1 files changed, 66 insertions, 215 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index 2c627d361c02..c642bb8b8f5a 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -23,6 +23,7 @@
 #define __LINUX_SECURITY_H
 #include <linux/fs.h>
+#include <linux/fsnotify.h>
 #include <linux/binfmts.h>
 #include <linux/signal.h>
 #include <linux/resource.h>
@@ -33,7 +34,7 @@
 #include <linux/sched.h>
 #include <linux/key.h>
 #include <linux/xfrm.h>
-#include <linux/gfp.h>
+#include <linux/slab.h>
 #include <net/flow.h>
 /* Maximum number of letters for an LSM name string */
@@ -73,10 +74,9 @@ extern int cap_file_mmap(struct file *file, unsigned long reqprot,
 extern int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags);
 extern int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
                          unsigned long arg4, unsigned long arg5);
-extern int cap_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp);
+extern int cap_task_setscheduler(struct task_struct *p);
 extern int cap_task_setioprio(struct task_struct *p, int ioprio);
 extern int cap_task_setnice(struct task_struct *p, int nice);
-extern int cap_syslog(int type);
 extern int cap_vm_enough_memory(struct mm_struct *mm, long pages);
 struct msghdr;
@@ -95,6 +95,8 @@ struct seq_file;
 extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb);
 extern int cap_netlink_recv(struct sk_buff *skb, int cap);
+void reset_security_ops(void);
 #ifdef CONFIG_MMU
 extern unsigned long mmap_min_addr;
 extern unsigned long dac_mmap_min_addr;
@@ -265,49 +267,16 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      @orig the original mount data copied from userspace.
 *      @copy copied data which will be passed to the security module.
 *      Returns 0 if the copy was successful.
- * @sb_check_sb:
- *      Check permission before the device with superblock @mnt->sb is mounted
- *      on the mount point named by @nd.
- *      @mnt contains the vfsmount for device being mounted.
- *      @path contains the path for the mount point.
- *      Return 0 if permission is granted.
 * @sb_umount:
 *      Check permission before the @mnt file system is unmounted.
 *      @mnt contains the mounted file system.
 *      @flags contains the unmount flags, e.g. MNT_FORCE.
 *      Return 0 if permission is granted.
- * @sb_umount_close:
- *      Close any files in the @mnt mounted filesystem that are held open by
- *      the security module.  This hook is called during an umount operation
- *      prior to checking whether the filesystem is still busy.
- *      @mnt contains the mounted filesystem.
- * @sb_umount_busy:
- *      Handle a failed umount of the @mnt mounted filesystem, e.g.  re-opening
- *      any files that were closed by umount_close.  This hook is called during
- *      an umount operation if the umount fails after a call to the
- *      umount_close hook.
- *      @mnt contains the mounted filesystem.
- * @sb_post_remount:
- *      Update the security module's state when a filesystem is remounted.
- *      This hook is only called if the remount was successful.
- *      @mnt contains the mounted file system.
- *      @flags contains the new filesystem flags.
- *      @data contains the filesystem-specific data.
- * @sb_post_addmount:
- *      Update the security module's state when a filesystem is mounted.
- *      This hook is called any time a mount is successfully grafetd to
- *      the tree.
- *      @mnt contains the mounted filesystem.
- *      @mountpoint contains the path for the mount point.
 * @sb_pivotroot:
 *      Check permission before pivoting the root filesystem.
 *      @old_path contains the path for the new location of the current root (put_old).
 *      @new_path contains the path for the new root (new_root).
 *      Return 0 if permission is granted.
- * @sb_post_pivotroot:
- *      Update module state after a successful pivot.
- *      @old_path contains the path for the old root.
- *      @new_path contains the path for the new root.
 * @sb_set_mnt_opts:
 *      Set the security relevant mount options used for a superblock
 *      @sb the superblock to set security mount options for
@@ -488,7 +457,6 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      called when the actual read/write operations are performed.
 *      @inode contains the inode structure to check.
 *      @mask contains the permission mask.
- *      @nd contains the nameidata (may be NULL).
 *      Return 0 if permission is granted.
 * @inode_setattr:
 *      Check permission before setting file attributes.  Note that the kernel
@@ -501,20 +469,12 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 * @path_truncate:
 *      Check permission before truncating a file.
