,
 					     const char *domain,
+					     const struct in_addr *addr,
+					     const struct in_addr *mask,
 					     struct netlbl_audit *audit_info)
 {
 	return -ENOSYS;
@@ -494,6 +563,11 @@
 				   const struct netlbl_lsm_secattr *secattr)
 {
 	return 0;
+}
+static inline struct audit_buffer *netlbl_audit_start(int type,
+						struct netlbl_audit *audit_info)
+{
+	return NULL;
 }
 #endif /* CONFIG_NETLABEL */
  
@@ -306,7 +306,7 @@
 		BUG();
 	}
  
-	if (has_capability(current, cap)) {
+	if (security_capable(cap) == 0) {
 		current->flags |= PF_SUPERPRIV;
 		return 1;
 	}
@@ -38,6 +38,7 @@
 #include <linux/spinlock.h>
 #include <linux/string.h>
 #include <linux/jhash.h>
+#include <linux/audit.h>
 #include <net/ip.h>
 #include <net/icmp.h>
 #include <net/tcp.h>
@@ -449,6 +450,7 @@
 /**
  * cipso_v4_doi_add - Add a new DOI to the CIPSO protocol engine
  * @doi_def: the DOI structure
+ * @audit_info: NetLabel audit information
  *
  * Description:
  * The caller defines a new DOI for use by the CIPSO engine and calls this
  
  
  
  
  
  
  
  
  
  
  
  
  
@@ -458,50 +460,78 @@
  * zero on success and non-zero on failure.
  *
  */
-int cipso_v4_doi_add(struct cipso_v4_doi *doi_def)
+int cipso_v4_doi_add(struct cipso_v4_doi *doi_def,
+		     struct netlbl_audit *audit_info)
 {
+	int ret_val = -EINVAL;
 	u32 iter;
+	u32 doi;
+	u32 doi_type;
+	struct audit_buffer *audit_buf;
  
+	doi = doi_def->doi;
+	doi_type = doi_def->type;
+
 	if (doi_def == NULL || doi_def->doi == CIPSO_V4_DOI_UNKNOWN)
-		return -EINVAL;
+		goto doi_add_return;
 	for (iter = 0; iter < CIPSO_V4_TAG_MAXCNT; iter++) {
 		switch (doi_def->tags[iter]) {
 		case CIPSO_V4_TAG_RBITMAP:
 			break;
 		case CIPSO_V4_TAG_RANGE:
-			if (doi_def->type != CIPSO_V4_MAP_PASS)
-				return -EINVAL;
-			break;
-		case CIPSO_V4_TAG_INVALID:
-			if (iter == 0)
-				return -EINVAL;
-			break;
 		case CIPSO_V4_TAG_ENUM:
 			if (doi_def->type != CIPSO_V4_MAP_PASS)
-				return -EINVAL;
+				goto doi_add_return;
 			break;
 		case CIPSO_V4_TAG_LOCAL:
 			if (doi_def->type != CIPSO_V4_MAP_LOCAL)
-				return -EINVAL;
+				goto doi_add_return;
 			break;
+		case CIPSO_V4_TAG_INVALID:
+			if (iter == 0)
+				goto doi_add_return;
+			break;
 		default:
-			return -EINVAL;
+			goto doi_add_return;
 		}
 	}
  
 	atomic_set(&doi_def->refcount, 1);
  
 	spin_lock(&cipso_v4_doi_list_lock);
-	if (cipso_v4_doi_search(doi_def->doi) != NULL)
-		goto doi_add_failure;
+	if (cipso_v4_doi_search(doi_def->doi) != NULL) {
+		spin_unlock(&cipso_v4_doi_list_lock);
+		ret_val = -EEXIST;
+		goto doi_add_return;
+	}
 	list_add_tail_rcu(&doi_def->list, &cipso_v4_doi_list);
 	spin_unlock(&cipso_v4_doi_list_lock);
+	ret_val = 0;
  
-	return 0;
+doi_add_return:
+	audit_buf = netlbl_audit_start(AUDIT_MAC_CIPSOV4_ADD, audit_info);
+	if (audit_buf != NULL) {
+		const char *type_str;
+		switch (doi_type) {
+		case CIPSO_V4_MAP_TRANS:
+			type_str = "trans";
+			break;
+		case CIPSO_V4_MAP_PASS:
+			type_str = "pass";
+			break;
+		case CIPSO_V4_MAP_LOCAL:
+			type_str = "local";
+			break;
+		default:
+			type_str = "(unknown)";
+		}
+		audit_log_format(audit_buf,
+				 " cipso_doi=%u cipso_type=%s res=%u",
+				 doi, type_str, ret_val == 0 ? 1 : 0);
+		audit_log_end(audit_buf);
+	}
  
-doi_add_failure:
-	spin_unlock(&cipso_v4_doi_list_lock);
-	return -EEXIST;
+	return ret_val;
 }
  
 /**
  
  
  
  
  
@@ -559,25 +589,39 @@
  */
 int cipso_v4_doi_remove(u32 doi, struct netlbl_audit *audit_info)
 {
+	int ret_val;
 	struct cipso_v4_doi *doi_def;
+	struct audit_buffer *audit_buf;
  
 	spin_lock(&cipso_v4_doi_list_lock);
 	doi_def = cipso_v4_doi_search(doi);
 	if (doi_def == NULL) {
 		spin_unlock(&cipso_v4_doi_list_lock);
-		return -ENOENT;
+		ret_val = -ENOENT;
+		goto doi_remove_return;
 	}
 	if (!atomic_dec_and_test(&doi_def->refcount)) {
 		spin_unlock(&cipso_v4_doi_list_lock);
-		return -EBUSY;
+		ret_val = -EBUSY;
+		goto doi_remove_return;
 	}
 	list_del_rcu(&doi_def->list);
 	spin_unlock(&cipso_v4_doi_list_lock);
  
 	cipso_v4_cache_invalidate();
 	call_rcu(&doi_def->rcu, cipso_v4_doi_free_rcu);
+	ret_val = 0;
  
-	return 0;
+doi_remove_return:
+	audit_buf = netlbl_audit_start(AUDIT_MAC_CIPSOV4_DEL, audit_info);
+	if (audit_buf != NULL) {
+		audit_log_format(audit_buf,
+				 " cipso_doi=%u res=%u",
+				 doi, ret_val == 0 ? 1 : 0);
+		audit_log_end(audit_buf);
+	}
+
+	return ret_val;
 }
  
 /**
@@ -130,6 +130,7 @@
 /**
  * netlbl_cipsov4_add_std - Adds a CIPSO V4 DOI definition
  * @info: the Generic NETLINK info block
+ * @audit_info: NetLabel audit information
  *
  * Description:
  * Create a new CIPSO_V4_MAP_TRANS DOI definition based on the given ADD
@@ -137,7 +138,8 @@
  * non-zero on error.
  *
  */
-static int netlbl_cipsov4_add_std(struct genl_info *info)
+static int netlbl_cipsov4_add_std(struct genl_info *info,
+				  struct netlbl_audit *audit_info)
 {
 	int ret_val = -EINVAL;
 	struct cipso_v4_doi *doi_def = NULL;
@@ -316,7 +318,7 @@
 			}
 	}
  
-	ret_val = cipso_v4_doi_add(doi_def);
+	ret_val = cipso_v4_doi_add(doi_def, audit_info);
 	if (ret_val != 0)
 		goto add_std_failure;
 	return 0;
@@ -330,6 +332,7 @@
 /**
  * netlbl_cipsov4_add_pass - Adds a CIPSO V4 DOI definition
  * @info: the Generic NETLINK info block
+ * @audit_info: NetLabel audit information
  *
  * Description:
  * Create a new CIPSO_V4_MAP_PASS DOI definition based on the given ADD message
@@ -337,7 +340,8 @@
  * error.
  *
  */
-static int netlbl_cipsov4_add_pass(struct genl_info *info)
+static int netlbl_cipsov4_add_pass(struct genl_info *info,
+				   struct netlbl_audit *audit_info)
 {
 	int ret_val;
 	struct cipso_v4_doi *doi_def = NULL;
@@ -354,7 +358,7 @@
 	if (ret_val != 0)
 		goto add_pass_failure;
  
-	ret_val = cipso_v4_doi_add(doi_def);
+	ret_val = cipso_v4_doi_add(doi_def, audit_info);
 	if (ret_val != 0)
 		goto add_pass_failure;
 	return 0;
@@ -367,6 +371,7 @@
 /**
  * netlbl_cipsov4_add_local - Adds a CIPSO V4 DOI definition
  * @info: the Generic NETLINK info block
+ * @audit_info: NetLabel audit information
  *
  * Description:
  * Create a new CIPSO_V4_MAP_LOCAL DOI definition based on the given ADD
@@ -374,7 +379,8 @@
  * non-zero on error.
  *
  */
-static int netlbl_cipsov4_add_local(struct genl_info *info)
+static int netlbl_cipsov4_add_local(struct genl_info *info,
+				    struct netlbl_audit *audit_info)
 {
 	int ret_val;
 	struct cipso_v4_doi *doi_def = NULL;
@@ -391,7 +397,7 @@
 	if (ret_val != 0)
 		goto add_local_failure;
  
-	ret_val = cipso_v4_doi_add(doi_def);
+	ret_val = cipso_v4_doi_add(doi_def, audit_info);
 	if (ret_val != 0)
 		goto add_local_failure;
 	return 0;
  
  
  
  
  
  
  
@@ -415,48 +421,31 @@
  
 {
 	int ret_val = -EINVAL;
-	u32 type;
-	u32 doi;
 	const char *type_str = "(unknown)";
-	struct audit_buffer *audit_buf;
 	struct netlbl_audit audit_info;
  
 	if (!info->attrs[NLBL_CIPSOV4_A_DOI] ||
 	    !info->attrs[NLBL_CIPSOV4_A_MTYPE])
 		return -EINVAL;
  
-	doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
 	netlbl_netlink_auditinfo(skb, &audit_info);
-
-	type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]);
-	switch (type) {
+	switch (nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE])) {
 	case CIPSO_V4_MAP_TRANS:
 		type_str = "trans";
-		ret_val = netlbl_cipsov4_add_std(info);
+		ret_val = netlbl_cipsov4_add_std(info, &audit_info);
 		break;
 	case CIPSO_V4_MAP_PASS:
 		type_str = "pass";
-		ret_val = netlbl_cipsov4_add_pass(info);
+		ret_val = netlbl_cipsov4_add_pass(info, &audit_info);
 		break;
 	case CIPSO_V4_MAP_LOCAL:
 		type_str = "local";
-		ret_val = netlbl_cipsov4_add_local(info);
+		ret_val = netlbl_cipsov4_add_local(info, &audit_info);
 		break;
 	}
 	if (ret_val == 0)
 		atomic_inc(&netlabel_mgmt_protocount);
  
-	audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD,
-					      &audit_info);
-	if (audit_buf != NULL) {
-		audit_log_format(audit_buf,
-				 " cipso_doi=%u cipso_type=%s res=%u",
-				 doi,
-				 type_str,
-				 ret_val == 0 ? 1 : 0);
-		audit_log_end(audit_buf);
-	}
-
 	return ret_val;
 }
  
  
@@ -725,9 +714,7 @@
 static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info)
 {
 	int ret_val = -EINVAL;
-	u32 doi = 0;
 	struct netlbl_domhsh_walk_arg cb_arg;
-	struct audit_buffer *audit_buf;
 	struct netlbl_audit audit_info;
 	u32 skip_bkt = 0;
 	u32 skip_chain = 0;
  
  
  
@@ -735,27 +722,15 @@
 	if (!info->attrs[NLBL_CIPSOV4_A_DOI])
 		return -EINVAL;
  
-	doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
 	netlbl_netlink_auditinfo(skb, &audit_info);
-
-	cb_arg.doi = doi;
+	cb_arg.doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
 	cb_arg.audit_info = &audit_info;
 	ret_val = netlbl_domhsh_walk(&skip_bkt, &skip_chain,
 				     netlbl_cipsov4_remove_cb, &cb_arg);
 	if (ret_val == 0 || ret_val == -ENOENT) {
-		ret_val = cipso_v4_doi_remove(doi, &audit_info);
+		ret_val = cipso_v4_doi_remove(cb_arg.doi, &audit_info);
 		if (ret_val == 0)
 			atomic_dec(&netlabel_mgmt_protocount);
-	}
-
-	audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL,
-					      &audit_info);
-	if (audit_buf != NULL) {
-		audit_log_format(audit_buf,
-				 " cipso_doi=%u res=%u",
-				 doi,
-				 ret_val == 0 ? 1 : 0);
-		audit_log_end(audit_buf);
 	}
  
