Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6

* master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6: (109 commits)
  [ETHTOOL]: Fix UFO typo
  [SCTP]: Fix persistent slowdown in sctp when a gap ack consumes rx buffer.
  [SCTP]: Send only 1 window update SACK per message.
  [SCTP]: Don't do CRC32C checksum over loopback.
  [SCTP] Reset rtt_in_progress for the chunk when processing its sack.
  [SCTP]: Reject sctp packets with broadcast addresses.
  [SCTP]: Limit association max_retrans setting in setsockopt.
  [PFKEYV2]: Fix inconsistent typing in struct sadb_x_kmprivate.
  [IPV6]: Sum real space for RTAs.
  [IRDA]: Use put_unaligned() in irlmp_do_discovery().
  [BRIDGE]: Add support for NETIF_F_HW_CSUM devices
  [NET]: Add NETIF_F_GEN_CSUM and NETIF_F_ALL_CSUM
  [TG3]: Convert to non-LLTX
  [TG3]: Remove unnecessary tx_lock
  [TCP]: Add tcp_slow_start_after_idle sysctl.
  [BNX2]: Update version and reldate
  [BNX2]: Use CPU native page size
  [BNX2]: Use compressed firmware
  [BNX2]: Add firmware decompression
  [BNX2]: Allow WoL settings on new 5708 chips
  ...

Manual fixup for conflict in drivers/net/tulip/winbond-840.c

1 files changed, 38 insertions, 13 deletions

diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index abe99d881376..6633fb059313 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -132,10 +132,7 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_us
                 goto out;
 
         /*
-         * Does the subject have permission to set security or permission to
-         * do the relabel?
-         * Must be permitted to relabel from default socket type (process type)
-         * to specified context
+         * Does the subject have permission to set security context?
          */
         rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
                           SECCLASS_ASSOCIATION,
@@ -201,6 +198,23 @@ void selinux_xfrm_policy_free(struct xfrm_policy *xp)
 }
 
 /*
+ * LSM hook implementation that authorizes deletion of labeled policies.
+ */
+int selinux_xfrm_policy_delete(struct xfrm_policy *xp)
+{
+        struct task_security_struct *tsec = current->security;
+        struct xfrm_sec_ctx *ctx = xp->security;
+        int rc = 0;
+
+        if (ctx)
+                rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
+                                  SECCLASS_ASSOCIATION,
+                                  ASSOCIATION__SETCONTEXT, NULL);
+
+        return rc;
+}
+
+/*
  * LSM hook implementation that allocs and transfers sec_ctx spec to
  * xfrm_state.
  */
@@ -292,6 +306,23 @@ u32 selinux_socket_getpeer_dgram(struct sk_buff *skb)
         return SECSID_NULL;
 }
 
+ /*
+  * LSM hook implementation that authorizes deletion of labeled SAs.
+  */
+int selinux_xfrm_state_delete(struct xfrm_state *x)
+{
+        struct task_security_struct *tsec = current->security;
+        struct xfrm_sec_ctx *ctx = x->security;
+        int rc = 0;
+
+        if (ctx)
+                rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
+                                  SECCLASS_ASSOCIATION,
+                                  ASSOCIATION__SETCONTEXT, NULL);
+
+        return rc;
+}
+
 /*
  * LSM hook that controls access to unlabelled packets.  If
  * a xfrm_state is authorizable (defined by macro) then it was
@@ -356,18 +387,12 @@ int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb)
                         struct xfrm_state *x = dst_test->xfrm;
 
                         if (x && selinux_authorizable_xfrm(x))
-                                goto accept;
+                                goto out;
                 }
         }
 
         rc = avc_has_perm(isec_sid, SECINITSID_UNLABELED, SECCLASS_ASSOCIATION,
                           ASSOCIATION__SENDTO, NULL);
-        if (rc)
-                goto drop;
-
-accept:
-        return NF_ACCEPT;
-
-drop:
-        return NF_DROP;
+out:
+        return rc;
 }