Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
  smack: Add a new '-CIPSO' option to the network address label configuration
  netlabel: Cleanup the Smack/NetLabel code to fix incoming TCP connections
  lsm: Remove the socket_post_accept() hook
  selinux: Remove the "compat_net" compatibility code
  netlabel: Label incoming TCP connections correctly in SELinux
  lsm: Relocate the IPv4 security_inet_conn_request() hooks
  TOMOYO: Fix a typo.
  smack: convert smack to standard linux lists

3 files changed, 37 insertions, 25 deletions

diff --git a/Documentation/Smack.txt b/Documentation/Smack.txt
index 989c2fcd8111..629c92e99783 100644
--- a/Documentation/Smack.txt
+++ b/Documentation/Smack.txt
@@ -184,14 +184,16 @@ length. Single character labels using special characters, that being anything
 other than a letter or digit, are reserved for use by the Smack development
 team. Smack labels are unstructured, case sensitive, and the only operation
 ever performed on them is comparison for equality. Smack labels cannot
-contain unprintable characters or the "/" (slash) character.
+contain unprintable characters or the "/" (slash) character. Smack labels
+cannot begin with a '-', which is reserved for special options.
 
 There are some predefined labels:
 
-        _ Pronounced "floor", a single underscore character.
-        ^ Pronounced "hat", a single circumflex character.
-        * Pronounced "star", a single asterisk character.
-        ? Pronounced "huh", a single question mark character.
+        _       Pronounced "floor", a single underscore character.
+        ^       Pronounced "hat", a single circumflex character.
+        *       Pronounced "star", a single asterisk character.
+        ?       Pronounced "huh", a single question mark character.
+        @       Pronounced "Internet", a single at sign character.
 
 Every task on a Smack system is assigned a label. System tasks, such as
 init(8) and systems daemons, are run with the floor ("_") label. User tasks
@@ -412,6 +414,36 @@ sockets.
         A privileged program may set this to match the label of another
         task with which it hopes to communicate.
 
+Smack Netlabel Exceptions
+
+You will often find that your labeled application has to talk to the outside,
+unlabeled world. To do this there's a special file /smack/netlabel where you can
+add some exceptions in the form of :
+@IP1       LABEL1 or
+@IP2/MASK  LABEL2
+
+It means that your application will have unlabeled access to @IP1 if it has
+write access on LABEL1, and access to the subnet @IP2/MASK if it has write
+access on LABEL2.
+
+Entries in the /smack/netlabel file are matched by longest mask first, like in
+classless IPv4 routing.
+
+A special label '@' and an option '-CIPSO' can be used there :
+@      means Internet, any application with any label has access to it
+-CIPSO means standard CIPSO networking
+
+If you don't know what CIPSO is and don't plan to use it, you can just do :
+echo 127.0.0.1 -CIPSO > /smack/netlabel
+echo 0.0.0.0/0 @      > /smack/netlabel
+
+If you use CIPSO on your 192.168.0.0/16 local network and need also unlabeled
+Internet access, you can have :
+echo 127.0.0.1      -CIPSO > /smack/netlabel
+echo 192.168.0.0/16 -CIPSO > /smack/netlabel
+echo 0.0.0.0/0      @      > /smack/netlabel
+
+
 Writing Applications for Smack
 
 There are three sorts of applications that will run on a Smack system. How an
diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt
index 7907586c6e08..1135996bec8b 100644
--- a/Documentation/feature-removal-schedule.txt
+++ b/Documentation/feature-removal-schedule.txt
@@ -356,17 +356,6 @@ Who:	Hans de Goede <hdegoede@redhat.com>
 
 ---------------------------
 
-What:   SELinux "compat_net" functionality
-When:   2.6.30 at the earliest
-Why:    In 2.6.18 the Secmark concept was introduced to replace the "compat_net"
-        network access control functionality of SELinux.  Secmark offers both
-        better performance and greater flexibility than the "compat_net"
-        mechanism.  Now that the major Linux distributions have moved to
-        Secmark, it is time to deprecate the older mechanism and start the
-        process of removing the old code.
-Who:    Paul Moore <paul.moore@hp.com>
----------------------------
-
 What:   sysfs ui for changing p4-clockmod parameters
 When:   September 2009
 Why:    See commits 129f8ae9b1b5be94517da76009ea956e89104ce8 and
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index d1e2fcb6298b..be3bde51b564 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -2030,15 +2030,6 @@ and is between 256 and 4096 characters. It is defined in the file
                         If enabled at boot time, /selinux/disable can be used
                         later to disable prior to initial policy load.
 
-        selinux_compat_net =
-                        [SELINUX] Set initial selinux_compat_net flag value.
-                        Format: { "0" | "1" }
-                        0 -- use new secmark-based packet controls
-                        1 -- use legacy packet controls
-                        Default value is 0 (preferred).
-                        Value can be changed at runtime via
-                        /selinux/compat_net.
-
         serialnumber    [BUGS=X86-32]
 
         shapers=        [NET]