6 files changed, 37 insertions, 1 deletions
diff --git a/security/selinux/include/av_inherit.h b/security/selinux/include/av_inherit.h
index b0e6b12931c9..a68fdd55597f 100644
--- a/security/selinux/include/av_inherit.h
+++ b/security/selinux/include/av_inherit.h
@@ -29,3 +29,4 @@
   S_(SECCLASS_NETLINK_IP6FW_SOCKET, socket, 0x00400000UL)
   S_(SECCLASS_NETLINK_DNRT_SOCKET, socket, 0x00400000UL)
   S_(SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_APPLETALK_SOCKET, socket, 0x00400000UL)
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
index 591e98d9315a..70ee65a58817 100644
--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -239,3 +239,6 @@
   S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
   S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
   S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext")
+   S_(SECCLASS_PACKET, PACKET__SEND, "send")
+   S_(SECCLASS_PACKET, PACKET__RECV, "recv")
+   S_(SECCLASS_PACKET, PACKET__RELABELTO, "relabelto")
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
index d7f02edf3930..1d9cf3d306bc 100644
--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -933,3 +933,29 @@
 #define NETLINK_KOBJECT_UEVENT_SOCKET__SEND_MSG   0x00100000UL
 #define NETLINK_KOBJECT_UEVENT_SOCKET__NAME_BIND  0x00200000UL
+#define APPLETALK_SOCKET__IOCTL                   0x00000001UL
+#define APPLETALK_SOCKET__READ                    0x00000002UL
+#define APPLETALK_SOCKET__WRITE                   0x00000004UL
+#define APPLETALK_SOCKET__CREATE                  0x00000008UL
+#define APPLETALK_SOCKET__GETATTR                 0x00000010UL
+#define APPLETALK_SOCKET__SETATTR                 0x00000020UL
+#define APPLETALK_SOCKET__LOCK                    0x00000040UL
+#define APPLETALK_SOCKET__RELABELFROM             0x00000080UL
+#define APPLETALK_SOCKET__RELABELTO               0x00000100UL
+#define APPLETALK_SOCKET__APPEND                  0x00000200UL
+#define APPLETALK_SOCKET__BIND                    0x00000400UL
+#define APPLETALK_SOCKET__CONNECT                 0x00000800UL
+#define APPLETALK_SOCKET__LISTEN                  0x00001000UL
+#define APPLETALK_SOCKET__ACCEPT                  0x00002000UL
+#define APPLETALK_SOCKET__GETOPT                  0x00004000UL
+#define APPLETALK_SOCKET__SETOPT                  0x00008000UL
+#define APPLETALK_SOCKET__SHUTDOWN                0x00010000UL
+#define APPLETALK_SOCKET__RECVFROM                0x00020000UL
+#define APPLETALK_SOCKET__SENDTO                  0x00040000UL
+#define APPLETALK_SOCKET__RECV_MSG                0x00080000UL
+#define APPLETALK_SOCKET__SEND_MSG                0x00100000UL
+#define APPLETALK_SOCKET__NAME_BIND               0x00200000UL
+#define PACKET__SEND                              0x00000001UL
+#define PACKET__RECV                              0x00000002UL
+#define PACKET__RELABELTO                         0x00000004UL
diff --git a/security/selinux/include/class_to_string.h b/security/selinux/include/class_to_string.h
index 77b2c5996f35..3aec75fee4f7 100644
--- a/security/selinux/include/class_to_string.h
+++ b/security/selinux/include/class_to_string.h
@@ -58,3 +58,5 @@
    S_("nscd")
    S_("association")
    S_("netlink_kobject_uevent_socket")
+    S_("appletalk_socket")
+    S_("packet")
diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h
index eb9f50823f6e..a0eb9e281d18 100644
--- a/security/selinux/include/flask.h
+++ b/security/selinux/include/flask.h
@@ -60,6 +60,8 @@
 #define SECCLASS_NSCD                                    53
 #define SECCLASS_ASSOCIATION                             54
 #define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET           55
+#define SECCLASS_APPLETALK_SOCKET                        56
+#define SECCLASS_PACKET                                  57
 /*
 * Security identifier indices for initial entities
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index c10f1fc41502..c96498a10eb8 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -9,8 +9,10 @@
 int selinux_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx);
 int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new);
 void selinux_xfrm_policy_free(struct xfrm_policy *xp);
+int selinux_xfrm_policy_delete(struct xfrm_policy *xp);
 int selinux_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx);
 void selinux_xfrm_state_free(struct xfrm_state *x);
+int selinux_xfrm_state_delete(struct xfrm_state *x);
 int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir);
 /*
@@ -49,7 +51,7 @@ static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb)
 static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb)
 {
-        return NF_ACCEPT;
+        return 0;
 }
 static inline int selinux_socket_getpeer_stream(struct sock *sk)