 *      @path contains the path structure for the file.
- *      @length is the new length of the file.
- *      @time_attrs is the flags passed to do_truncate().
 *      Return 0 if permission is granted.
 * @inode_getattr:
 *      Check permission before obtaining file attributes.
 *      @mnt is the vfsmount where the dentry was looked up
 *      @dentry contains the dentry structure for the file.
 *      Return 0 if permission is granted.
- * @inode_delete:
- *      @inode contains the inode structure for deleted inode.
- *      This hook is called when a deleted inode is released (i.e. an inode
- *      with no hard links has its use count drop to zero).  A security module
- *      can use this hook to release any persistent label associated with the
- *      inode.
 * @inode_setxattr:
 *      Check permission before setting the extended attributes
 *      @value identified by @name for @dentry.
@@ -689,10 +649,6 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      @old points to the original credentials.
 *      @gfp indicates the atomicity of any memory allocations.
 *      Prepare a new set of credentials by copying the data from the old set.
- * @cred_commit:
- *      @new points to the new credentials.
- *      @old points to the original credentials.
- *      Install a new set of credentials.
 * @cred_transfer:
 *      @new points to the new credentials.
 *      @old points to the original credentials.
@@ -715,18 +671,6 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      userspace to load a kernel module with the given name.
 *      @kmod_name name of the module requested by the kernel
 *      Return 0 if successful.
- * @task_setuid:
- *      Check permission before setting one or more of the user identity
- *      attributes of the current process.  The @flags parameter indicates
- *      which of the set*uid system calls invoked this hook and how to
- *      interpret the @id0, @id1, and @id2 parameters.  See the LSM_SETID
- *      definitions at the beginning of this file for the @flags values and
- *      their meanings.
- *      @id0 contains a uid.
- *      @id1 contains a uid.
- *      @id2 contains a uid.
- *      @flags contains one of the LSM_SETID_* values.
- *      Return 0 if permission is granted.
 * @task_fix_setuid:
 *      Update the module's state after setting one or more of the user
 *      identity attributes of the current process.  The @flags parameter
@@ -736,18 +680,6 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      @old is the set of credentials that are being replaces
 *      @flags contains one of the LSM_SETID_* values.
 *      Return 0 on success.
- * @task_setgid:
- *      Check permission before setting one or more of the group identity
- *      attributes of the current process.  The @flags parameter indicates
- *      which of the set*gid system calls invoked this hook and how to
- *      interpret the @id0, @id1, and @id2 parameters.  See the LSM_SETID
- *      definitions at the beginning of this file for the @flags values and
- *      their meanings.
- *      @id0 contains a gid.
- *      @id1 contains a gid.
- *      @id2 contains a gid.
- *      @flags contains one of the LSM_SETID_* values.
- *      Return 0 if permission is granted.
 * @task_setpgid:
 *      Check permission before setting the process group identifier of the
 *      process @p to @pgid.
@@ -769,11 +701,6 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      @p contains the task_struct for the process and place is into @secid.
 *      In case of failure, @secid will be set to zero.
 *
- * @task_setgroups:
- *      Check permission before setting the supplementary group set of the
- *      current process.
- *      @group_info contains the new group information.
- *      Return 0 if permission is granted.
 * @task_setnice:
 *      Check permission before setting the nice value of @p to @nice.
 *      @p contains the task_struct of process.
@@ -868,8 +795,9 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 * @unix_stream_connect:
 *      Check permissions before establishing a Unix domain stream connection
 *      between @sock and @other.
- *      @sock contains the socket structure.
+ *      @sock contains the sock structure.
- *      @other contains the peer socket structure.
+ *      @other contains the peer sock structure.
+ *      @newsk contains the new sock structure.
 *      Return 0 if permission is granted.
 * @unix_may_send:
 *      Check permissions before connecting or sending datagrams from @sock to
@@ -985,6 +913,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      Check permissions on incoming network packets.  This hook is distinct
 *      from Netfilter's IP input hooks since it is the first time that the
 *      incoming sk_buff @skb has been associated with a particular socket, @sk.
+ *      Must not sleep inside this hook because some callers hold spinlocks.
 *      @sk contains the sock (not socket) associated with the incoming sk_buff.
 *      @skb contains the incoming network data.