 	return ret_val;
@@ -483,6 +483,73 @@
 }
  
 /**
+ * netlbl_domhsh_remove_af4 - Removes an address selector entry
+ * @domain: the domain
+ * @addr: IPv4 address
+ * @mask: IPv4 address mask
+ * @audit_info: NetLabel audit information
+ *
+ * Description:
+ * Removes an individual address selector from a domain mapping and potentially
+ * the entire mapping if it is empty.  Returns zero on success, negative values
+ * on failure.
+ *
+ */
+int netlbl_domhsh_remove_af4(const char *domain,
+			     const struct in_addr *addr,
+			     const struct in_addr *mask,
+			     struct netlbl_audit *audit_info)
+{
+	struct netlbl_dom_map *entry_map;
+	struct netlbl_af4list *entry_addr;
+	struct netlbl_af4list *iter4;
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+	struct netlbl_af6list *iter6;
+#endif /* IPv6 */
+	struct netlbl_domaddr4_map *entry;
+
+	rcu_read_lock();
+
+	if (domain)
+		entry_map = netlbl_domhsh_search(domain);
+	else
+		entry_map = netlbl_domhsh_search_def(domain);
+	if (entry_map == NULL || entry_map->type != NETLBL_NLTYPE_ADDRSELECT)
+		goto remove_af4_failure;
+
+	spin_lock(&netlbl_domhsh_lock);
+	entry_addr = netlbl_af4list_remove(addr->s_addr, mask->s_addr,
+					   &entry_map->type_def.addrsel->list4);
+	spin_unlock(&netlbl_domhsh_lock);
+
+	if (entry_addr == NULL)
+		goto remove_af4_failure;
+	netlbl_af4list_foreach_rcu(iter4, &entry_map->type_def.addrsel->list4)
+		goto remove_af4_single_addr;
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+	netlbl_af6list_foreach_rcu(iter6, &entry_map->type_def.addrsel->list6)
+		goto remove_af4_single_addr;
+#endif /* IPv6 */
+	/* the domain mapping is empty so remove it from the mapping table */
+	netlbl_domhsh_remove_entry(entry_map, audit_info);
+
+remove_af4_single_addr:
+	rcu_read_unlock();
+	/* yick, we can't use call_rcu here because we don't have a rcu head
+	 * pointer but hopefully this should be a rare case so the pause
+	 * shouldn't be a problem */
+	synchronize_rcu();
+	entry = netlbl_domhsh_addr4_entry(entry_addr);
+	cipso_v4_doi_putdef(entry->type_def.cipsov4);
+	kfree(entry);
+	return 0;
+
+remove_af4_failure:
+	rcu_read_unlock();
+	return -ENOENT;
+}
+
+/**
  * netlbl_domhsh_remove - Removes an entry from the domain hash table
  * @domain: the domain to remove
  * @audit_info: NetLabel audit information
@@ -90,6 +90,10 @@
 			      struct netlbl_audit *audit_info);
 int netlbl_domhsh_remove_entry(struct netlbl_dom_map *entry,
 			       struct netlbl_audit *audit_info);
+int netlbl_domhsh_remove_af4(const char *domain,
+			     const struct in_addr *addr,
+			     const struct in_addr *mask,
+			     struct netlbl_audit *audit_info);
 int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info);
 int netlbl_domhsh_remove_default(struct netlbl_audit *audit_info);
 struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain);
@@ -31,7 +31,10 @@
 #include <linux/init.h>
 #include <linux/types.h>
 #include <linux/audit.h>
+#include <linux/in.h>
+#include <linux/in6.h>
 #include <net/ip.h>
+#include <net/ipv6.h>
 #include <net/netlabel.h>
 #include <net/cipso_ipv4.h>
 #include <asm/bug.h>
@@ -42,6 +45,7 @@
 #include "netlabel_cipso_v4.h"
 #include "netlabel_user.h"
 #include "netlabel_mgmt.h"
+#include "netlabel_addrlist.h"
  
 /*
  * Configuration Functions
@@ -50,6 +54,9 @@
 /**
  * netlbl_cfg_map_del - Remove a NetLabel/LSM domain mapping
  * @domain: the domain mapping to remove
+ * @family: address family
+ * @addr: IP address
+ * @mask: IP address mask
  * @audit_info: NetLabel audit information
  *
  * Description:
  
  
  
@@ -58,14 +65,32 @@
  * values on failure.
  *
  */
-int netlbl_cfg_map_del(const char *domain, struct netlbl_audit *audit_info)
+int netlbl_cfg_map_del(const char *domain,
+		       u16 family,
+		       const void *addr,
+		       const void *mask,
+		       struct netlbl_audit *audit_info)
 {
-	return netlbl_domhsh_remove(domain, audit_info);
+	if (addr == NULL && mask == NULL) {
+		return netlbl_domhsh_remove(domain, audit_info);
+	} else if (addr != NULL && mask != NULL) {
+		switch (family) {
+		case AF_INET:
+			return netlbl_domhsh_remove_af4(domain, addr, mask,
+							audit_info);
+		default:
+			return -EPFNOSUPPORT;
+		}
+	} else
+		return -EINVAL;
 }
  
 /**
- * netlbl_cfg_unlbl_add_map - Add an unlabeled NetLabel/LSM domain mapping
+ * netlbl_cfg_unlbl_map_add - Add a new unlabeled mapping
  * @domain: the domain mapping to add
+ * @family: address family
+ * @addr: IP address
+ * @mask: IP address mask
  * @audit_info: NetLabel audit information
  *
  * Description:
  
@@ -74,11 +99,19 @@
  * negative values on failure.
  *
  */
-int netlbl_cfg_unlbl_add_map(const char *domain,
+int netlbl_cfg_unlbl_map_add(const char *domain,
+			     u16 family,
+			     const void *addr,
+			     const void *mask,
 			     struct netlbl_audit *audit_info)
 {
 	int ret_val = -ENOMEM;
 	struct netlbl_dom_map *entry;
+	struct netlbl_domaddr_map *addrmap = NULL;
+	struct netlbl_domaddr4_map *map4 = NULL;
+	struct netlbl_domaddr6_map *map6 = NULL;
+	const struct in_addr *addr4, *mask4;
+	const struct in6_addr *addr6, *mask6;
  
 	entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
 	if (entry == NULL)
  
  
  
  
  
  
  
  
  
  
  
  
  
  
@@ -86,49 +119,225 @@
 	if (domain != NULL) {
 		entry->domain = kstrdup(domain, GFP_ATOMIC);
 		if (entry->domain == NULL)
-			goto cfg_unlbl_add_map_failure;
+			goto cfg_unlbl_map_add_failure;
 	}
-	entry->type = NETLBL_NLTYPE_UNLABELED;
  
+	if (addr == NULL && mask == NULL)
+		entry->type = NETLBL_NLTYPE_UNLABELED;
+	else if (addr != NULL && mask != NULL) {
+		addrmap = kzalloc(sizeof(*addrmap), GFP_ATOMIC);
+		if (addrmap == NULL)
+			goto cfg_unlbl_map_add_failure;
+		INIT_LIST_HEAD(&addrmap->list4);
+		INIT_LIST_HEAD(&addrmap->list6);
+
+		switch (family) {
+		case AF_INET:
+			addr4 = addr;
+			mask4 = mask;
+			map4 = kzalloc(sizeof(*map4), GFP_ATOMIC);
+			if (map4 == NULL)
+				goto cfg_unlbl_map_add_failure;
+			map4->type = NETLBL_NLTYPE_UNLABELED;
+			map4->list.addr = addr4->s_addr & mask4->s_addr;
+			map4->list.mask = mask4->s_addr;
+			map4->list.valid = 1;
+			ret_val = netlbl_af4list_add(&map4->list,
+						     &addrmap->list4);
+			if (ret_val != 0)
+				goto cfg_unlbl_map_add_failure;
+			break;
+		case AF_INET6:
+			addr6 = addr;
+			mask6 = mask;
+			map6 = kzalloc(sizeof(*map6), GFP_ATOMIC);
+			if (map4 == NULL)
+				goto cfg_unlbl_map_add_failure;
+			map6->type = NETLBL_NLTYPE_UNLABELED;
+			ipv6_addr_copy(&map6->list.addr, addr6);
+			map6->list.addr.s6_addr32[0] &= mask6->s6_addr32[0];
+			map6->list.addr.s6_addr32[1] &= mask6->s6_addr32[1];
+			map6->list.addr.s6_addr32[2] &= mask6->s6_addr32[2];
+			map6->list.addr.s6_addr32[3] &= mask6->s6_addr32[3];
+			ipv6_addr_copy(&map6->list.mask, mask6);
+			map6->list.valid = 1;
+			ret_val = netlbl_af4list_add(&map4->list,
+						     &addrmap->list4);
+			if (ret_val != 0)
+				goto cfg_unlbl_map_add_failure;
+			break;
+		default:
+			goto cfg_unlbl_map_add_failure;
+			break;
+		}
+
+		entry->type_def.addrsel = addrmap;
+		entry->type = NETLBL_NLTYPE_ADDRSELECT;
+	} else {
+		ret_val = -EINVAL;
+		goto cfg_unlbl_map_add_failure;
+	}
+
 	ret_val = netlbl_domhsh_add(entry, audit_info);
 	if (ret_val != 0)
-		goto cfg_unlbl_add_map_failure;
+		goto cfg_unlbl_map_add_failure;
  
 	return 0;
  
-cfg_unlbl_add_map_failure:
+cfg_unlbl_map_add_failure:
 	if (entry != NULL)
 		kfree(entry->domain);
 	kfree(entry);
+	kfree(addrmap);
+	kfree(map4);
+	kfree(map6);
 	return ret_val;
 }
  
+
 /**
- * netlbl_cfg_cipsov4_add_map - Add a new CIPSOv4 DOI definition and mapping
- * @doi_def: the DOI definition
+ * netlbl_cfg_unlbl_static_add - Adds a new static label
+ * @net: network namespace
+ * @dev_name: interface name
+ * @addr: IP address in network byte order (struct in[6]_addr)
+ * @mask: address mask in network byte order (struct in[6]_addr)
+ * @family: address family
+ * @secid: LSM secid value for the entry
+ * @audit_info: NetLabel audit information
+ *
+ * Description:
+ * Adds a new NetLabel static label to be used when protocol provided labels
+ * are not present on incoming traffic.  If @dev_name is NULL then the default
+ * interface will be used.  Returns zero on success, negative values on failure.
+ *
+ */
+int netlbl_cfg_unlbl_static_add(struct net *net,
+				const char *dev_name,
+				const void *addr,
+				const void *mask,
+				u16 family,
+				u32 secid,
+				struct netlbl_audit *audit_info)
+{
+	u32 addr_len;
+
+	switch (family) {
+	case AF_INET:
+		addr_len = sizeof(struct in_addr);
+		break;
+	case AF_INET6:
+		addr_len = sizeof(struct in6_addr);
+		break;
+	default:
+		return -EPFNOSUPPORT;
+	}
+
+	return netlbl_unlhsh_add(net,
+				 dev_name, addr, mask, addr_len,
+				 secid, audit_info);
+}
+
+/**
+ * netlbl_cfg_unlbl_static_del - Removes an existing static label
+ * @net: network namespace
+ * @dev_name: interface name
+ * @addr: IP address in network byte order (struct in[6]_addr)
+ * @mask: address mask in network byte order (struct in[6]_addr)
+ * @family: address family
+ * @secid: LSM secid value for the entry
+ * @audit_info: NetLabel audit information
+ *
+ * Description:
+ * Removes an existing NetLabel static label used when protocol provided labels
+ * are not present on incoming traffic.  If @dev_name is NULL then the default
+ * interface will be used.  Returns zero on success, negative values on failure.
+ *
+ */
+int netlbl_cfg_unlbl_static_del(struct net *net,
+				const char *dev_name,
+				const void *addr,
+				const void *mask,
+				u16 family,
+				struct netlbl_audit *audit_info)
+{
+	u32 addr_len;
+
+	switch (family) {
+	case AF_INET:
+		addr_len = sizeof(struct in_addr);
+		break;
+	case AF_INET6:
+		addr_len = sizeof(struct in6_addr);
+		break;
+	default:
+		return -EPFNOSUPPORT;
+	}
+
+	return netlbl_unlhsh_remove(net,
+				    dev_name, addr, mask, addr_len,
+				    audit_info);
+}
+
+/**
+ * netlbl_cfg_cipsov4_add - Add a new CIPSOv4 DOI definition
+ * @doi_def: CIPSO DOI definition
+ * @audit_info: NetLabel audit information
+ *
+ * Description:
+ * Add a new CIPSO DOI definition as defined by @doi_def.  Returns zero on
+ * success and negative values on failure.
+ *
+ */
+int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def,
+			   struct netlbl_audit *audit_info)
+{
+	return cipso_v4_doi_add(doi_def, audit_info);
+}
+
+/**
+ * netlbl_cfg_cipsov4_del - Remove an existing CIPSOv4 DOI definition
+ * @doi: CIPSO DOI
+ * @audit_info: NetLabel audit information
+ *
+ * Description:
+ * Remove an existing CIPSO DOI definition matching @doi.  Returns zero on
+ * success and negative values on failure.
+ *
+ */
+void netlbl_cfg_cipsov4_del(u32 doi, struct netlbl_audit *audit_info)
+{
+	cipso_v4_doi_remove(doi, audit_info);
+}
+
+/**
+ * netlbl_cfg_cipsov4_map_add - Add a new CIPSOv4 DOI mapping
+ * @doi: the CIPSO DOI
  * @domain: the domain mapping to add
+ * @addr: IP address
+ * @mask: IP address mask
  * @audit_info: NetLabel audit information
  *
  * Description:
- * Add a new CIPSOv4 DOI definition and NetLabel/LSM domain mapping for this
- * new DOI definition to the NetLabel subsystem.  A @domain value of NULL adds
- * a new default domain mapping.  Returns zero on success, negative values on
- * failure.
+ * Add a new NetLabel/LSM domain mapping for the given CIPSO DOI to the NetLabel
+ * subsystem.  A @domain value of NULL adds a new default domain mapping.
+ * Returns zero on success, negative values on failure.
  *
  */
-int netlbl_cfg_cipsov4_add_map(struct cipso_v4_doi *doi_def,
+int netlbl_cfg_cipsov4_map_add(u32 doi,
 			       const char *domain,
+			       const struct in_addr *addr,
+			       const struct in_addr *mask,
 			       struct netlbl_audit *audit_info)
 {
 	int ret_val = -ENOMEM;
-	u32 doi;
-	u32 doi_type;
+	struct cipso_v4_doi *doi_def;
 	struct netlbl_dom_map *entry;
-	const char *type_str;
-	struct audit_buffer *audit_buf;
+	struct netlbl_domaddr_map *addrmap = NULL;
+	struct netlbl_domaddr4_map *addrinfo = NULL;
  
-	doi = doi_def->doi;
-	doi_type = doi_def->type;
+	doi_def = cipso_v4_doi_getdef(doi);
+	if (doi_def == NULL)
+		return -ENOENT;
  
 	entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
 	if (entry == NULL)
  
  
  
  
  
  
  
@@ -136,56 +345,52 @@
 	if (domain != NULL) {
 		entry->domain = kstrdup(domain, GFP_ATOMIC);
 		if (entry->domain == NULL)
-			goto cfg_cipsov4_add_map_failure;
+			goto cfg_cipsov4_map_add_failure;
 	}
  