diff --git a/security/selinux/include/av_inherit.h b/security/selinux/include/av_inherit.h index b0e6b12931c9..a68fdd55597f 100644 --- a/security/selinux/include/av_inherit.h +++ b/security/selinux/include/av_inherit.h
@@ -29,3 +29,4 @@
29	S_(SECCLASS_NETLINK_IP6FW_SOCKET, socket, 0x00400000UL)	29	S_(SECCLASS_NETLINK_IP6FW_SOCKET, socket, 0x00400000UL)
30	S_(SECCLASS_NETLINK_DNRT_SOCKET, socket, 0x00400000UL)	30	S_(SECCLASS_NETLINK_DNRT_SOCKET, socket, 0x00400000UL)
31	S_(SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET, socket, 0x00400000UL)	31	S_(SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET, socket, 0x00400000UL)
		32	S_(SECCLASS_APPLETALK_SOCKET, socket, 0x00400000UL)


diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h index 591e98d9315a..70ee65a58817 100644 --- a/security/selinux/include/av_perm_to_string.h +++ b/security/selinux/include/av_perm_to_string.h
@@ -239,3 +239,6 @@
239	S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")	239	S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
240	S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")	240	S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
241	S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext")	241	S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext")
		242	S_(SECCLASS_PACKET, PACKET__SEND, "send")
		243	S_(SECCLASS_PACKET, PACKET__RECV, "recv")
		244	S_(SECCLASS_PACKET, PACKET__RELABELTO, "relabelto")


diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h index d7f02edf3930..1d9cf3d306bc 100644 --- a/security/selinux/include/av_permissions.h +++ b/security/selinux/include/av_permissions.h
@@ -933,3 +933,29 @@
933	#define NETLINK_KOBJECT_UEVENT_SOCKET__SEND_MSG 0x00100000UL	933	#define NETLINK_KOBJECT_UEVENT_SOCKET__SEND_MSG 0x00100000UL
934	#define NETLINK_KOBJECT_UEVENT_SOCKET__NAME_BIND 0x00200000UL	934	#define NETLINK_KOBJECT_UEVENT_SOCKET__NAME_BIND 0x00200000UL
935		935
		936	#define APPLETALK_SOCKET__IOCTL 0x00000001UL
		937	#define APPLETALK_SOCKET__READ 0x00000002UL
		938	#define APPLETALK_SOCKET__WRITE 0x00000004UL
		939	#define APPLETALK_SOCKET__CREATE 0x00000008UL
		940	#define APPLETALK_SOCKET__GETATTR 0x00000010UL
		941	#define APPLETALK_SOCKET__SETATTR 0x00000020UL
		942	#define APPLETALK_SOCKET__LOCK 0x00000040UL
		943	#define APPLETALK_SOCKET__RELABELFROM 0x00000080UL
		944	#define APPLETALK_SOCKET__RELABELTO 0x00000100UL
		945	#define APPLETALK_SOCKET__APPEND 0x00000200UL
		946	#define APPLETALK_SOCKET__BIND 0x00000400UL
		947	#define APPLETALK_SOCKET__CONNECT 0x00000800UL
		948	#define APPLETALK_SOCKET__LISTEN 0x00001000UL
		949	#define APPLETALK_SOCKET__ACCEPT 0x00002000UL
		950	#define APPLETALK_SOCKET__GETOPT 0x00004000UL
		951	#define APPLETALK_SOCKET__SETOPT 0x00008000UL
		952	#define APPLETALK_SOCKET__SHUTDOWN 0x00010000UL
		953	#define APPLETALK_SOCKET__RECVFROM 0x00020000UL
		954	#define APPLETALK_SOCKET__SENDTO 0x00040000UL
		955	#define APPLETALK_SOCKET__RECV_MSG 0x00080000UL
		956	#define APPLETALK_SOCKET__SEND_MSG 0x00100000UL
		957	#define APPLETALK_SOCKET__NAME_BIND 0x00200000UL
		958
		959	#define PACKET__SEND 0x00000001UL
		960	#define PACKET__RECV 0x00000002UL
		961	#define PACKET__RELABELTO 0x00000004UL