 * @socket_getpeersec_stream:
@@ -1029,6 +958,12 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      Sets the new child socket's sid to the openreq sid.
 * @inet_conn_established:
 *      Sets the connection's peersid to the secmark on skb.
+ * @secmark_relabel_packet:
+ *      check if the process should be allowed to relabel packets to the given secid
+ * @security_secmark_refcount_inc
+ *      tells the LSM to increment the number of secmark labeling rules loaded
+ * @security_secmark_refcount_dec
+ *      tells the LSM to decrement the number of secmark labeling rules loaded
 * @req_classify_flow:
 *      Sets the flow's sid to the openreq sid.
 * @tun_dev_create:
@@ -1123,8 +1058,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      @cred points to the credentials to provide the context against which to
 *      evaluate the security data on the key.
 *      @perm describes the combination of permissions required of this key.
- *      Return 1 if permission granted, 0 if permission denied and -ve it the
+ *      Return 0 if permission is granted, -ve error otherwise.
- *      normal permissions model should be effected.
 * @key_getsecurity:
 *      Get a textual representation of the security context attached to a key
 *      for the purposes of honouring KEYCTL_GETSECURITY.  This function
@@ -1136,13 +1070,6 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      Return the length of the string (including terminating NUL) or -ve if
 *      an error.
 *      May also return 0 (and a NULL buffer pointer) if there is no label.
- * @key_session_to_parent:
- *      Forcibly assign the session keyring from a process to its parent
- *      process.
- *      @cred: Pointer to process's credentials
- *      @parent_cred: Pointer to parent process's credentials
- *      @keyring: Proposed new session keyring
- *      Return 0 if permission is granted, -ve error otherwise.
 *
 * Security hooks affecting all System V IPC operations.
 *
@@ -1330,13 +1257,6 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      @cap contains the capability <include/linux/capability.h>.
 *      @audit: Whether to write an audit message or not
 *      Return 0 if the capability is granted for @tsk.
- * @acct:
- *      Check permission before enabling or disabling process accounting.  If
- *      accounting is being enabled, then @file refers to the open file used to
- *      store accounting records.  If accounting is being disabled, then @file
- *      is NULL.
- *      @file contains the file structure for the accounting file (may be NULL).
- *      Return 0 if permission is granted.
 * @sysctl:
 *      Check permission before accessing the @table sysctl variable in the
 *      manner specified by @op.
@@ -1348,6 +1268,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      logging to the console.
 *      See the syslog(2) manual page for an explanation of the @type values.
 *      @type contains the type of action.
+ *      @from_file indicates the context of action (if it came from /proc).
 *      Return 0 if permission is granted.
 * @settime:
 *      Check permission to change the system time.
@@ -1362,9 +1283,13 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      Return 0 if permission is granted.
 *
 * @secid_to_secctx:
- *      Convert secid to security context.
+ *      Convert secid to security context.  If secdata is NULL the length of
+ *      the result will be returned in seclen, but no secdata will be returned.
+ *      This does mean that the length could change between calls to check the
+ *      length and the next call which actually allocates and returns the secdata.
 *      @secid contains the security ID.
 *      @secdata contains the pointer that stores the converted security context.
+ *      @seclen pointer which contains the length of the data
 * @secctx_to_secid:
 *      Convert security context to secid.
 *      @secid contains the pointer to the generated security ID.