-	ret_val = cipso_v4_doi_add(doi_def);
-	if (ret_val != 0)
-		goto cfg_cipsov4_add_map_failure_remove_doi;
-	entry->type = NETLBL_NLTYPE_CIPSOV4;
-	entry->type_def.cipsov4 = cipso_v4_doi_getdef(doi);
-	if (entry->type_def.cipsov4 == NULL) {
-		ret_val = -ENOENT;
-		goto cfg_cipsov4_add_map_failure_remove_doi;
+	if (addr == NULL && mask == NULL) {
+		entry->type_def.cipsov4 = doi_def;
+		entry->type = NETLBL_NLTYPE_CIPSOV4;
+	} else if (addr != NULL && mask != NULL) {
+		addrmap = kzalloc(sizeof(*addrmap), GFP_ATOMIC);
+		if (addrmap == NULL)
+			goto cfg_cipsov4_map_add_failure;
+		INIT_LIST_HEAD(&addrmap->list4);
+		INIT_LIST_HEAD(&addrmap->list6);
+
+		addrinfo = kzalloc(sizeof(*addrinfo), GFP_ATOMIC);
+		if (addrinfo == NULL)
+			goto cfg_cipsov4_map_add_failure;
+		addrinfo->type_def.cipsov4 = doi_def;
+		addrinfo->type = NETLBL_NLTYPE_CIPSOV4;
+		addrinfo->list.addr = addr->s_addr & mask->s_addr;
+		addrinfo->list.mask = mask->s_addr;
+		addrinfo->list.valid = 1;
+		ret_val = netlbl_af4list_add(&addrinfo->list, &addrmap->list4);
+		if (ret_val != 0)
+			goto cfg_cipsov4_map_add_failure;
+
+		entry->type_def.addrsel = addrmap;
+		entry->type = NETLBL_NLTYPE_ADDRSELECT;
+	} else {
+		ret_val = -EINVAL;
+		goto cfg_cipsov4_map_add_failure;
 	}
+
 	ret_val = netlbl_domhsh_add(entry, audit_info);
 	if (ret_val != 0)
-		goto cfg_cipsov4_add_map_failure_release_doi;
+		goto cfg_cipsov4_map_add_failure;
  
-cfg_cipsov4_add_map_return:
-	audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD,
-					      audit_info);
-	if (audit_buf != NULL) {
-		switch (doi_type) {
-		case CIPSO_V4_MAP_TRANS:
-			type_str = "trans";
-			break;
-		case CIPSO_V4_MAP_PASS:
-			type_str = "pass";
-			break;
-		case CIPSO_V4_MAP_LOCAL:
-			type_str = "local";
-			break;
-		default:
-			type_str = "(unknown)";
-		}
-		audit_log_format(audit_buf,
-				 " cipso_doi=%u cipso_type=%s res=%u",
-				 doi, type_str, ret_val == 0 ? 1 : 0);
-		audit_log_end(audit_buf);
-	}
+	return 0;
  
-	return ret_val;
-
-cfg_cipsov4_add_map_failure_release_doi:
+cfg_cipsov4_map_add_failure:
 	cipso_v4_doi_putdef(doi_def);
-cfg_cipsov4_add_map_failure_remove_doi:
-	cipso_v4_doi_remove(doi, audit_info);
-cfg_cipsov4_add_map_failure:
 	if (entry != NULL)
 		kfree(entry->domain);
 	kfree(entry);
-	goto cfg_cipsov4_add_map_return;
+	kfree(addrmap);
+	kfree(addrinfo);
+	return ret_val;
 }
  
 /*
@@ -688,6 +893,28 @@
 		return cipso_v4_cache_add(skb, secattr);
  
 	return -ENOMSG;
+}
+
+/*
+ * Protocol Engine Functions
+ */
+
+/**
+ * netlbl_audit_start - Start an audit message
+ * @type: audit message type
+ * @audit_info: NetLabel audit information
+ *
+ * Description:
+ * Start an audit message using the type specified in @type and fill the audit
+ * message with some fields common to all NetLabel audit messages.  This
+ * function should only be used by protocol engines, not LSMs.  Returns a
+ * pointer to the audit buffer on success, NULL on failure.
+ *
+ */
+struct audit_buffer *netlbl_audit_start(int type,
+					struct netlbl_audit *audit_info)
+{
+	return netlbl_audit_start_common(type, audit_info);
 }
  
 /*
@@ -450,13 +450,13 @@
  * success, negative values on failure.
  *
  */
-static int netlbl_unlhsh_add(struct net *net,
-			     const char *dev_name,
-			     const void *addr,
-			     const void *mask,
-			     u32 addr_len,
-			     u32 secid,
-			     struct netlbl_audit *audit_info)
+int netlbl_unlhsh_add(struct net *net,
+		      const char *dev_name,
+		      const void *addr,
+		      const void *mask,
+		      u32 addr_len,
+		      u32 secid,
+		      struct netlbl_audit *audit_info)
 {
 	int ret_val;
 	int ifindex;
@@ -720,12 +720,12 @@
  * Returns zero on success, negative values on failure.
  *
  */
-static int netlbl_unlhsh_remove(struct net *net,
-				const char *dev_name,
-				const void *addr,
-				const void *mask,
-				u32 addr_len,
-				struct netlbl_audit *audit_info)
+int netlbl_unlhsh_remove(struct net *net,
+			 const char *dev_name,
+			 const void *addr,
+			 const void *mask,
+			 u32 addr_len,
+			 struct netlbl_audit *audit_info)
 {
 	int ret_val;
 	struct net_device *dev;
@@ -221,6 +221,21 @@
 /* General Unlabeled init function */
 int netlbl_unlabel_init(u32 size);
  
+/* Static/Fallback label management functions */
+int netlbl_unlhsh_add(struct net *net,
+		      const char *dev_name,
+		      const void *addr,
+		      const void *mask,
+		      u32 addr_len,
+		      u32 secid,
+		      struct netlbl_audit *audit_info);
+int netlbl_unlhsh_remove(struct net *net,
+			 const char *dev_name,
+			 const void *addr,
+			 const void *mask,
+			 u32 addr_len,
+			 struct netlbl_audit *audit_info);
+
 /* Process Unlabeled incoming network packets */
 int netlbl_unlabel_getattr(const struct sk_buff *skb,
 			   u16 family,
@@ -45,26 +45,22 @@
 /**
  * cap_capable - Determine whether a task has a particular effective capability
  * @tsk: The task to query
+ * @cred: The credentials to use
  * @cap: The capability to check for
  * @audit: Whether to write an audit message or not
  *
  * Determine whether the nominated task has the specified capability amongst
  * its effective set, returning 0 if it does, -ve if it does not.
  *
- * NOTE WELL: cap_capable() cannot be used like the kernel's capable()
- * function.  That is, it has the reverse semantics: cap_capable() returns 0
- * when a task has a capability, but the kernel's capable() returns 1 for this
- * case.
+ * NOTE WELL: cap_has_capability() cannot be used like the kernel's capable()
+ * and has_capability() functions.  That is, it has the reverse semantics:
+ * cap_has_capability() returns 0 when a task has a capability, but the
+ * kernel's capable() and has_capability() returns 1 for this case.
  */
-int cap_capable(struct task_struct *tsk, int cap, int audit)
+int cap_capable(struct task_struct *tsk, const struct cred *cred, int cap,
+		int audit)
 {
-	__u32 cap_raised;
-
-	/* Derived from include/linux/sched.h:capable. */
-	rcu_read_lock();
-	cap_raised = cap_raised(__task_cred(tsk)->cap_effective, cap);
-	rcu_read_unlock();
-	return cap_raised ? 0 : -EPERM;
+	return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
 }
  
 /**
@@ -160,7 +156,8 @@
 	/* they are so limited unless the current task has the CAP_SETPCAP
 	 * capability
 	 */
-	if (cap_capable(current, CAP_SETPCAP, SECURITY_CAP_AUDIT) == 0)
+	if (cap_capable(current, current_cred(), CAP_SETPCAP,
+			SECURITY_CAP_AUDIT) == 0)
 		return 0;
 #endif
 	return 1;
@@ -869,7 +866,8 @@
 		     & (new->securebits ^ arg2))			/*[1]*/
 		    || ((new->securebits & SECURE_ALL_LOCKS & ~arg2))	/*[2]*/
 		    || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS))	/*[3]*/
-		    || (cap_capable(current, CAP_SETPCAP, SECURITY_CAP_AUDIT) != 0) /*[4]*/
+		    || (cap_capable(current, current_cred(), CAP_SETPCAP,
+				    SECURITY_CAP_AUDIT) != 0)		/*[4]*/
 			/*
 			 * [1] no changing of bits that are locked
 			 * [2] no unlocking of locks
@@ -950,7 +948,8 @@
 {
 	int cap_sys_admin = 0;
  
-	if (cap_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT) == 0)
+	if (cap_capable(current, current_cred(), CAP_SYS_ADMIN,
+			SECURITY_CAP_NOAUDIT) == 0)
 		cap_sys_admin = 1;
 	return __vm_enough_memory(mm, pages, cap_sys_admin);
 }
@@ -1294,7 +1294,7 @@
  
 	case KEYCTL_GET_SECURITY:
 		return keyctl_get_security((key_serial_t) arg2,
-					   (char *) arg3,
+					   (char __user *) arg3,
 					   (size_t) arg4);
  
 	default:
@@ -154,14 +154,32 @@
 				    effective, inheritable, permitted);
 }
  
-int security_capable(struct task_struct *tsk, int cap)
+int security_capable(int cap)
 {
-	return security_ops->capable(tsk, cap, SECURITY_CAP_AUDIT);
+	return security_ops->capable(current, current_cred(), cap,
+				     SECURITY_CAP_AUDIT);
 }
  
-int security_capable_noaudit(struct task_struct *tsk, int cap)
+int security_real_capable(struct task_struct *tsk, int cap)
 {
-	return security_ops->capable(tsk, cap, SECURITY_CAP_NOAUDIT);
+	const struct cred *cred;
+	int ret;
+
+	cred = get_task_cred(tsk);
+	ret = security_ops->capable(tsk, cred, cap, SECURITY_CAP_AUDIT);
+	put_cred(cred);
+	return ret;
+}
+
+int security_real_capable_noaudit(struct task_struct *tsk, int cap)
+{
+	const struct cred *cred;
+	int ret;
+
+	cred = get_task_cred(tsk);
+	ret = security_ops->capable(tsk, cred, cap, SECURITY_CAP_NOAUDIT);
+	put_cred(cred);
+	return ret;
 }
  
 int security_acct(struct file *file)
@@ -94,33 +94,6 @@
  
 	  If you are unsure how to answer this question, answer 1.
  
-config SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT
-	bool "NSA SELinux enable new secmark network controls by default"
-	depends on SECURITY_SELINUX
-	default n
-	help
-	  This option determines whether the new secmark-based network
-	  controls will be enabled by default.  If not, the old internal
-	  per-packet controls will be enabled by default, preserving
-	  old behavior.
-
-	  If you enable the new controls, you will need updated
-	  SELinux userspace libraries, tools and policy.  Typically,
-	  your distribution will provide these and enable the new controls
-	  in the kernel they also distribute.
-
-	  Note that this option can be overridden at boot with the
-	  selinux_compat_net parameter, and after boot via
-	  /selinux/compat_net.  See Documentation/kernel-parameters.txt
-	  for details on this parameter.
-
-	  If you enable the new network controls, you will likely
-	  also require the SECMARK and CONNSECMARK targets, as
-	  well as any conntrack helpers for protocols which you
-	  wish to control.
-
-	  If you are unsure what to do here, select N.
-
 config SECURITY_SELINUX_POLICYDB_VERSION_MAX
 	bool "NSA SELinux maximum supported policy format version"
 	depends on SECURITY_SELINUX
@@ -53,18 +53,20 @@
 #undef S_
  
 static const struct av_inherit av_inherit[] = {
-#define S_(c, i, b) { c, common_##i##_perm_to_string, b },
+#define S_(c, i, b) {	.tclass = c,\
+			.common_pts = common_##i##_perm_to_string,\
+			.common_base =  b },
 #include "av_inherit.h"
 #undef S_
 };
  
 const struct selinux_class_perm selinux_class_perm = {
-	av_perm_to_string,
-	ARRAY_SIZE(av_perm_to_string),
-	class_to_string,
-	ARRAY_SIZE(class_to_string),
-	av_inherit,
-	ARRAY_SIZE(av_inherit)
+	.av_perm_to_string = av_perm_to_string,
+	.av_pts_len = ARRAY_SIZE(av_perm_to_string),
+	.class_to_string = class_to_string,
+	.cts_len = ARRAY_SIZE(class_to_string),
+	.av_inherit = av_inherit,
+	.av_inherit_len = ARRAY_SIZE(av_inherit)
 };
  
 #define AVC_CACHE_SLOTS			512
@@ -1433,12 +1433,13 @@
  
 /* Check whether a task is allowed to use a capability. */
 static int task_has_capability(struct task_struct *tsk,
+			       const struct cred *cred,
 			       int cap, int audit)
 {
 	struct avc_audit_data ad;
 	struct av_decision avd;
 	u16 sclass;
-	u32 sid = task_sid(tsk);
+	u32 sid = cred_sid(cred);
 	u32 av = CAP_TO_MASK(cap);
 	int rc;
  
  
  
@@ -1865,15 +1866,16 @@
 	return cred_has_perm(old, new, PROCESS__SETCAP);
 }
  
-static int selinux_capable(struct task_struct *tsk, int cap, int audit)
+static int selinux_capable(struct task_struct *tsk, const struct cred *cred,
+			   int cap, int audit)
 {
 	int rc;
  
-	rc = secondary_ops->capable(tsk, cap, audit);
+	rc = secondary_ops->capable(tsk, cred, cap, audit);
 	if (rc)
 		return rc;
  
-	return task_has_capability(tsk, cap, audit);
+	return task_has_capability(tsk, cred, cap, audit);
 }
  
 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
@@ -2037,7 +2039,8 @@
 {
 	int rc, cap_sys_admin = 0;
  
-	rc = selinux_capable(current, CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
+	rc = selinux_capable(current, current_cred(), CAP_SYS_ADMIN,
+			     SECURITY_CAP_NOAUDIT);
 	if (rc == 0)
 		cap_sys_admin = 1;
  