diff --git a/security/selinux/include/class_to_string.h b/security/selinux/include/class_to_string.h index 77b2c5996f35..3aec75fee4f7 100644 --- a/security/selinux/include/class_to_string.h +++ b/security/selinux/include/class_to_string.h
@@ -58,3 +58,5 @@
58	S_("nscd")	58	S_("nscd")
59	S_("association")	59	S_("association")
60	S_("netlink_kobject_uevent_socket")	60	S_("netlink_kobject_uevent_socket")
		61	S_("appletalk_socket")
		62	S_("packet")


diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h index eb9f50823f6e..a0eb9e281d18 100644 --- a/security/selinux/include/flask.h +++ b/security/selinux/include/flask.h
@@ -60,6 +60,8 @@
60	#define SECCLASS_NSCD 53	60	#define SECCLASS_NSCD 53
61	#define SECCLASS_ASSOCIATION 54	61	#define SECCLASS_ASSOCIATION 54
62	#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 55	62	#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 55
		63	#define SECCLASS_APPLETALK_SOCKET 56
		64	#define SECCLASS_PACKET 57
63		65
64	/*	66	/*
65	* Security identifier indices for initial entities	67	* Security identifier indices for initial entities


diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h index c10f1fc41502..c96498a10eb8 100644 --- a/security/selinux/include/xfrm.h +++ b/security/selinux/include/xfrm.h
@@ -9,8 +9,10 @@
9	int selinux_xfrm_policy_alloc(struct xfrm_policy xp, struct xfrm_user_sec_ctx sec_ctx);	9	int selinux_xfrm_policy_alloc(struct xfrm_policy xp, struct xfrm_user_sec_ctx sec_ctx);
10	int selinux_xfrm_policy_clone(struct xfrm_policy old, struct xfrm_policy new);	10	int selinux_xfrm_policy_clone(struct xfrm_policy old, struct xfrm_policy new);
11	void selinux_xfrm_policy_free(struct xfrm_policy *xp);	11	void selinux_xfrm_policy_free(struct xfrm_policy *xp);
		12	int selinux_xfrm_policy_delete(struct xfrm_policy *xp);
12	int selinux_xfrm_state_alloc(struct xfrm_state x, struct xfrm_user_sec_ctx sec_ctx);	13	int selinux_xfrm_state_alloc(struct xfrm_state x, struct xfrm_user_sec_ctx sec_ctx);
13	void selinux_xfrm_state_free(struct xfrm_state *x);	14	void selinux_xfrm_state_free(struct xfrm_state *x);
		15	int selinux_xfrm_state_delete(struct xfrm_state *x);
14	int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir);	16	int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir);
15		17
16	/*	18	/*
@@ -49,7 +51,7 @@ static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb)
49		51
50	static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb)	52	static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb)
51	{	53	{
52	return NF_ACCEPT;	54	return 0;
53	}	55	}
54		56
55	static inline int selinux_socket_getpeer_stream(struct sock *sk)	57	static inline int selinux_socket_getpeer_stream(struct sock *sk)