@@ -1458,7 +1383,6 @@ struct security_operations {
                       const kernel_cap_t *permitted);
        int (*capable) (struct task_struct *tsk, const struct cred *cred,
                        int cap, int audit);
-        int (*acct) (struct file *file);
        int (*sysctl) (struct ctl_table *table, int op);
        int (*quotactl) (int cmds, int type, int id, struct super_block *sb);
        int (*quota_on) (struct dentry *dentry);
@@ -1480,18 +1404,9 @@ struct security_operations {
        int (*sb_statfs) (struct dentry *dentry);
        int (*sb_mount) (char *dev_name, struct path *path,
                         char *type, unsigned long flags, void *data);
-        int (*sb_check_sb) (struct vfsmount *mnt, struct path *path);
        int (*sb_umount) (struct vfsmount *mnt, int flags);
-        void (*sb_umount_close) (struct vfsmount *mnt);
-        void (*sb_umount_busy) (struct vfsmount *mnt);
-        void (*sb_post_remount) (struct vfsmount *mnt,
-                                 unsigned long flags, void *data);
-        void (*sb_post_addmount) (struct vfsmount *mnt,
-                                  struct path *mountpoint);
        int (*sb_pivotroot) (struct path *old_path,
                             struct path *new_path);
-        void (*sb_post_pivotroot) (struct path *old_path,
-                                   struct path *new_path);
        int (*sb_set_mnt_opts) (struct super_block *sb,
                                struct security_mnt_opts *opts);
        void (*sb_clone_mnt_opts) (const struct super_block *oldsb,
@@ -1504,8 +1419,7 @@ struct security_operations {
        int (*path_rmdir) (struct path *dir, struct dentry *dentry);
        int (*path_mknod) (struct path *dir, struct dentry *dentry, int mode,
                           unsigned int dev);
-        int (*path_truncate) (struct path *path, loff_t length,
+        int (*path_truncate) (struct path *path);
-                              unsigned int time_attrs);
        int (*path_symlink) (struct path *dir, struct dentry *dentry,
                             const char *old_name);
        int (*path_link) (struct dentry *old_dentry, struct path *new_dir,
@@ -1540,7 +1454,6 @@ struct security_operations {
        int (*inode_permission) (struct inode *inode, int mask);
        int (*inode_setattr)    (struct dentry *dentry, struct iattr *attr);
        int (*inode_getattr) (struct vfsmount *mnt, struct dentry *dentry);
-        void (*inode_delete) (struct inode *inode);
        int (*inode_setxattr) (struct dentry *dentry, const char *name,
                               const void *value, size_t size, int flags);
        void (*inode_post_setxattr) (struct dentry *dentry, const char *name,
@@ -1581,26 +1494,22 @@ struct security_operations {
        void (*cred_free) (struct cred *cred);
        int (*cred_prepare)(struct cred *new, const struct cred *old,
                            gfp_t gfp);
-        void (*cred_commit)(struct cred *new, const struct cred *old);
        void (*cred_transfer)(struct cred *new, const struct cred *old);
        int (*kernel_act_as)(struct cred *new, u32 secid);
        int (*kernel_create_files_as)(struct cred *new, struct inode *inode);
        int (*kernel_module_request)(char *kmod_name);
-        int (*task_setuid) (uid_t id0, uid_t id1, uid_t id2, int flags);
        int (*task_fix_setuid) (struct cred *new, const struct cred *old,
                                int flags);
-        int (*task_setgid) (gid_t id0, gid_t id1, gid_t id2, int flags);
        int (*task_setpgid) (struct task_struct *p, pid_t pgid);
        int (*task_getpgid) (struct task_struct *p);
        int (*task_getsid) (struct task_struct *p);
        void (*task_getsecid) (struct task_struct *p, u32 *secid);
-        int (*task_setgroups) (struct group_info *group_info);
        int (*task_setnice) (struct task_struct *p, int nice);
        int (*task_setioprio) (struct task_struct *p, int ioprio);
        int (*task_getioprio) (struct task_struct *p);
-        int (*task_setrlimit) (unsigned int resource, struct rlimit *new_rlim);
+        int (*task_setrlimit) (struct task_struct *p, unsigned int resource,
-        int (*task_setscheduler) (struct task_struct *p, int policy,
+                        struct rlimit *new_rlim);
-                                  struct sched_param *lp);
+        int (*task_setscheduler) (struct task_struct *p);
        int (*task_getscheduler) (struct task_struct *p);
        int (*task_movememory) (struct task_struct *p);
        int (*task_kill) (struct task_struct *p,
@@ -1658,8 +1567,7 @@ struct security_operations {
        int (*inode_getsecctx)(struct inode *inode, void **ctx, u32 *ctxlen);