@@ -2880,7 +2883,8 @@
 	 * and lack of permission just means that we fall back to the
 	 * in-core context value, not a denial.
 	 */
-	error = selinux_capable(current, CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
+	error = selinux_capable(current, current_cred(), CAP_MAC_ADMIN,
+				SECURITY_CAP_NOAUDIT);
 	if (!error)
 		error = security_sid_to_context_force(isec->sid, &context,
 						      &size);
@@ -4185,7 +4189,7 @@
 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
 				       u16 family)
 {
-	int err;
+	int err = 0;
 	struct sk_security_struct *sksec = sk->sk_security;
 	u32 peer_sid;
 	u32 sk_sid = sksec->sid;
@@ -4202,7 +4206,7 @@
 	if (selinux_compat_net)
 		err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
 							   family, addrp);
-	else
+	else if (selinux_secmark_enabled())
 		err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
 				   PACKET__RECV, &ad);
 	if (err)
@@ -4705,7 +4709,7 @@
 		if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
 							 &ad, family, addrp))
 			return NF_DROP;
-	} else {
+	} else if (selinux_secmark_enabled()) {
 		if (avc_has_perm(sksec->sid, skb->secmark,
 				 SECCLASS_PACKET, PACKET__SEND, &ad))
 			return NF_DROP;
@@ -17,16 +17,16 @@
 };
  
 struct av_inherit {
-	u16 tclass;
 	const char **common_pts;
 	u32 common_base;
+	u16 tclass;
 };
  
 struct selinux_class_perm {
 	const struct av_perm_to_string *av_perm_to_string;
 	u32 av_pts_len;
-	const char **class_to_string;
 	u32 cts_len;
+	const char **class_to_string;
 	const struct av_inherit *av_inherit;
 	u32 av_inherit_len;
 };
@@ -47,14 +47,8 @@
  
 unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
  
-#ifdef CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT
-#define SELINUX_COMPAT_NET_VALUE 0
-#else
-#define SELINUX_COMPAT_NET_VALUE 1
-#endif
+int selinux_compat_net = 0;
  
-int selinux_compat_net = SELINUX_COMPAT_NET_VALUE;
-
 static int __init checkreqprot_setup(char *str)
 {
 	unsigned long checkreqprot;
@@ -494,7 +488,13 @@
 	if (sscanf(page, "%d", &new_value) != 1)
 		goto out;
  
-	selinux_compat_net = new_value ? 1 : 0;
+	if (new_value) {
+		printk(KERN_NOTICE
+		       "SELinux: compat_net is deprecated, please use secmark"
+		       " instead\n");
+		selinux_compat_net = 1;
+	} else
+		selinux_compat_net = 0;
 	length = count;
 out:
 	free_page((unsigned long) page);
@@ -27,9 +27,9 @@
 	u32 user;
 	u32 role;
 	u32 type;
+	u32 len;        /* length of string in bytes */
 	struct mls_range range;
 	char *str;	/* string representation if context cannot be mapped. */
-	u32 len;        /* length of string in bytes */
 };
  
 static inline void mls_context_init(struct context *c)
@@ -16,6 +16,7 @@
 #include <linux/capability.h>
 #include <linux/spinlock.h>
 #include <linux/security.h>
+#include <linux/in.h>
 #include <net/netlabel.h>
  
 /*
@@ -39,6 +40,7 @@
 struct socket_smack {
 	char		*smk_out;			/* outbound label */
 	char		*smk_in;			/* inbound label */
+	int		smk_labeled;			/* label scheme */
 	char		smk_packet[SMK_LABELLEN];	/* TCP peer label */
 };
  
@@ -80,6 +82,16 @@
 };
  
 /*
+ * An entry in the table identifying hosts.
+ */
+struct smk_netlbladdr {
+	struct smk_netlbladdr	*smk_next;
+	struct sockaddr_in	smk_host;	/* network address */
+	struct in_addr		smk_mask;	/* network mask */
+	char			*smk_label;	/* label */
+};
+
+/*
  * This is the repository for labels seen so that it is
  * not necessary to keep allocating tiny chuncks of memory
  * and so that they can be shared.
@@ -127,6 +139,20 @@
 #define XATTR_NAME_SMACKIPOUT	XATTR_SECURITY_PREFIX XATTR_SMACK_IPOUT
  
 /*
+ * How communications on this socket are treated.
+ * Usually it's determined by the underlying netlabel code
+ * but there are certain cases, including single label hosts
+ * and potentially single label interfaces for which the
+ * treatment can not be known in advance.
+ *
+ * The possibility of additional labeling schemes being
+ * introduced in the future exists as well.
+ */
+#define SMACK_UNLABELED_SOCKET	0
+#define SMACK_CIPSO_SOCKET	1
+
+/*
+ * smackfs magic number
  * smackfs macic number
  */
 #define SMACK_MAGIC	0x43415d53 /* "SMAC" */
@@ -141,6 +167,7 @@
  * CIPSO defaults.
  */
 #define SMACK_CIPSO_DOI_DEFAULT		3	/* Historical */
+#define SMACK_CIPSO_DOI_INVALID		-1	/* Not a DOI */
 #define SMACK_CIPSO_DIRECT_DEFAULT	250	/* Arbitrary */
 #define SMACK_CIPSO_MAXCATVAL		63	/* Bigger gets harder */
 #define SMACK_CIPSO_MAXLEVEL            255     /* CIPSO 2.2 standard */
@@ -176,7 +203,6 @@
  * Shared data.
  */
 extern int smack_cipso_direct;
-extern int smack_net_nltype;
 extern char *smack_net_ambient;
 extern char *smack_onlycap;
  
  
@@ -186,9 +212,10 @@
 extern struct smack_known smack_known_huh;
 extern struct smack_known smack_known_invalid;
 extern struct smack_known smack_known_star;
-extern struct smack_known smack_known_unset;
+extern struct smack_known smack_known_web;
  
 extern struct smk_list_entry *smack_list;
+extern struct smk_netlbladdr *smack_netlbladdrs;
 extern struct security_operations smack_ops;
  
 /*
@@ -15,15 +15,8 @@
 #include <linux/sched.h>
 #include "smack.h"
  
-struct smack_known smack_known_unset = {
-	.smk_next	= NULL,
-	.smk_known	= "UNSET",
-	.smk_secid	= 1,
-	.smk_cipso	= NULL,
-};
-
 struct smack_known smack_known_huh = {
-	.smk_next	= &smack_known_unset,
+	.smk_next	= NULL,
 	.smk_known	= "?",
 	.smk_secid	= 2,
 	.smk_cipso	= NULL,
  
@@ -57,8 +50,15 @@
 	.smk_cipso	= NULL,
 };
  
-struct smack_known *smack_known = &smack_known_invalid;
+struct smack_known smack_known_web = {
+	.smk_next	= &smack_known_invalid,
+	.smk_known	= "@",
+	.smk_secid	= 7,
+	.smk_cipso	= NULL,
+};
  
+struct smack_known *smack_known = &smack_known_web;
+
 /*
  * The initial value needs to be bigger than any of the
  * known values above.
@@ -98,6 +98,16 @@
 	if (subject_label == smack_known_star.smk_known ||
 	    strcmp(subject_label, smack_known_star.smk_known) == 0)
 		return -EACCES;
+	/*
+	 * An internet object can be accessed by any subject.
+	 * Tasks cannot be assigned the internet label.
+	 * An internet subject can access any object.
+	 */
+	if (object_label == smack_known_web.smk_known ||
+	    subject_label == smack_known_web.smk_known ||
+	    strcmp(object_label, smack_known_web.smk_known) == 0 ||
+	    strcmp(subject_label, smack_known_web.smk_known) == 0)
+		return 0;
 	/*
 	 * A star object can be accessed by any subject.
 	 */
@@ -1277,6 +1277,7 @@
  
 	ssp->smk_in = csp;
 	ssp->smk_out = csp;
+	ssp->smk_labeled = SMACK_CIPSO_SOCKET;
 	ssp->smk_packet[0] = '\0';
  
 	sk->sk_security = ssp;
  
  
  
  
  
  
@@ -1341,46 +1342,70 @@
 	struct smack_cipso cipso;
 	int rc;
  
-	switch (smack_net_nltype) {
-	case NETLBL_NLTYPE_CIPSOV4:
-		nlsp->domain = smack;
-		nlsp->flags = NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL;
+	nlsp->domain = smack;
+	nlsp->flags = NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL;
  
-		rc = smack_to_cipso(smack, &cipso);
-		if (rc == 0) {
-			nlsp->attr.mls.lvl = cipso.smk_level;
-			smack_set_catset(cipso.smk_catset, nlsp);
-		} else {
-			nlsp->attr.mls.lvl = smack_cipso_direct;
-			smack_set_catset(smack, nlsp);
-		}
-		break;
-	default:
-		break;
+	rc = smack_to_cipso(smack, &cipso);
+	if (rc == 0) {
+		nlsp->attr.mls.lvl = cipso.smk_level;
+		smack_set_catset(cipso.smk_catset, nlsp);
+	} else {
+		nlsp->attr.mls.lvl = smack_cipso_direct;
+		smack_set_catset(smack, nlsp);
 	}
 }
  
 /**
  * smack_netlabel - Set the secattr on a socket
  * @sk: the socket
+ * @labeled: socket label scheme
  *
  * Convert the outbound smack value (smk_out) to a
  * secattr and attach it to the socket.
  *
  * Returns 0 on success or an error code
  */
-static int smack_netlabel(struct sock *sk)
+static int smack_netlabel(struct sock *sk, int labeled)
 {
 	struct socket_smack *ssp;
 	struct netlbl_lsm_secattr secattr;
-	int rc;
+	int rc = 0;
  
 	ssp = sk->sk_security;
-	netlbl_secattr_init(&secattr);
-	smack_to_secattr(ssp->smk_out, &secattr);
-	rc = netlbl_sock_setattr(sk, &secattr);
-	netlbl_secattr_destroy(&secattr);
+	/*
+	 * Usually the netlabel code will handle changing the
+	 * packet labeling based on the label.
+	 * The case of a single label host is different, because
+	 * a single label host should never get a labeled packet
+	 * even though the label is usually associated with a packet
+	 * label.
+	 */
+	local_bh_disable();
+	bh_lock_sock_nested(sk);
  
+	if (ssp->smk_out == smack_net_ambient ||
+	    labeled == SMACK_UNLABELED_SOCKET)
+		netlbl_sock_delattr(sk);
+	else {
+		netlbl_secattr_init(&secattr);
+		smack_to_secattr(ssp->smk_out, &secattr);
+		rc = netlbl_sock_setattr(sk, &secattr);
+		netlbl_secattr_destroy(&secattr);
+	}
+
+	bh_unlock_sock(sk);
+	local_bh_enable();
+	/*
+	 * Remember the label scheme used so that it is not
+	 * necessary to do the netlabel setting if it has not
+	 * changed the next time through.
+	 *
+	 * The -EDESTADDRREQ case is an indication that there's
+	 * a single level host involved.
+	 */
+	if (rc == 0)
+		ssp->smk_labeled = labeled;
+
 	return rc;
 }
  
@@ -1432,7 +1457,7 @@
 		ssp->smk_in = sp;
 	else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) {
 		ssp->smk_out = sp;
-		rc = smack_netlabel(sock->sk);
+		rc = smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET);
 		if (rc != 0)
 			printk(KERN_WARNING "Smack: \"%s\" netlbl error %d.\n",
 			       __func__, -rc);
  
  
@@ -1462,10 +1487,111 @@
 	/*
 	 * Set the outbound netlbl.
 	 */
-	return smack_netlabel(sock->sk);
+	return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET);
 }
  
+
 /**
+ * smack_host_label - check host based restrictions
+ * @sip: the object end
+ *
+ * looks for host based access restrictions
+ *
+ * This version will only be appropriate for really small
+ * sets of single label hosts. Because of the masking
+ * it cannot shortcut out on the first match. There are
+ * numerious ways to address the problem, but none of them
+ * have been applied here.
+ *
+ * Returns the label of the far end or NULL if it's not special.
+ */
+static char *smack_host_label(struct sockaddr_in *sip)
+{
+	struct smk_netlbladdr *snp;
+	char *bestlabel = NULL;
+	struct in_addr *siap = &sip->sin_addr;
+	struct in_addr *liap;
+	struct in_addr *miap;
+	struct in_addr bestmask;
+
+	if (siap->s_addr == 0)
+		return NULL;
+
+	bestmask.s_addr = 0;
+
+	for (snp = smack_netlbladdrs; snp != NULL; snp = snp->smk_next) {
+		liap = &snp->smk_host.sin_addr;
+		miap = &snp->smk_mask;
+		/*
+		 * If the addresses match after applying the list entry mask
+		 * the entry matches the address. If it doesn't move along to
+		 * the next entry.
+		 */
+		if ((liap->s_addr & miap->s_addr) !=
+		    (siap->s_addr & miap->s_addr))
+			continue;
+		/*
+		 * If the list entry mask identifies a single address
+		 * it can't get any more specific.
+		 */
+		if (miap->s_addr == 0xffffffff)
+			return snp->smk_label;
+		/*
+		 * If the list entry mask is less specific than the best
+		 * already found this entry is uninteresting.
+		 */
+		if ((miap->s_addr | bestmask.s_addr) == bestmask.s_addr)
+			continue;
+		/*
+		 * This is better than any entry found so far.
+		 */
+		bestmask.s_addr = miap->s_addr;
+		bestlabel = snp->smk_label;
+	}
+
+	return bestlabel;
+}
+
+/**
+ * smack_socket_connect - connect access check
+ * @sock: the socket
+ * @sap: the other end
+ * @addrlen: size of sap
+ *
+ * Verifies that a connection may be possible
+ *
+ * Returns 0 on success, and error code otherwise
+ */
+static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
+				int addrlen)
+{
+	struct socket_smack *ssp = sock->sk->sk_security;
+	char *hostsp;
+	int rc;
+
+	if (sock->sk == NULL || sock->sk->sk_family != PF_INET)
+		return 0;
+
+	if (addrlen < sizeof(struct sockaddr_in))
+		return -EINVAL;
+
+	hostsp = smack_host_label((struct sockaddr_in *)sap);
+	if (hostsp == NULL) {
+		if (ssp->smk_labeled != SMACK_CIPSO_SOCKET)
+			return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET);
+		return 0;
+	}
+
+	rc = smk_access(ssp->smk_out, hostsp, MAY_WRITE);
+	if (rc != 0)
+		return rc;
+
+	if (ssp->smk_labeled != SMACK_UNLABELED_SOCKET)
+		return smack_netlabel(sock->sk, SMACK_UNLABELED_SOCKET);
+	return 0;
+}
+
+/**
  * smack_flags_to_may - convert S_ to MAY_ values
  * @flags: the S_ value
  *
  
