Merge branch 'mpi-master' into wip-k-fmlpwip-k-fmlp

Conflicts:
	litmus/sched_cedf.c

4 files changed, 52 insertions, 17 deletions

diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index e94e82f73818..47fda963495d 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -15,7 +15,6 @@
 #include <linux/audit.h>
 #include <linux/lsm_audit.h>
 #include <linux/in6.h>
-#include <linux/path.h>
 #include <asm/system.h>
 #include "flask.h"
 #include "av_permissions.h"
@@ -42,7 +41,6 @@ struct sk_buff;
  */
 struct avc_cache_stats {
         unsigned int lookups;
-        unsigned int hits;
         unsigned int misses;
         unsigned int allocations;
         unsigned int reclaims;
@@ -55,11 +53,11 @@ struct avc_cache_stats {
 
 void __init avc_init(void);
 
-void avc_audit(u32 ssid, u32 tsid,
+int avc_audit(u32 ssid, u32 tsid,
                u16 tclass, u32 requested,
                struct av_decision *avd,
                int result,
-               struct common_audit_data *a);
+              struct common_audit_data *a, unsigned flags);
 
 #define AVC_STRICT 1 /* Ignore permissive mode. */
 int avc_has_perm_noaudit(u32 ssid, u32 tsid,
@@ -67,9 +65,17 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
                          unsigned flags,
                          struct av_decision *avd);
 
-int avc_has_perm(u32 ssid, u32 tsid,
-                 u16 tclass, u32 requested,
-                 struct common_audit_data *auditdata);
+int avc_has_perm_flags(u32 ssid, u32 tsid,
+                       u16 tclass, u32 requested,
+                       struct common_audit_data *auditdata,
+                       unsigned);
+
+static inline int avc_has_perm(u32 ssid, u32 tsid,
+                               u16 tclass, u32 requested,
+                               struct common_audit_data *auditdata)
+{
+        return avc_has_perm_flags(ssid, tsid, tclass, requested, auditdata, 0);
+}
 
 u32 avc_policy_seqno(void);
 
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index b4c9eb4bd6f9..b8c53723e09b 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -12,12 +12,16 @@
 #define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
             "write", "associate", "unix_read", "unix_write"
 
+/*
+ * Note: The name for any socket class should be suffixed by "socket",
+ *       and doesn't contain more than one substr of "socket".
+ */
 struct security_class_mapping secclass_map[] = {
         { "security",
           { "compute_av", "compute_create", "compute_member",
             "check_context", "load_policy", "compute_relabel",
             "compute_user", "setenforce", "setbool", "setsecparam",
-            "setcheckreqprot", NULL } },
+            "setcheckreqprot", "read_policy", NULL } },
         { "process",
           { "fork", "transition", "sigchld", "sigkill",
             "sigstop", "signull", "signal", "ptrace", "getsched", "setsched",
@@ -132,8 +136,7 @@ struct security_class_mapping secclass_map[] = {
         { "appletalk_socket",
           { COMMON_SOCK_PERMS, NULL } },
         { "packet",
-          { "send", "recv", "relabelto", "flow_in", "flow_out",
-            "forward_in", "forward_out", NULL } },
+          { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } },
         { "key",
           { "view", "read", "write", "search", "link", "setattr", "create",
             NULL } },
@@ -142,7 +145,7 @@ struct security_class_mapping secclass_map[] = {
             "node_bind", "name_connect", NULL } },
         { "memprotect", { "mmap_zero", NULL } },
         { "peer", { "recv", NULL } },
-        { "capability2", { "mac_override", "mac_admin", NULL } },
+        { "capability2", { "mac_override", "mac_admin", "syslog", NULL } },
         { "kernel_service", { "use_as_override", "create_files_as", NULL } },
         { "tun_socket",
           { COMMON_SOCK_PERMS, NULL } },
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 1f7c2491d3dc..3ba4feba048a 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -8,7 +8,9 @@
 #ifndef _SELINUX_SECURITY_H_
 #define _SELINUX_SECURITY_H_
 
+#include <linux/dcache.h>
 #include <linux/magic.h>
+#include <linux/types.h>
 #include "flask.h"
 
 #define SECSID_NULL                     0x00000000 /* unspecified SID */
@@ -27,13 +29,15 @@
 #define POLICYDB_VERSION_POLCAP         22
 #define POLICYDB_VERSION_PERMISSIVE     23
 #define POLICYDB_VERSION_BOUNDARY       24
+#define POLICYDB_VERSION_FILENAME_TRANS 25
+#define POLICYDB_VERSION_ROLETRANS      26
 
 /* Range of policy versions we understand*/
 #define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
 #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
 #define POLICYDB_VERSION_MAX    CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
 #else
-#define POLICYDB_VERSION_MAX    POLICYDB_VERSION_BOUNDARY
+#define POLICYDB_VERSION_MAX    POLICYDB_VERSION_ROLETRANS
 #endif
 
 /* Mask for just the mount related flags */
@@ -82,6 +86,8 @@ extern int selinux_policycap_openperm;
 int security_mls_enabled(void);
 
 int security_load_policy(void *data, size_t len);
+int security_read_policy(void **data, size_t *len);
+size_t security_policydb_len(void);
 
 int security_policycap_supported(unsigned int req_cap);
 
@@ -103,11 +109,11 @@ void security_compute_av(u32 ssid, u32 tsid,
 void security_compute_av_user(u32 ssid, u32 tsid,
                              u16 tclass, struct av_decision *avd);
 
-int security_transition_sid(u32 ssid, u32 tsid,
-                            u16 tclass, u32 *out_sid);
+int security_transition_sid(u32 ssid, u32 tsid, u16 tclass,
+                            const struct qstr *qstr, u32 *out_sid);
 
-int security_transition_sid_user(u32 ssid, u32 tsid,
-                                 u16 tclass, u32 *out_sid);
+int security_transition_sid_user(u32 ssid, u32 tsid, u16 tclass,
+                                 const char *objname, u32 *out_sid);
 
 int security_member_sid(u32 ssid, u32 tsid,
         u16 tclass, u32 *out_sid);
@@ -191,5 +197,25 @@ static inline int security_netlbl_sid_to_secattr(u32 sid,
 
 const char *security_get_initial_sid_context(u32 sid);
 
+/*
+ * status notifier using mmap interface
+ */
+extern struct page *selinux_kernel_status_page(void);
+
+#define SELINUX_KERNEL_STATUS_VERSION   1
+struct selinux_kernel_status {
+        u32     version;        /* version number of thie structure */
+        u32     sequence;       /* sequence number of seqlock logic */
+        u32     enforcing;      /* current setting of enforcing mode */
+        u32     policyload;     /* times of policy reloaded */
+        u32     deny_unknown;   /* current setting of deny_unknown */
+        /*
+         * The version > 0 supports above members.
+         */
+} __attribute__((packed));
+
+extern void selinux_status_update_setenforce(int enforcing);
+extern void selinux_status_update_policyload(int seqno);
+
 #endif /* _SELINUX_SECURITY_H_ */
 
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index 13128f9a3e5a..b43813c9e049 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -19,7 +19,7 @@ void selinux_xfrm_state_free(struct xfrm_state *x);
 int selinux_xfrm_state_delete(struct xfrm_state *x);
 int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
 int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
-                        struct xfrm_policy *xp, struct flowi *fl);
+                        struct xfrm_policy *xp, const struct flowi *fl);
 
 /*
  * Extract the security blob from the sock (it's actually on the socket)