 #ifdef CONFIG_SECURITY_NETWORK
-        int (*unix_stream_connect) (struct socket *sock,
+        int (*unix_stream_connect) (struct sock *sock, struct sock *other, struct sock *newsk);
-                                    struct socket *other, struct sock *newsk);
        int (*unix_may_send) (struct socket *sock, struct socket *other);
        int (*socket_create) (int family, int type, int protocol, int kern);
@@ -1692,6 +1600,9 @@ struct security_operations {
                                  struct request_sock *req);
        void (*inet_csk_clone) (struct sock *newsk, const struct request_sock *req);
        void (*inet_conn_established) (struct sock *sk, struct sk_buff *skb);
+        int (*secmark_relabel_packet) (u32 secid);
+        void (*secmark_refcount_inc) (void);
+        void (*secmark_refcount_dec) (void);
        void (*req_classify_flow) (const struct request_sock *req, struct flowi *fl);
        int (*tun_dev_create)(void);
        void (*tun_dev_post_create)(struct sock *sk);
@@ -1724,9 +1635,6 @@ struct security_operations {
                               const struct cred *cred,
                               key_perm_t perm);
        int (*key_getsecurity)(struct key *key, char **_buffer);
-        int (*key_session_to_parent)(const struct cred *cred,
-                                     const struct cred *parent_cred,
-                                     struct key *key);
 #endif  /* CONFIG_KEYS */
 #ifdef CONFIG_AUDIT
@@ -1757,7 +1665,6 @@ int security_capset(struct cred *new, const struct cred *old,
 int security_capable(int cap);
 int security_real_capable(struct task_struct *tsk, int cap);
 int security_real_capable_noaudit(struct task_struct *tsk, int cap);
-int security_acct(struct file *file);
 int security_sysctl(struct ctl_table *table, int op);
 int security_quotactl(int cmds, int type, int id, struct super_block *sb);
 int security_quota_on(struct dentry *dentry);
@@ -1779,14 +1686,8 @@ int security_sb_show_options(struct seq_file *m, struct super_block *sb);
 int security_sb_statfs(struct dentry *dentry);
 int security_sb_mount(char *dev_name, struct path *path,
                      char *type, unsigned long flags, void *data);
-int security_sb_check_sb(struct vfsmount *mnt, struct path *path);
 int security_sb_umount(struct vfsmount *mnt, int flags);
-void security_sb_umount_close(struct vfsmount *mnt);
-void security_sb_umount_busy(struct vfsmount *mnt);
-void security_sb_post_remount(struct vfsmount *mnt, unsigned long flags, void *data);
-void security_sb_post_addmount(struct vfsmount *mnt, struct path *mountpoint);
 int security_sb_pivotroot(struct path *old_path, struct path *new_path);
-void security_sb_post_pivotroot(struct path *old_path, struct path *new_path);
 int security_sb_set_mnt_opts(struct super_block *sb, struct security_mnt_opts *opts);
 void security_sb_clone_mnt_opts(const struct super_block *oldsb,
                                struct super_block *newsb);
@@ -1810,9 +1711,9 @@ int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
 int security_inode_readlink(struct dentry *dentry);
 int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd);
 int security_inode_permission(struct inode *inode, int mask);
+int security_inode_exec_permission(struct inode *inode, unsigned int flags);
 int security_inode_setattr(struct dentry *dentry, struct iattr *attr);
 int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry);
-void security_inode_delete(struct inode *inode);
 int security_inode_setxattr(struct dentry *dentry, const char *name,
                            const void *value, size_t size, int flags);
 void security_inode_post_setxattr(struct dentry *dentry, const char *name,
@@ -1846,26 +1747,22 @@ int security_task_create(unsigned long clone_flags);
 int security_cred_alloc_blank(struct cred *cred, gfp_t gfp);
 void security_cred_free(struct cred *cred);
 int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp);
-void security_commit_creds(struct cred *new, const struct cred *old);
 void security_transfer_creds(struct cred *new, const struct cred *old);
 int security_kernel_act_as(struct cred *new, u32 secid);
 int security_kernel_create_files_as(struct cred *new, struct inode *inode);
 int security_kernel_module_request(char *kmod_name);
-int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags);
 int security_task_fix_setuid(struct cred *new, const struct cred *old,
                             int flags);
-int security_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags);
 int security_task_setpgid(struct task_struct *p, pid_t pgid);
 int security_task_getpgid(struct task_struct *p);
 int security_task_getsid(struct task_struct *p);