@@ -2101,8 +2227,14 @@
 	if (newsmack == NULL)
 		return -EINVAL;
  
+	/*
+	 * No process is ever allowed the web ("@") label.
+	 */
+	if (newsmack == smack_known_web.smk_known)
+		return -EPERM;
+
 	new = prepare_creds();
-	if (!new)
+	if (new == NULL)
 		return -ENOMEM;
 	new->security = newsmack;
 	commit_creds(new);
@@ -2144,6 +2276,49 @@
 }
  
 /**
+ * smack_socket_sendmsg - Smack check based on destination host
+ * @sock: the socket
+ * @msghdr: the message
+ * @size: the size of the message
+ *
+ * Return 0 if the current subject can write to the destination
+ * host. This is only a question if the destination is a single
+ * label host.
+ */
+static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
+				int size)
+{
+	struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name;
+	struct socket_smack *ssp = sock->sk->sk_security;
+	char *hostsp;
+	int rc;
+
+	/*
+	 * Perfectly reasonable for this to be NULL
+	 */
+	if (sip == NULL || sip->sin_family != PF_INET)
+		return 0;
+
+	hostsp = smack_host_label(sip);
+	if (hostsp == NULL) {
+		if (ssp->smk_labeled != SMACK_CIPSO_SOCKET)
+			return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET);
+		return 0;
+	}
+
+	rc = smk_access(ssp->smk_out, hostsp, MAY_WRITE);
+	if (rc != 0)
+		return rc;
+
+	if (ssp->smk_labeled != SMACK_UNLABELED_SOCKET)
+		return smack_netlabel(sock->sk, SMACK_UNLABELED_SOCKET);
+
+	return 0;
+
+}
+
+
+/**
  * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat
  * 	pair to smack
  * @sap: netlabel secattr
  
  
  
  
  
  
  
@@ -2154,44 +2329,66 @@
 static void smack_from_secattr(struct netlbl_lsm_secattr *sap, char *sip)
 {
 	char smack[SMK_LABELLEN];
+	char *sp;
 	int pcat;
  
-	if ((sap->flags & NETLBL_SECATTR_MLS_LVL) == 0) {
+	if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) {
 		/*
+		 * Looks like a CIPSO packet.
 		 * If there are flags but no level netlabel isn't
 		 * behaving the way we expect it to.
 		 *
+		 * Get the categories, if any
 		 * Without guidance regarding the smack value
 		 * for the packet fall back on the network
 		 * ambient value.
 		 */
-		strncpy(sip, smack_net_ambient, SMK_MAXLEN);
+		memset(smack, '\0', SMK_LABELLEN);
+		if ((sap->flags & NETLBL_SECATTR_MLS_CAT) != 0)
+			for (pcat = -1;;) {
+				pcat = netlbl_secattr_catmap_walk(
+					sap->attr.mls.cat, pcat + 1);
+				if (pcat < 0)
+					break;
+				smack_catset_bit(pcat, smack);
+			}
+		/*
+		 * If it is CIPSO using smack direct mapping
+		 * we are already done. WeeHee.
+		 */
+		if (sap->attr.mls.lvl == smack_cipso_direct) {
+			memcpy(sip, smack, SMK_MAXLEN);
+			return;
+		}
+		/*
+		 * Look it up in the supplied table if it is not
+		 * a direct mapping.
+		 */
+		smack_from_cipso(sap->attr.mls.lvl, smack, sip);
 		return;
 	}
-	/*
-	 * Get the categories, if any
-	 */
-	memset(smack, '\0', SMK_LABELLEN);
-	if ((sap->flags & NETLBL_SECATTR_MLS_CAT) != 0)
-		for (pcat = -1;;) {
-			pcat = netlbl_secattr_catmap_walk(sap->attr.mls.cat,
-							  pcat + 1);
-			if (pcat < 0)
-				break;
-			smack_catset_bit(pcat, smack);
-		}
-	/*
-	 * If it is CIPSO using smack direct mapping
-	 * we are already done. WeeHee.
-	 */
-	if (sap->attr.mls.lvl == smack_cipso_direct) {
-		memcpy(sip, smack, SMK_MAXLEN);
+	if ((sap->flags & NETLBL_SECATTR_SECID) != 0) {
+		/*
+		 * Looks like a fallback, which gives us a secid.
+		 */
+		sp = smack_from_secid(sap->attr.secid);
+		/*
+		 * This has got to be a bug because it is
+		 * impossible to specify a fallback without
+		 * specifying the label, which will ensure
+		 * it has a secid, and the only way to get a
+		 * secid is from a fallback.
+		 */
+		BUG_ON(sp == NULL);
+		strncpy(sip, sp, SMK_MAXLEN);
 		return;
 	}
 	/*
-	 * Look it up in the supplied table if it is not a direct mapping.
+	 * Without guidance regarding the smack value
+	 * for the packet fall back on the network
+	 * ambient value.
 	 */
-	smack_from_cipso(sap->attr.mls.lvl, smack, sip);
+	strncpy(sip, smack_net_ambient, SMK_MAXLEN);
 	return;
 }
  
@@ -2207,6 +2404,7 @@
 	struct netlbl_lsm_secattr secattr;
 	struct socket_smack *ssp = sk->sk_security;
 	char smack[SMK_LABELLEN];
+	char *csp;
 	int rc;
  
 	if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)
  
  
  
  
  
@@ -2215,21 +2413,24 @@
 	/*
 	 * Translate what netlabel gave us.
 	 */
-	memset(smack, '\0', SMK_LABELLEN);
 	netlbl_secattr_init(&secattr);
+
 	rc = netlbl_skbuff_getattr(skb, sk->sk_family, &secattr);
-	if (rc == 0)
+	if (rc == 0) {
 		smack_from_secattr(&secattr, smack);
-	else
-		strncpy(smack, smack_net_ambient, SMK_MAXLEN);
+		csp = smack;
+	} else
+		csp = smack_net_ambient;
+
 	netlbl_secattr_destroy(&secattr);
+
 	/*
 	 * Receiving a packet requires that the other end
 	 * be able to write here. Read access is not required.
 	 * This is the simplist possible security model
 	 * for networking.
 	 */
-	rc = smk_access(smack, ssp->smk_in, MAY_WRITE);
+	rc = smk_access(csp, ssp->smk_in, MAY_WRITE);
 	if (rc != 0)
 		netlbl_skbuff_err(skb, rc, 0);
 	return rc;
@@ -2298,7 +2499,6 @@
 	/*
 	 * Translate what netlabel gave us.
 	 */
-	memset(smack, '\0', SMK_LABELLEN);
 	netlbl_secattr_init(&secattr);
 	rc = netlbl_skbuff_getattr(skb, family, &secattr);
 	if (rc == 0)
@@ -2341,7 +2541,7 @@
 	ssp->smk_in = ssp->smk_out = current_security();
 	ssp->smk_packet[0] = '\0';
  
-	rc = smack_netlabel(sk);
+	rc = smack_netlabel(sk, SMACK_CIPSO_SOCKET);
 	if (rc != 0)
 		printk(KERN_WARNING "Smack: \"%s\" netlbl error %d.\n",
 		       __func__, -rc);
@@ -2367,7 +2567,6 @@
 	if (skb == NULL)
 		return -EACCES;
  
-	memset(smack, '\0', SMK_LABELLEN);
 	netlbl_secattr_init(&skb_secattr);
 	rc = netlbl_skbuff_getattr(skb, sk->sk_family, &skb_secattr);
 	if (rc == 0)
@@ -2732,6 +2931,8 @@
 	.unix_may_send = 		smack_unix_may_send,
  
 	.socket_post_create = 		smack_socket_post_create,
+	.socket_connect =		smack_socket_connect,
+	.socket_sendmsg =		smack_socket_sendmsg,
 	.socket_sock_rcv_skb = 		smack_socket_sock_rcv_skb,
 	.socket_getpeersec_stream =	smack_socket_getpeersec_stream,
 	.socket_getpeersec_dgram =	smack_socket_getpeersec_dgram,
@@ -2783,7 +2984,6 @@
 	/*
 	 * Initialize locks
 	 */
-	spin_lock_init(&smack_known_unset.smk_cipsolock);
 	spin_lock_init(&smack_known_huh.smk_cipsolock);
 	spin_lock_init(&smack_known_hat.smk_cipsolock);
 	spin_lock_init(&smack_known_star.smk_cipsolock);
@@ -20,6 +20,7 @@
 #include <linux/vmalloc.h>
 #include <linux/security.h>
 #include <linux/mutex.h>
+#include <net/net_namespace.h>
 #include <net/netlabel.h>
 #include <net/cipso_ipv4.h>
 #include <linux/seq_file.h>
@@ -38,7 +39,7 @@
 	SMK_DOI		= 5,	/* CIPSO DOI */
 	SMK_DIRECT	= 6,	/* CIPSO level indicating direct label */
 	SMK_AMBIENT	= 7,	/* internet ambient label */
-	SMK_NLTYPE	= 8,	/* label scheme to use by default */
+	SMK_NETLBLADDR	= 8,	/* single label hosts */
 	SMK_ONLYCAP	= 9,	/* the only "capable" label */
 };
  
@@ -48,6 +49,7 @@
 static DEFINE_MUTEX(smack_list_lock);
 static DEFINE_MUTEX(smack_cipso_lock);
 static DEFINE_MUTEX(smack_ambient_lock);
+static DEFINE_MUTEX(smk_netlbladdr_lock);
  
 /*
  * This is the "ambient" label for network traffic.
@@ -57,12 +59,6 @@
 char *smack_net_ambient = smack_known_floor.smk_known;
  
 /*
- * This is the default packet marking scheme for network traffic.
- * It can be reset via smackfs/nltype
- */
-int smack_net_nltype = NETLBL_NLTYPE_CIPSOV4;
-
-/*
  * This is the level in a CIPSO header that indicates a
  * smack label is contained directly in the category set.
  * It can be reset via smackfs/direct
@@ -79,6 +75,13 @@
  */
 char *smack_onlycap;
  
+/*
+ * Certain IP addresses may be designated as single label hosts.
+ * Packets are sent there unlabeled, but only from tasks that
+ * can write to the specified label.
+ */
+struct smk_netlbladdr *smack_netlbladdrs;
+
 static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT;
 struct smk_list_entry *smack_list;
  
  
@@ -104,8 +107,26 @@
 #define SMK_ACCESSLEN (sizeof(SMK_ACCESS) - 1)
 #define SMK_LOADLEN   (SMK_LABELLEN + SMK_LABELLEN + SMK_ACCESSLEN)
  
+/**
+ * smk_netlabel_audit_set - fill a netlbl_audit struct
+ * @nap: structure to fill
+ */
+static void smk_netlabel_audit_set(struct netlbl_audit *nap)
+{
+	nap->loginuid = audit_get_loginuid(current);
+	nap->sessionid = audit_get_sessionid(current);
+	nap->secid = smack_to_secid(current_security());
+}
  
 /*
+ * Values for parsing single label host rules
+ * "1.2.3.4 X"
+ * "192.168.138.129/32 abcdefghijklmnopqrstuvw"
+ */
+#define SMK_NETLBLADDRMIN	9
+#define SMK_NETLBLADDRMAX	42
+
+/*
  * Seq_file read operations for /smack/load
  */
  
  
  
@@ -344,13 +365,11 @@
 {
 	int rc;
 	struct cipso_v4_doi *doip;
-	struct netlbl_audit audit_info;
+	struct netlbl_audit nai;
  
-	audit_info.loginuid = audit_get_loginuid(current);
-	audit_info.sessionid = audit_get_sessionid(current);
-	audit_info.secid = smack_to_secid(current_security());
+	smk_netlabel_audit_set(&nai);
  
-	rc = netlbl_cfg_map_del(NULL, &audit_info);
+	rc = netlbl_cfg_map_del(NULL, PF_INET, NULL, NULL, &nai);
 	if (rc != 0)
 		printk(KERN_WARNING "%s:%d remove rc = %d\n",
 		       __func__, __LINE__, rc);
  
  
  
@@ -365,12 +384,20 @@
 	for (rc = 1; rc < CIPSO_V4_TAG_MAXCNT; rc++)
 		doip->tags[rc] = CIPSO_V4_TAG_INVALID;
  
-	rc = netlbl_cfg_cipsov4_add_map(doip, NULL, &audit_info);
+	rc = netlbl_cfg_cipsov4_add(doip, &nai);
 	if (rc != 0) {
-		printk(KERN_WARNING "%s:%d add rc = %d\n",
+		printk(KERN_WARNING "%s:%d cipso add rc = %d\n",
 		       __func__, __LINE__, rc);
 		kfree(doip);
+		return;
 	}
+	rc = netlbl_cfg_cipsov4_map_add(doip->doi, NULL, NULL, NULL, &nai);
+	if (rc != 0) {
+		printk(KERN_WARNING "%s:%d map add rc = %d\n",
+		       __func__, __LINE__, rc);
+		kfree(doip);
+		return;
+	}
 }
  
 /**
  
  
  
@@ -379,20 +406,19 @@
 static void smk_unlbl_ambient(char *oldambient)
 {
 	int rc;
-	struct netlbl_audit audit_info;
+	struct netlbl_audit nai;
  
-	audit_info.loginuid = audit_get_loginuid(current);
-	audit_info.sessionid = audit_get_sessionid(current);
-	audit_info.secid = smack_to_secid(current_security());
+	smk_netlabel_audit_set(&nai);
  
 	if (oldambient != NULL) {
-		rc = netlbl_cfg_map_del(oldambient, &audit_info);
+		rc = netlbl_cfg_map_del(oldambient, PF_INET, NULL, NULL, &nai);
 		if (rc != 0)
 			printk(KERN_WARNING "%s:%d remove rc = %d\n",
 			       __func__, __LINE__, rc);
 	}
  