 void security_task_getsecid(struct task_struct *p, u32 *secid);
-int security_task_setgroups(struct group_info *group_info);
 int security_task_setnice(struct task_struct *p, int nice);
 int security_task_setioprio(struct task_struct *p, int ioprio);
 int security_task_getioprio(struct task_struct *p);
-int security_task_setrlimit(unsigned int resource, struct rlimit *new_rlim);
+int security_task_setrlimit(struct task_struct *p, unsigned int resource,
-int security_task_setscheduler(struct task_struct *p,
+                struct rlimit *new_rlim);
-                                int policy, struct sched_param *lp);
+int security_task_setscheduler(struct task_struct *p);
 int security_task_getscheduler(struct task_struct *p);
 int security_task_movememory(struct task_struct *p);
 int security_task_kill(struct task_struct *p, struct siginfo *info,
@@ -1986,11 +1883,6 @@ int security_real_capable_noaudit(struct task_struct *tsk, int cap)
        return ret;
 }
-static inline int security_acct(struct file *file)
-{
-        return 0;
-}
 static inline int security_sysctl(struct ctl_table *table, int op)
 {
        return 0;
@@ -2009,7 +1901,7 @@ static inline int security_quota_on(struct dentry *dentry)
 static inline int security_syslog(int type)
 {
-        return cap_syslog(type);
+        return 0;
 }
 static inline int security_settime(struct timespec *ts, struct timezone *tz)
@@ -2095,41 +1987,17 @@ static inline int security_sb_mount(char *dev_name, struct path *path,
        return 0;
 }
-static inline int security_sb_check_sb(struct vfsmount *mnt,
-                                       struct path *path)
-{
-        return 0;
-}
 static inline int security_sb_umount(struct vfsmount *mnt, int flags)
 {
        return 0;
 }
-static inline void security_sb_umount_close(struct vfsmount *mnt)
-{ }
-static inline void security_sb_umount_busy(struct vfsmount *mnt)
-{ }
-static inline void security_sb_post_remount(struct vfsmount *mnt,
-                                             unsigned long flags, void *data)
-{ }
-static inline void security_sb_post_addmount(struct vfsmount *mnt,
-                                             struct path *mountpoint)
-{ }
 static inline int security_sb_pivotroot(struct path *old_path,
                                        struct path *new_path)
 {
        return 0;
 }
-static inline void security_sb_post_pivotroot(struct path *old_path,
-                                              struct path *new_path)
-{ }
 static inline int security_sb_set_mnt_opts(struct super_block *sb,
                                           struct security_mnt_opts *opts)
 {
@@ -2233,6 +2101,12 @@ static inline int security_inode_permission(struct inode *inode, int mask)
        return 0;
 }
+static inline int security_inode_exec_permission(struct inode *inode,
+                                                  unsigned int flags)
+{
+        return 0;
+}
 static inline int security_inode_setattr(struct dentry *dentry,
                                          struct iattr *attr)
 {
@@ -2245,9 +2119,6 @@ static inline int security_inode_getattr(struct vfsmount *mnt,
        return 0;
 }
-static inline void security_inode_delete(struct inode *inode)
-{ }
 static inline int security_inode_setxattr(struct dentry *dentry,
                const char *name, const void *value, size_t size, int flags)
 {
@@ -2394,11 +2265,6 @@ static inline int security_prepare_creds(struct cred *new,
        return 0;
 }
-static inline void security_commit_creds(struct cred *new,
-                                         const struct cred *old)
-{
-}
 static inline void security_transfer_creds(struct cred *new,
                                           const struct cred *old)
 {
@@ -2420,12 +2286,6 @@ static inline int security_kernel_module_request(char *kmod_name)
        return 0;
 }
-static inline int security_task_setuid(uid_t id0, uid_t id1, uid_t id2,
-                                       int flags)
-{
-        return 0;
-}
 static inline int security_task_fix_setuid(struct cred *new,
                                           const struct cred *old,
                                           int flags)
@@ -2433,12 +2293,6 @@ static inline int security_task_fix_setuid(struct cred *new,
        return cap_task_fix_setuid(new, old, flags);
 }
-static inline int security_task_setgid(gid_t id0, gid_t id1, gid_t id2,
-                                       int flags)
-{
-        return 0;
-}
 static inline int security_task_setpgid(struct task_struct *p, pid_t pgid)
 {
        return 0;
@@ -2459,11 +2313,6 @@ static inline void security_task_getsecid(struct task_struct *p, u32 *secid)
        *secid = 0;
 }
-static inline int security_task_setgroups(struct group_info *group_info)
-{
-        return 0;
-}
 static inline int security_task_setnice(struct task_struct *p, int nice)
 {
        return cap_task_setnice(p, nice);
@@ -2479,17 +2328,16 @@ static inline int security_task_getioprio(struct task_struct *p)
        return 0;
 }
-static inline int security_task_setrlimit(unsigned int resource,
+static inline int security_task_setrlimit(struct task_struct *p,
+                                          unsigned int resource,
                                          struct rlimit *new_rlim)
 {
        return 0;
 }
-static inline int security_task_setscheduler(struct task_struct *p,
+static inline int security_task_setscheduler(struct task_struct *p)
-                                             int policy,
-                                             struct sched_param *lp)
 {
-        return cap_task_setscheduler(p, policy, lp);
+        return cap_task_setscheduler(p);
 }
 static inline int security_task_getscheduler(struct task_struct *p)
@@ -2682,8 +2530,7 @@ static inline int security_inode_getsecctx(struct inode *inode, void **ctx, u32
 #ifdef CONFIG_SECURITY_NETWORK
-int security_unix_stream_connect(struct socket *sock, struct socket *other,
+int security_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk);
-                                 struct sock *newsk);
 int security_unix_may_send(struct socket *sock,  struct socket *other);
 int security_socket_create(int family, int type, int protocol, int kern);
 int security_socket_post_create(struct socket *sock, int family,
@@ -2716,13 +2563,16 @@ void security_inet_csk_clone(struct sock *newsk,
                        const struct request_sock *req);
 void security_inet_conn_established(struct sock *sk,
                        struct sk_buff *skb);
+int security_secmark_relabel_packet(u32 secid);
+void security_secmark_refcount_inc(void);
+void security_secmark_refcount_dec(void);
 int security_tun_dev_create(void);
 void security_tun_dev_post_create(struct sock *sk);
 int security_tun_dev_attach(struct sock *sk);
 #else   /* CONFIG_SECURITY_NETWORK */
-static inline int security_unix_stream_connect(struct socket *sock,
+static inline int security_unix_stream_connect(struct sock *sock,
-                                               struct socket *other,
+                                               struct sock *other,
                                               struct sock *newsk)
 {
        return 0;
@@ -2870,6 +2720,19 @@ static inline void security_inet_conn_established(struct sock *sk,
 {
 }
+static inline int security_secmark_relabel_packet(u32 secid)
+{
+        return 0;
+}
+static inline void security_secmark_refcount_inc(void)
+{
+}
+static inline void security_secmark_refcount_dec(void)
+{
+}
 static inline int security_tun_dev_create(void)
 {
        return 0;
@@ -2972,8 +2835,7 @@ int security_path_mkdir(struct path *dir, struct dentry *dentry, int mode);
 int security_path_rmdir(struct path *dir, struct dentry *dentry);
 int security_path_mknod(struct path *dir, struct dentry *dentry, int mode,
                        unsigned int dev);
-int security_path_truncate(struct path *path, loff_t length,
+int security_path_truncate(struct path *path);
-                           unsigned int time_attrs);
 int security_path_symlink(struct path *dir, struct dentry *dentry,
                          const char *old_name);
 int security_path_link(struct dentry *old_dentry, struct path *new_dir,
@@ -3007,8 +2869,7 @@ static inline int security_path_mknod(struct path *dir, struct dentry *dentry,
        return 0;
 }
-static inline int security_path_truncate(struct path *path, loff_t length,
+static inline int security_path_truncate(struct path *path)
-                                         unsigned int time_attrs)
 {
        return 0;
 }
@@ -3060,9 +2921,6 @@ void security_key_free(struct key *key);
 int security_key_permission(key_ref_t key_ref,
                            const struct cred *cred, key_perm_t perm);
 int security_key_getsecurity(struct key *key, char **_buffer);
-int security_key_session_to_parent(const struct cred *cred,
-                                   const struct cred *parent_cred,
-                                   struct key *key);
 #else
@@ -3090,13 +2948,6 @@ static inline int security_key_getsecurity(struct key *key, char **_buffer)
        return 0;
 }
-static inline int security_key_session_to_parent(const struct cred *cred,
-                                                 const struct cred *parent_cred,
-                                                 struct key *key)
-{
-        return 0;
-}
 #endif
 #endif /* CONFIG_KEYS */