-	rc = netlbl_cfg_unlbl_add_map(smack_net_ambient, &audit_info);
+	rc = netlbl_cfg_unlbl_map_add(smack_net_ambient, PF_INET,
+				      NULL, NULL, &nai);
 	if (rc != 0)
 		printk(KERN_WARNING "%s:%d add rc = %d\n",
 		       __func__, __LINE__, rc);
  
@@ -603,7 +629,202 @@
 	.release        = seq_release,
 };
  
+/*
+ * Seq_file read operations for /smack/netlabel
+ */
+
+static void *netlbladdr_seq_start(struct seq_file *s, loff_t *pos)
+{
+	if (*pos == SEQ_READ_FINISHED)
+		return NULL;
+
+	return smack_netlbladdrs;
+}
+
+static void *netlbladdr_seq_next(struct seq_file *s, void *v, loff_t *pos)
+{
+	struct smk_netlbladdr *skp = ((struct smk_netlbladdr *) v)->smk_next;
+
+	if (skp == NULL)
+		*pos = SEQ_READ_FINISHED;
+
+	return skp;
+}
+/*
+#define BEMASK	0x80000000
+*/
+#define BEMASK	0x00000001
+#define BEBITS	(sizeof(__be32) * 8)
+
+/*
+ * Print host/label pairs
+ */
+static int netlbladdr_seq_show(struct seq_file *s, void *v)
+{
+	struct smk_netlbladdr *skp = (struct smk_netlbladdr *) v;
+	unsigned char *hp = (char *) &skp->smk_host.sin_addr.s_addr;
+	__be32 bebits;
+	int maskn = 0;
+
+	for (bebits = BEMASK; bebits != 0; maskn++, bebits <<= 1)
+		if ((skp->smk_mask.s_addr & bebits) == 0)
+			break;
+
+	seq_printf(s, "%u.%u.%u.%u/%d %s\n",
+		hp[0], hp[1], hp[2], hp[3], maskn, skp->smk_label);
+
+	return 0;
+}
+
+static void netlbladdr_seq_stop(struct seq_file *s, void *v)
+{
+	/* No-op */
+}
+
+static struct seq_operations netlbladdr_seq_ops = {
+	.start = netlbladdr_seq_start,
+	.stop  = netlbladdr_seq_stop,
+	.next  = netlbladdr_seq_next,
+	.show  = netlbladdr_seq_show,
+};
+
 /**
+ * smk_open_netlbladdr - open() for /smack/netlabel
+ * @inode: inode structure representing file
+ * @file: "netlabel" file pointer
+ *
+ * Connect our netlbladdr_seq_* operations with /smack/netlabel
+ * file_operations
+ */
+static int smk_open_netlbladdr(struct inode *inode, struct file *file)
+{
+	return seq_open(file, &netlbladdr_seq_ops);
+}
+
+/**
+ * smk_write_netlbladdr - write() for /smack/netlabel
+ * @filp: file pointer, not actually used
+ * @buf: where to get the data from
+ * @count: bytes sent
+ * @ppos: where to start
+ *
+ * Accepts only one netlbladdr per write call.
+ * Returns number of bytes written or error code, as appropriate
+ */
+static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
+				size_t count, loff_t *ppos)
+{
+	struct smk_netlbladdr *skp;
+	struct sockaddr_in newname;
+	char smack[SMK_LABELLEN];
+	char *sp;
+	char data[SMK_NETLBLADDRMAX];
+	char *host = (char *)&newname.sin_addr.s_addr;
+	int rc;
+	struct netlbl_audit audit_info;
+	struct in_addr mask;
+	unsigned int m;
+	__be32 bebits = BEMASK;
+	__be32 nsa;
+
+	/*
+	 * Must have privilege.
+	 * No partial writes.
+	 * Enough data must be present.
+	 * "<addr/mask, as a.b.c.d/e><space><label>"
+	 * "<addr, as a.b.c.d><space><label>"
+	 */
+	if (!capable(CAP_MAC_ADMIN))
+		return -EPERM;
+	if (*ppos != 0)
+		return -EINVAL;
+	if (count < SMK_NETLBLADDRMIN || count > SMK_NETLBLADDRMAX)
+		return -EINVAL;
+	if (copy_from_user(data, buf, count) != 0)
+		return -EFAULT;
+
+	data[count] = '\0';
+
+	rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd/%d %s",
+		&host[0], &host[1], &host[2], &host[3], &m, smack);
+	if (rc != 6) {
+		rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd %s",
+			&host[0], &host[1], &host[2], &host[3], smack);
+		if (rc != 5)
+			return -EINVAL;
+		m = BEBITS;
+	}
+	if (m > BEBITS)
+		return -EINVAL;
+
+	sp = smk_import(smack, 0);
+	if (sp == NULL)
+		return -EINVAL;
+
+	for (mask.s_addr = 0; m > 0; m--) {
+		mask.s_addr |= bebits;
+		bebits <<= 1;
+	}
+	/*
+	 * Only allow one writer at a time. Writes should be
+	 * quite rare and small in any case.
+	 */
+	mutex_lock(&smk_netlbladdr_lock);
+
+	nsa = newname.sin_addr.s_addr;
+	for (skp = smack_netlbladdrs; skp != NULL; skp = skp->smk_next)
+		if (skp->smk_host.sin_addr.s_addr == nsa &&
+		    skp->smk_mask.s_addr == mask.s_addr)
+			break;
+
+	smk_netlabel_audit_set(&audit_info);
+
+	if (skp == NULL) {
+		skp = kzalloc(sizeof(*skp), GFP_KERNEL);
+		if (skp == NULL)
+			rc = -ENOMEM;
+		else {
+			rc = 0;
+			skp->smk_host.sin_addr.s_addr = newname.sin_addr.s_addr;
+			skp->smk_mask.s_addr = mask.s_addr;
+			skp->smk_next = smack_netlbladdrs;
+			skp->smk_label = sp;
+			smack_netlbladdrs = skp;
+		}
+	} else {
+		rc = netlbl_cfg_unlbl_static_del(&init_net, NULL,
+			&skp->smk_host.sin_addr, &skp->smk_mask,
+			PF_INET, &audit_info);
+		skp->smk_label = sp;
+	}
+
+	/*
+	 * Now tell netlabel about the single label nature of
+	 * this host so that incoming packets get labeled.
+	 */
+
+	if (rc == 0)
+		rc = netlbl_cfg_unlbl_static_add(&init_net, NULL,
+			&skp->smk_host.sin_addr, &skp->smk_mask, PF_INET,
+			smack_to_secid(skp->smk_label), &audit_info);
+
+	if (rc == 0)
+		rc = count;
+
+	mutex_unlock(&smk_netlbladdr_lock);
+
+	return rc;
+}
+
+static const struct file_operations smk_netlbladdr_ops = {
+	.open           = smk_open_netlbladdr,
+	.read		= seq_read,
+	.llseek         = seq_lseek,
+	.write		= smk_write_netlbladdr,
+	.release        = seq_release,
+};
+
+/**
  * smk_read_doi - read() for /smack/doi
  * @filp: file pointer, not actually used
  * @buf: where to put the result
  
@@ -891,111 +1112,7 @@
 	.write		= smk_write_onlycap,
 };
  
-struct option_names {
-	int	o_number;
-	char	*o_name;
-	char	*o_alias;
-};
-
-static struct option_names netlbl_choices[] = {
-	{ NETLBL_NLTYPE_RIPSO,
-		NETLBL_NLTYPE_RIPSO_NAME,	"ripso" },
-	{ NETLBL_NLTYPE_CIPSOV4,
-		NETLBL_NLTYPE_CIPSOV4_NAME,	"cipsov4" },
-	{ NETLBL_NLTYPE_CIPSOV4,
-		NETLBL_NLTYPE_CIPSOV4_NAME,	"cipso" },
-	{ NETLBL_NLTYPE_CIPSOV6,
-		NETLBL_NLTYPE_CIPSOV6_NAME,	"cipsov6" },
-	{ NETLBL_NLTYPE_UNLABELED,
-		NETLBL_NLTYPE_UNLABELED_NAME,	"unlabeled" },
-};
-
 /**
- * smk_read_nltype - read() for /smack/nltype
- * @filp: file pointer, not actually used
- * @buf: where to put the result
- * @count: maximum to send along
- * @ppos: where to start
- *
- * Returns number of bytes read or error code, as appropriate
- */
-static ssize_t smk_read_nltype(struct file *filp, char __user *buf,
-			       size_t count, loff_t *ppos)
-{
-	char bound[40];
-	ssize_t rc;
-	int i;
-
-	if (count < SMK_LABELLEN)
-		return -EINVAL;
-
-	if (*ppos != 0)
-		return 0;
-
-	sprintf(bound, "unknown");
-
-	for (i = 0; i < ARRAY_SIZE(netlbl_choices); i++)
-		if (smack_net_nltype == netlbl_choices[i].o_number) {
-			sprintf(bound, "%s", netlbl_choices[i].o_name);
-			break;
-		}
-
-	rc = simple_read_from_buffer(buf, count, ppos, bound, strlen(bound));
-
-	return rc;
-}
-
-/**
- * smk_write_nltype - write() for /smack/nltype
- * @filp: file pointer, not actually used
- * @buf: where to get the data from
- * @count: bytes sent
- * @ppos: where to start
- *
- * Returns number of bytes written or error code, as appropriate
- */
-static ssize_t smk_write_nltype(struct file *file, const char __user *buf,
-				size_t count, loff_t *ppos)
-{
-	char bound[40];
-	char *cp;
-	int i;
-
-	if (!capable(CAP_MAC_ADMIN))
-		return -EPERM;
-
-	if (count >= 40)
-		return -EINVAL;
-
-	if (copy_from_user(bound, buf, count) != 0)
-		return -EFAULT;
-
-	bound[count] = '\0';
-	cp = strchr(bound, ' ');
-	if (cp != NULL)
-		*cp = '\0';
-	cp = strchr(bound, '\n');
-	if (cp != NULL)
-		*cp = '\0';
-
-	for (i = 0; i < ARRAY_SIZE(netlbl_choices); i++)
-		if (strcmp(bound, netlbl_choices[i].o_name) == 0 ||
-		    strcmp(bound, netlbl_choices[i].o_alias) == 0) {
-			smack_net_nltype = netlbl_choices[i].o_number;
-			return count;
-		}
-	/*
-	 * Not a valid choice.
-	 */
-	return -EINVAL;
-}
-
-static const struct file_operations smk_nltype_ops = {
-	.read		= smk_read_nltype,
-	.write		= smk_write_nltype,
-};
-
-/**
  * smk_fill_super - fill the /smackfs superblock
  * @sb: the empty superblock
  * @data: unused
@@ -1021,8 +1138,8 @@
 			{"direct", &smk_direct_ops, S_IRUGO|S_IWUSR},
 		[SMK_AMBIENT]	=
 			{"ambient", &smk_ambient_ops, S_IRUGO|S_IWUSR},
-		[SMK_NLTYPE]	=
-			{"nltype", &smk_nltype_ops, S_IRUGO|S_IWUSR},
+		[SMK_NETLBLADDR] =
+			{"netlabel", &smk_netlbladdr_ops, S_IRUGO|S_IWUSR},
 		[SMK_ONLYCAP]	=
 			{"onlycap", &smk_onlycap_ops, S_IRUGO|S_IWUSR},
 		/* last one */ {""}
...	...	@@ -315,4 +315,16 @@
315	315	Why: Deprecated by the new (standard) device driver binding model. Use
316	316	i2c_driver->probe() and ->remove() instead.
317	317	Who: Jean Delvare <khali@linux-fr.org>
	318	+
	319	+---------------------------
	320	+
	321	+What: SELinux "compat_net" functionality
	322	+When: 2.6.30 at the earliest
	323	+Why: In 2.6.18 the Secmark concept was introduced to replace the "compat_net"
	324	+ network access control functionality of SELinux. Secmark offers both
	325	+ better performance and greater flexibility than the "compat_net"
	326	+ mechanism. Now that the major Linux distributions have moved to
	327	+ Secmark, it is time to deprecate the older mechanism and start the
	328	+ process of removing the old code.
	329	+Who: Paul Moore <paul.moore@hp.com>
...	...	@@ -529,8 +529,21 @@
529	529	*
530	530	* Note that this does not set PF_SUPERPRIV on the task.
531	531	*/
532		-#define has_capability(t, cap) (security_capable((t), (cap)) == 0)
533		-#define has_capability_noaudit(t, cap) (security_capable_noaudit((t), (cap)) == 0)
	532	+#define has_capability(t, cap) (security_real_capable((t), (cap)) == 0)
	533	+
	534	+/**
	535	+ * has_capability_noaudit - Determine if a task has a superior capability available (unaudited)
	536	+ * @t: The task in question
	537	+ * @cap: The capability to be tested for
	538	+ *
	539	+ * Return true if the specified task has the given superior capability
	540	+ * currently in effect, false if not, but don't write an audit message for the
	541	+ * check.
	542	+ *
	543	+ * Note that this does not set PF_SUPERPRIV on the task.
	544	+ */
	545	+#define has_capability_noaudit(t, cap) \
	546	+ (security_real_capable_noaudit((t), (cap)) == 0)
534	547
535	548	extern int capable(int cap);
536	549
...	...	@@ -48,7 +48,8 @@
48	48	* These functions are in security/capability.c and are used
49	49	* as the default capabilities functions
50	50	*/
51		-extern int cap_capable(struct task_struct *tsk, int cap, int audit);
	51	+extern int cap_capable(struct task_struct tsk, const struct cred cred,
	52	+ int cap, int audit);
52	53	extern int cap_settime(struct timespec ts, struct timezone tz);
53	54	extern int cap_ptrace_may_access(struct task_struct *child, unsigned int mode);
54	55	extern int cap_ptrace_traceme(struct task_struct *parent);
55	56
56	57
...	...	@@ -1251,9 +1252,12 @@
1251	1252	* @permitted contains the permitted capability set.
1252	1253	* Return 0 and update @new if permission is granted.
1253	1254	* @capable:
1254		- * Check whether the @tsk process has the @cap capability.
	1255	+ * Check whether the @tsk process has the @cap capability in the indicated
	1256	+ * credentials.
1255	1257	* @tsk contains the task_struct for the process.
	1258	+ * @cred contains the credentials to use.
1256	1259	* @cap contains the capability <include/linux/capability.h>.
	1260	+ * @audit: Whether to write an audit message or not
1257	1261	* Return 0 if the capability is granted for @tsk.
1258	1262	* @acct:
1259	1263	* Check permission before enabling or disabling process accounting. If
...	...	@@ -1346,7 +1350,8 @@
1346	1350	const kernel_cap_t *effective,
1347	1351	const kernel_cap_t *inheritable,
1348	1352	const kernel_cap_t *permitted);
1349		- int (capable) (struct task_struct tsk, int cap, int audit);
	1353	+ int (capable) (struct task_struct tsk, const struct cred *cred,
	1354	+ int cap, int audit);
1350	1355	int (acct) (struct file file);
1351	1356	int (sysctl) (struct ctl_table table, int op);
1352	1357	int (quotactl) (int cmds, int type, int id, struct super_block sb);
...	...	@@ -1628,8 +1633,9 @@
1628	1633	const kernel_cap_t *effective,
1629	1634	const kernel_cap_t *inheritable,
1630	1635	const kernel_cap_t *permitted);
1631		-int security_capable(struct task_struct *tsk, int cap);
1632		-int security_capable_noaudit(struct task_struct *tsk, int cap);
	1636	+int security_capable(int cap);
	1637	+int security_real_capable(struct task_struct *tsk, int cap);
	1638	+int security_real_capable_noaudit(struct task_struct *tsk, int cap);
1633	1639	int security_acct(struct file *file);
1634	1640	int security_sysctl(struct ctl_table *table, int op);
1635	1641	int security_quotactl(int cmds, int type, int id, struct super_block *sb);
1636	1642
1637	1643
1638	1644
...	...	@@ -1826,14 +1832,31 @@
1826	1832	return cap_capset(new, old, effective, inheritable, permitted);
1827	1833	}
1828	1834
1829		-static inline int security_capable(struct task_struct *tsk, int cap)
	1835	+static inline int security_capable(int cap)
1830	1836	{
1831		- return cap_capable(tsk, cap, SECURITY_CAP_AUDIT);
	1837	+ return cap_capable(current, current_cred(), cap, SECURITY_CAP_AUDIT);
1832	1838	}
1833	1839
1834		-static inline int security_capable_noaudit(struct task_struct *tsk, int cap)
	1840	+static inline int security_real_capable(struct task_struct *tsk, int cap)
1835	1841	{
1836		- return cap_capable(tsk, cap, SECURITY_CAP_NOAUDIT);
	1842	+ int ret;
	1843	+
	1844	+ rcu_read_lock();
	1845	+ ret = cap_capable(tsk, __task_cred(tsk), cap, SECURITY_CAP_AUDIT);
	1846	+ rcu_read_unlock();
	1847	+ return ret;
	1848	+}
	1849	+
	1850	+static inline
	1851	+int security_real_capable_noaudit(struct task_struct *tsk, int cap)
	1852	+{
	1853	+ int ret;
	1854	+
	1855	+ rcu_read_lock();
	1856	+ ret = cap_capable(tsk, __task_cred(tsk), cap,
	1857	+ SECURITY_CAP_NOAUDIT);
	1858	+ rcu_read_unlock();
	1859	+ return ret;
1837	1860	}
1838	1861
1839	1862	static inline int security_acct(struct file *file)
...	...	@@ -131,7 +131,8 @@
131	131	*/
132	132
133	133	#ifdef CONFIG_NETLABEL
134		-int cipso_v4_doi_add(struct cipso_v4_doi *doi_def);
	134	+int cipso_v4_doi_add(struct cipso_v4_doi *doi_def,
	135	+ struct netlbl_audit *audit_info);
135	136	void cipso_v4_doi_free(struct cipso_v4_doi *doi_def);
136	137	int cipso_v4_doi_remove(u32 doi, struct netlbl_audit *audit_info);
137	138	struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi);
...	...	@@ -140,7 +141,8 @@
140	141	int (callback) (struct cipso_v4_doi doi_def, void *arg),
141	142	void *cb_arg);
142	143	#else
143		-static inline int cipso_v4_doi_add(struct cipso_v4_doi *doi_def)
	144	+static inline int cipso_v4_doi_add(struct cipso_v4_doi *doi_def,
	145	+ struct netlbl_audit *audit_info)
144	146	{
145	147	return -ENOSYS;
146	148	}
...	...	@@ -33,6 +33,8 @@
33	33	#include <linux/types.h>
34	34	#include <linux/net.h>
35	35	#include <linux/skbuff.h>
	36	+#include <linux/in.h>
	37	+#include <linux/in6.h>
36	38	#include <net/netlink.h>
37	39	#include <asm/atomic.h>
38	40
39	41
40	42
41	43
...	...	@@ -353,13 +355,37 @@
353	355	/*
354	356	* LSM configuration operations
355	357	*/
356		-int netlbl_cfg_map_del(const char domain, struct netlbl_audit audit_info);
357		-int netlbl_cfg_unlbl_add_map(const char *domain,
	358	+int netlbl_cfg_map_del(const char *domain,
	359	+ u16 family,
	360	+ const void *addr,
	361	+ const void *mask,
	362	+ struct netlbl_audit *audit_info);
	363	+int netlbl_cfg_unlbl_map_add(const char *domain,
	364	+ u16 family,
	365	+ const void *addr,
	366	+ const void *mask,
358	367	struct netlbl_audit *audit_info);
359		-int netlbl_cfg_cipsov4_add_map(struct cipso_v4_doi *doi_def,
	368	+int netlbl_cfg_unlbl_static_add(struct net *net,
	369	+ const char *dev_name,
	370	+ const void *addr,
	371	+ const void *mask,
	372	+ u16 family,
	373	+ u32 secid,
	374	+ struct netlbl_audit *audit_info);
	375	+int netlbl_cfg_unlbl_static_del(struct net *net,
	376	+ const char *dev_name,
	377	+ const void *addr,
	378	+ const void *mask,
	379	+ u16 family,
	380	+ struct netlbl_audit *audit_info);
	381	+int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def,
	382	+ struct netlbl_audit *audit_info);
	383	+void netlbl_cfg_cipsov4_del(u32 doi, struct netlbl_audit *audit_info);
	384	+int netlbl_cfg_cipsov4_map_add(u32 doi,
360	385	const char *domain,
	386	+ const struct in_addr *addr,
	387	+ const struct in_addr *mask,
361	388	struct netlbl_audit *audit_info);
362		-
363	389	/*
364	390	* LSM security attribute operations
365	391	*/
366	392
367	393
368	394
369	395
...	...	@@ -401,19 +427,62 @@
401	427	void netlbl_cache_invalidate(void);
402	428	int netlbl_cache_add(const struct sk_buff *skb,
403	429	const struct netlbl_lsm_secattr *secattr);
	430	+
	431	+/*
	432	+ * Protocol engine operations
	433	+ */
	434	+struct audit_buffer *netlbl_audit_start(int type,
	435	+ struct netlbl_audit *audit_info);
404	436	#else
405	437	static inline int netlbl_cfg_map_del(const char *domain,
	438	+ u16 family,
	439	+ const void *addr,
	440	+ const void *mask,
406	441	struct netlbl_audit *audit_info)
407	442	{
408	443	return -ENOSYS;
409	444	}
410		-static inline int netlbl_cfg_unlbl_add_map(const char *domain,
	445	+static inline int netlbl_cfg_unlbl_map_add(const char *domain,
	446	+ u16 family,
	447	+ void *addr,
	448	+ void *mask,
411	449	struct netlbl_audit *audit_info)
412	450	{
413	451	return -ENOSYS;
414	452	}
415		-static inline int netlbl_cfg_cipsov4_add_map(struct cipso_v4_doi *doi_def,
	453	+static inline int netlbl_cfg_unlbl_static_add(struct net *net,
	454	+ const char *dev_name,
	455	+ const void *addr,
	456	+ const void *mask,
	457	+ u16 family,
	458	+ u32 secid,
	459	+ struct netlbl_audit *audit_info)
	460	+{
	461	+ return -ENOSYS;
	462	+}
	463	+static inline int netlbl_cfg_unlbl_static_del(struct net *net,
	464	+ const char *dev_name,
	465	+ const void *addr,
	466	+ const void *mask,
	467	+ u16 family,
	468	+ struct netlbl_audit *audit_info)
	469	+{
	470	+ return -ENOSYS;
	471	+}
	472	+static inline int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def,
	473	+ struct netlbl_audit *audit_info)
	474	+{
	475	+ return -ENOSYS;
	476	+}
	477	+static inline void netlbl_cfg_cipsov4_del(u32 doi,
	478	+ struct netlbl_audit *audit_info)
	479	+{
	480	+ return;
	481	+}
	482	+static inline int netlbl_cfg_cipsov4_map_add(u32 doi,
416	483	const char *domain,
	484	+ const struct in_addr *addr,
	485	+ const struct in_addr *mask,
417	486	struct netlbl_audit *audit_info)
418	487	{
419	488	return -ENOSYS;
...	...	@@ -494,6 +563,11 @@
494	563	const struct netlbl_lsm_secattr *secattr)
495	564	{
496	565	return 0;
	566	+}
	567	+static inline struct audit_buffer *netlbl_audit_start(int type,
	568	+ struct netlbl_audit *audit_info)
	569	+{
	570	+ return NULL;
497	571	}
498	572	#endif /* CONFIG_NETLABEL */
499	573
...	...	@@ -306,7 +306,7 @@
306	306	BUG();
307	307	}
308	308
309		- if (has_capability(current, cap)) {
	309	+ if (security_capable(cap) == 0) {
310	310	current->flags \|= PF_SUPERPRIV;
311	311	return 1;
312	312	}
...	...	@@ -38,6 +38,7 @@
38	38	#include <linux/spinlock.h>
39	39	#include <linux/string.h>
40	40	#include <linux/jhash.h>
	41	+#include <linux/audit.h>
41	42	#include <net/ip.h>
42	43	#include <net/icmp.h>
43	44	#include <net/tcp.h>
...	...	@@ -449,6 +450,7 @@
449	450	/**
450	451	* cipso_v4_doi_add - Add a new DOI to the CIPSO protocol engine
451	452	* @doi_def: the DOI structure
	453	+ * @audit_info: NetLabel audit information
452	454	*
453	455	* Description:
454	456	* The caller defines a new DOI for use by the CIPSO engine and calls this
455	457
456	458
457	459
458	460
459	461
460	462
461	463
462	464
463	465
464	466
465	467
466	468
467	469
...	...	@@ -458,50 +460,78 @@
458	460	* zero on success and non-zero on failure.
459	461	*
460	462	*/
461		-int cipso_v4_doi_add(struct cipso_v4_doi *doi_def)
	463	+int cipso_v4_doi_add(struct cipso_v4_doi *doi_def,
	464	+ struct netlbl_audit *audit_info)
462	465	{
	466	+ int ret_val = -EINVAL;
463	467	u32 iter;
	468	+ u32 doi;
	469	+ u32 doi_type;
	470	+ struct audit_buffer *audit_buf;
464	471
	472	+ doi = doi_def->doi;
	473	+ doi_type = doi_def->type;
	474	+
465	475	if (doi_def == NULL \|\| doi_def->doi == CIPSO_V4_DOI_UNKNOWN)
466		- return -EINVAL;
	476	+ goto doi_add_return;
467	477	for (iter = 0; iter < CIPSO_V4_TAG_MAXCNT; iter++) {
468	478	switch (doi_def->tags[iter]) {
469	479	case CIPSO_V4_TAG_RBITMAP:
470	480	break;
471	481	case CIPSO_V4_TAG_RANGE:
472		- if (doi_def->type != CIPSO_V4_MAP_PASS)
473		- return -EINVAL;
474		- break;
475		- case CIPSO_V4_TAG_INVALID:
476		- if (iter == 0)
477		- return -EINVAL;
478		- break;
479	482	case CIPSO_V4_TAG_ENUM:
480	483	if (doi_def->type != CIPSO_V4_MAP_PASS)
481		- return -EINVAL;
	484	+ goto doi_add_return;
482	485	break;
483	486	case CIPSO_V4_TAG_LOCAL:
484	487	if (doi_def->type != CIPSO_V4_MAP_LOCAL)
485		- return -EINVAL;
	488	+ goto doi_add_return;
486	489	break;
	490	+ case CIPSO_V4_TAG_INVALID:
	491	+ if (iter == 0)
	492	+ goto doi_add_return;
	493	+ break;
487	494	default:
488		- return -EINVAL;
	495	+ goto doi_add_return;
489	496	}
490	497	}
491	498
492	499	atomic_set(&doi_def->refcount, 1);
493	500
494	501	spin_lock(&cipso_v4_doi_list_lock);
495		- if (cipso_v4_doi_search(doi_def->doi) != NULL)
496		- goto doi_add_failure;
	502	+ if (cipso_v4_doi_search(doi_def->doi) != NULL) {
	503	+ spin_unlock(&cipso_v4_doi_list_lock);
	504	+ ret_val = -EEXIST;
	505	+ goto doi_add_return;
	506	+ }
497	507	list_add_tail_rcu(&doi_def->list, &cipso_v4_doi_list);
498	508	spin_unlock(&cipso_v4_doi_list_lock);
	509	+ ret_val = 0;
499	510
500		- return 0;
	511	+doi_add_return:
	512	+ audit_buf = netlbl_audit_start(AUDIT_MAC_CIPSOV4_ADD, audit_info);
	513	+ if (audit_buf != NULL) {
	514	+ const char *type_str;
	515	+ switch (doi_type) {
	516	+ case CIPSO_V4_MAP_TRANS:
	517	+ type_str = "trans";
	518	+ break;
	519	+ case CIPSO_V4_MAP_PASS:
	520	+ type_str = "pass";
	521	+ break;
	522	+ case CIPSO_V4_MAP_LOCAL:
	523	+ type_str = "local";
	524	+ break;
	525	+ default:
	526	+ type_str = "(unknown)";
	527	+ }
	528	+ audit_log_format(audit_buf,
	529	+ " cipso_doi=%u cipso_type=%s res=%u",
	530	+ doi, type_str, ret_val == 0 ? 1 : 0);
	531	+ audit_log_end(audit_buf);
	532	+ }
501	533
502		-doi_add_failure:
503		- spin_unlock(&cipso_v4_doi_list_lock);
504		- return -EEXIST;
	534	+ return ret_val;
505	535	}
506	536
507	537	/**
508	538
509	539
510	540
511	541
512	542
...	...	@@ -559,25 +589,39 @@
559	589	*/
560	590	int cipso_v4_doi_remove(u32 doi, struct netlbl_audit *audit_info)
561	591	{
	592	+ int ret_val;
562	593	struct cipso_v4_doi *doi_def;
	594	+ struct audit_buffer *audit_buf;
563	595
564	596	spin_lock(&cipso_v4_doi_list_lock);
565	597	doi_def = cipso_v4_doi_search(doi);
566	598	if (doi_def == NULL) {
567	599	spin_unlock(&cipso_v4_doi_list_lock);
568		- return -ENOENT;
	600	+ ret_val = -ENOENT;
	601	+ goto doi_remove_return;
569	602	}
570	603	if (!atomic_dec_and_test(&doi_def->refcount)) {
571	604	spin_unlock(&cipso_v4_doi_list_lock);
572		- return -EBUSY;
	605	+ ret_val = -EBUSY;
	606	+ goto doi_remove_return;
573	607	}
574	608	list_del_rcu(&doi_def->list);
575	609	spin_unlock(&cipso_v4_doi_list_lock);
576	610
577	611	cipso_v4_cache_invalidate();
578	612	call_rcu(&doi_def->rcu, cipso_v4_doi_free_rcu);
	613	+ ret_val = 0;
579	614
580		- return 0;
	615	+doi_remove_return:
	616	+ audit_buf = netlbl_audit_start(AUDIT_MAC_CIPSOV4_DEL, audit_info);
	617	+ if (audit_buf != NULL) {
	618	+ audit_log_format(audit_buf,
	619	+ " cipso_doi=%u res=%u",
	620	+ doi, ret_val == 0 ? 1 : 0);
	621	+ audit_log_end(audit_buf);
	622	+ }
	623	+
	624	+ return ret_val;
581	625	}
582	626
583	627	/**
...	...	@@ -130,6 +130,7 @@
130	130	/**
131	131	* netlbl_cipsov4_add_std - Adds a CIPSO V4 DOI definition
132	132	* @info: the Generic NETLINK info block
	133	+ * @audit_info: NetLabel audit information
133	134	*
134	135	* Description:
135	136	* Create a new CIPSO_V4_MAP_TRANS DOI definition based on the given ADD
...	...	@@ -137,7 +138,8 @@
137	138	* non-zero on error.
138	139	*
139	140	*/
140		-static int netlbl_cipsov4_add_std(struct genl_info *info)
	141	+static int netlbl_cipsov4_add_std(struct genl_info *info,
	142	+ struct netlbl_audit *audit_info)
141	143	{
142	144	int ret_val = -EINVAL;
143	145	struct cipso_v4_doi *doi_def = NULL;
...	...	@@ -316,7 +318,7 @@
316	318	}
317	319	}
318	320
319		- ret_val = cipso_v4_doi_add(doi_def);
	321	+ ret_val = cipso_v4_doi_add(doi_def, audit_info);
320	322	if (ret_val != 0)
321	323	goto add_std_failure;
322	324	return 0;
...	...	@@ -330,6 +332,7 @@
330	332	/**
331	333	* netlbl_cipsov4_add_pass - Adds a CIPSO V4 DOI definition
332	334	* @info: the Generic NETLINK info block
	335	+ * @audit_info: NetLabel audit information
333	336	*
334	337	* Description:
335	338	* Create a new CIPSO_V4_MAP_PASS DOI definition based on the given ADD message
...	...	@@ -337,7 +340,8 @@
337	340	* error.
338	341	*
339	342	*/
340		-static int netlbl_cipsov4_add_pass(struct genl_info *info)
	343	+static int netlbl_cipsov4_add_pass(struct genl_info *info,
	344	+ struct netlbl_audit *audit_info)
341	345	{
342	346	int ret_val;
343	347	struct cipso_v4_doi *doi_def = NULL;
...	...	@@ -354,7 +358,7 @@
354	358	if (ret_val != 0)
355	359	goto add_pass_failure;
356	360
357		- ret_val = cipso_v4_doi_add(doi_def);
	361	+ ret_val = cipso_v4_doi_add(doi_def, audit_info);
358	362	if (ret_val != 0)
359	363	goto add_pass_failure;
360	364	return 0;
...	...	@@ -367,6 +371,7 @@
367	371	/**
368	372	* netlbl_cipsov4_add_local - Adds a CIPSO V4 DOI definition
369	373	* @info: the Generic NETLINK info block
	374	+ * @audit_info: NetLabel audit information
370	375	*
371	376	* Description:
372	377	* Create a new CIPSO_V4_MAP_LOCAL DOI definition based on the given ADD
...	...	@@ -374,7 +379,8 @@
374	379	* non-zero on error.
375	380	*
376	381	*/
377		-static int netlbl_cipsov4_add_local(struct genl_info *info)
	382	+static int netlbl_cipsov4_add_local(struct genl_info *info,
	383	+ struct netlbl_audit *audit_info)
378	384	{
379	385	int ret_val;
380	386	struct cipso_v4_doi *doi_def = NULL;
...	...	@@ -391,7 +397,7 @@
391	397	if (ret_val != 0)
392	398	goto add_local_failure;
393	399
394		- ret_val = cipso_v4_doi_add(doi_def);
	400	+ ret_val = cipso_v4_doi_add(doi_def, audit_info);
395	401	if (ret_val != 0)
396	402	goto add_local_failure;
397	403	return 0;
398	404
399	405
400	406
401	407
402	408
403	409
404	410
...	...	@@ -415,48 +421,31 @@
415	421
416	422	{
417	423	int ret_val = -EINVAL;
418		- u32 type;
419		- u32 doi;
420	424	const char *type_str = "(unknown)";
421		- struct audit_buffer *audit_buf;
422	425	struct netlbl_audit audit_info;
423	426
424	427	if (!info->attrs[NLBL_CIPSOV4_A_DOI] \|\|
425	428	!info->attrs[NLBL_CIPSOV4_A_MTYPE])
426	429	return -EINVAL;
427	430
428		- doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
429	431	netlbl_netlink_auditinfo(skb, &audit_info);
430		-
431		- type = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE]);
432		- switch (type) {
	432	+ switch (nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE])) {
433	433	case CIPSO_V4_MAP_TRANS:
434	434	type_str = "trans";
435		- ret_val = netlbl_cipsov4_add_std(info);
	435	+ ret_val = netlbl_cipsov4_add_std(info, &audit_info);
436	436	break;
437	437	case CIPSO_V4_MAP_PASS:
438	438	type_str = "pass";
439		- ret_val = netlbl_cipsov4_add_pass(info);
	439	+ ret_val = netlbl_cipsov4_add_pass(info, &audit_info);
440	440	break;
441	441	case CIPSO_V4_MAP_LOCAL:
442	442	type_str = "local";
443		- ret_val = netlbl_cipsov4_add_local(info);
	443	+ ret_val = netlbl_cipsov4_add_local(info, &audit_info);
444	444	break;
445	445	}
446	446	if (ret_val == 0)
447	447	atomic_inc(&netlabel_mgmt_protocount);
448	448
449		- audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD,
450		- &audit_info);
451		- if (audit_buf != NULL) {
452		- audit_log_format(audit_buf,
453		- " cipso_doi=%u cipso_type=%s res=%u",
454		- doi,
455		- type_str,
456		- ret_val == 0 ? 1 : 0);
457		- audit_log_end(audit_buf);
458		- }
459		-
460	449	return ret_val;
461	450	}
462	451
463	452
...	...	@@ -725,9 +714,7 @@
725	714	static int netlbl_cipsov4_remove(struct sk_buff skb, struct genl_info info)
726	715	{
727	716	int ret_val = -EINVAL;
728		- u32 doi = 0;
729	717	struct netlbl_domhsh_walk_arg cb_arg;
730		- struct audit_buffer *audit_buf;
731	718	struct netlbl_audit audit_info;
732	719	u32 skip_bkt = 0;
733	720	u32 skip_chain = 0;
734	721
735	722
736	723
...	...	@@ -735,27 +722,15 @@
735	722	if (!info->attrs[NLBL_CIPSOV4_A_DOI])
736	723	return -EINVAL;
737	724
738		- doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
739	725	netlbl_netlink_auditinfo(skb, &audit_info);
740		-
741		- cb_arg.doi = doi;
	726	+ cb_arg.doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]);
742	727	cb_arg.audit_info = &audit_info;
743	728	ret_val = netlbl_domhsh_walk(&skip_bkt, &skip_chain,
744	729	netlbl_cipsov4_remove_cb, &cb_arg);
745	730	if (ret_val == 0 \|\| ret_val == -ENOENT) {
746		- ret_val = cipso_v4_doi_remove(doi, &audit_info);
	731	+ ret_val = cipso_v4_doi_remove(cb_arg.doi, &audit_info);
747	732	if (ret_val == 0)
748	733	atomic_dec(&netlabel_mgmt_protocount);
749		- }
750		-
751		- audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL,
752		- &audit_info);
753		- if (audit_buf != NULL) {
754		- audit_log_format(audit_buf,
755		- " cipso_doi=%u res=%u",
756		- doi,
757		- ret_val == 0 ? 1 : 0);
758		- audit_log_end(audit_buf);
759	734	}
760	735
761	736	return ret_val;
...	...	@@ -483,6 +483,73 @@
483	483	}
484	484
485	485	/**
	486	+ * netlbl_domhsh_remove_af4 - Removes an address selector entry
	487	+ * @domain: the domain
	488	+ * @addr: IPv4 address
	489	+ * @mask: IPv4 address mask
	490	+ * @audit_info: NetLabel audit information
	491	+ *
	492	+ * Description:
	493	+ * Removes an individual address selector from a domain mapping and potentially
	494	+ * the entire mapping if it is empty. Returns zero on success, negative values
	495	+ * on failure.
	496	+ *
	497	+ */
	498	+int netlbl_domhsh_remove_af4(const char *domain,
	499	+ const struct in_addr *addr,
	500	+ const struct in_addr *mask,
	501	+ struct netlbl_audit *audit_info)
	502	+{
	503	+ struct netlbl_dom_map *entry_map;
	504	+ struct netlbl_af4list *entry_addr;
	505	+ struct netlbl_af4list *iter4;
	506	+#if defined(CONFIG_IPV6) \|\| defined(CONFIG_IPV6_MODULE)
	507	+ struct netlbl_af6list *iter6;
	508	+#endif /* IPv6 */
	509	+ struct netlbl_domaddr4_map *entry;
	510	+
	511	+ rcu_read_lock();
	512	+
	513	+ if (domain)
	514	+ entry_map = netlbl_domhsh_search(domain);
	515	+ else
	516	+ entry_map = netlbl_domhsh_search_def(domain);
	517	+ if (entry_map == NULL \|\| entry_map->type != NETLBL_NLTYPE_ADDRSELECT)
	518	+ goto remove_af4_failure;
	519	+
	520	+ spin_lock(&netlbl_domhsh_lock);
	521	+ entry_addr = netlbl_af4list_remove(addr->s_addr, mask->s_addr,
	522	+ &entry_map->type_def.addrsel->list4);
	523	+ spin_unlock(&netlbl_domhsh_lock);
	524	+
	525	+ if (entry_addr == NULL)
	526	+ goto remove_af4_failure;
	527	+ netlbl_af4list_foreach_rcu(iter4, &entry_map->type_def.addrsel->list4)
	528	+ goto remove_af4_single_addr;
	529	+#if defined(CONFIG_IPV6) \|\| defined(CONFIG_IPV6_MODULE)
	530	+ netlbl_af6list_foreach_rcu(iter6, &entry_map->type_def.addrsel->list6)
	531	+ goto remove_af4_single_addr;
	532	+#endif /* IPv6 */
	533	+ /* the domain mapping is empty so remove it from the mapping table */
	534	+ netlbl_domhsh_remove_entry(entry_map, audit_info);
	535	+
	536	+remove_af4_single_addr:
	537	+ rcu_read_unlock();
	538	+ /* yick, we can't use call_rcu here because we don't have a rcu head
	539	+ * pointer but hopefully this should be a rare case so the pause
	540	+ * shouldn't be a problem */
	541	+ synchronize_rcu();
	542	+ entry = netlbl_domhsh_addr4_entry(entry_addr);
	543	+ cipso_v4_doi_putdef(entry->type_def.cipsov4);
	544	+ kfree(entry);
	545	+ return 0;
	546	+
	547	+remove_af4_failure:
	548	+ rcu_read_unlock();
	549	+ return -ENOENT;
	550	+}
	551	+
	552	+/**
486	553	* netlbl_domhsh_remove - Removes an entry from the domain hash table
487	554	* @domain: the domain to remove
488	555	* @audit_info: NetLabel audit information
...	...	@@ -90,6 +90,10 @@
90	90	struct netlbl_audit *audit_info);
91	91	int netlbl_domhsh_remove_entry(struct netlbl_dom_map *entry,
92	92	struct netlbl_audit *audit_info);
	93	+int netlbl_domhsh_remove_af4(const char *domain,
	94	+ const struct in_addr *addr,
	95	+ const struct in_addr *mask,
	96	+ struct netlbl_audit *audit_info);
93	97	int netlbl_domhsh_remove(const char domain, struct netlbl_audit audit_info);
94	98	int netlbl_domhsh_remove_default(struct netlbl_audit *audit_info);
95	99	struct netlbl_dom_map netlbl_domhsh_getentry(const char domain);