4 files changed, 65 insertions, 7 deletions

diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index 7b9769f5e775..d12ff1a9c0aa 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -12,6 +12,7 @@
 #include <linux/kdev_t.h>
 #include <linux/spinlock.h>
 #include <linux/init.h>
+#include <linux/audit.h>
 #include <linux/in6.h>
 #include <linux/path.h>
 #include <asm/system.h>
@@ -126,6 +127,9 @@ int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
                      u32 events, u32 ssid, u32 tsid,
                      u16 tclass, u32 perms);
 
+/* Shows permission in human readable form */
+void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av);
+
 /* Exported to selinuxfs */
 int avc_get_hash_stats(char *page);
 extern unsigned int avc_cache_threshold;
diff --git a/security/selinux/include/netlabel.h b/security/selinux/include/netlabel.h
index 487a7d81fe20..b913c8d06038 100644
--- a/security/selinux/include/netlabel.h
+++ b/security/selinux/include/netlabel.h
@@ -39,6 +39,9 @@
 #ifdef CONFIG_NETLABEL
 void selinux_netlbl_cache_invalidate(void);
 
+void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway);
+
+void selinux_netlbl_sk_security_free(struct sk_security_struct *ssec);
 void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
                                       int family);
 
@@ -46,8 +49,11 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
                                  u16 family,
                                  u32 *type,
                                  u32 *sid);
+int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
+                                 u16 family,
+                                 u32 sid);
 
-void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock);
+void selinux_netlbl_inet_conn_established(struct sock *sk, u16 family);
 int selinux_netlbl_socket_post_create(struct socket *sock);
 int selinux_netlbl_inode_permission(struct inode *inode, int mask);
 int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
@@ -57,12 +63,27 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
 int selinux_netlbl_socket_setsockopt(struct socket *sock,
                                      int level,
                                      int optname);
+int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr);
+
 #else
 static inline void selinux_netlbl_cache_invalidate(void)
 {
         return;
 }
 
+static inline void selinux_netlbl_err(struct sk_buff *skb,
+                                      int error,
+                                      int gateway)
+{
+        return;
+}
+
+static inline void selinux_netlbl_sk_security_free(
+                                               struct sk_security_struct *ssec)
+{
+        return;
+}
+
 static inline void selinux_netlbl_sk_security_reset(
                                                struct sk_security_struct *ssec,
                                                int family)
@@ -79,9 +100,21 @@ static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
         *sid = SECSID_NULL;
         return 0;
 }
+static inline int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
+                                               u16 family,
+                                               u32 sid)
+{
+        return 0;
+}
 
-static inline void selinux_netlbl_sock_graft(struct sock *sk,
-                                             struct socket *sock)
+static inline int selinux_netlbl_conn_setsid(struct sock *sk,
+                                             struct sockaddr *addr)
+{
+        return 0;
+}
+
+static inline void selinux_netlbl_inet_conn_established(struct sock *sk,
+                                                        u16 family)
 {
         return;
 }
@@ -107,6 +140,11 @@ static inline int selinux_netlbl_socket_setsockopt(struct socket *sock,
 {
         return 0;
 }
+static inline int selinux_netlbl_socket_connect(struct sock *sk,
+                                                struct sockaddr *addr)
+{
+        return 0;
+}
 #endif /* CONFIG_NETLABEL */
 
 #endif
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 91070ab874ce..f8be8d7fa26d 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -109,16 +109,19 @@ struct netport_security_struct {
 };
 
 struct sk_security_struct {
-        u32 sid;                        /* SID of this object */
-        u32 peer_sid;                   /* SID of peer */
-        u16 sclass;                     /* sock security class */
 #ifdef CONFIG_NETLABEL
         enum {                          /* NetLabel state */
                 NLBL_UNSET = 0,
                 NLBL_REQUIRE,
                 NLBL_LABELED,
+                NLBL_REQSKB,
+                NLBL_CONNLABELED,
         } nlbl_state;
+        struct netlbl_lsm_secattr *nlbl_secattr; /* NetLabel sec attributes */
 #endif
+        u32 sid;                        /* SID of this object */
+        u32 peer_sid;                   /* SID of peer */
+        u16 sclass;                     /* sock security class */
 };
 
 struct key_security_struct {
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 7c543003d653..72447370bc95 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -27,13 +27,14 @@
 #define POLICYDB_VERSION_RANGETRANS     21
 #define POLICYDB_VERSION_POLCAP         22
 #define POLICYDB_VERSION_PERMISSIVE     23
+#define POLICYDB_VERSION_BOUNDARY       24
 
 /* Range of policy versions we understand*/
 #define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
 #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
 #define POLICYDB_VERSION_MAX    CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
 #else
-#define POLICYDB_VERSION_MAX    POLICYDB_VERSION_PERMISSIVE
+#define POLICYDB_VERSION_MAX    POLICYDB_VERSION_BOUNDARY
 #endif
 
 #define CONTEXT_MNT     0x01
@@ -62,6 +63,16 @@ enum {
 extern int selinux_policycap_netpeer;
 extern int selinux_policycap_openperm;
 
+/*
+ * type_datum properties
+ * available at the kernel policy version >= POLICYDB_VERSION_BOUNDARY
+ */
+#define TYPEDATUM_PROPERTY_PRIMARY      0x0001
+#define TYPEDATUM_PROPERTY_ATTRIBUTE    0x0002
+
+/* limitation of boundary depth  */
+#define POLICYDB_BOUNDS_MAXDEPTH        4
+
 int security_load_policy(void *data, size_t len);
 
 int security_policycap_supported(unsigned int req_cap);
@@ -117,6 +128,8 @@ int security_node_sid(u16 domain, void *addr, u32 addrlen,
 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
                                  u16 tclass);
 
+int security_bounded_transition(u32 oldsid, u32 newsid);
+
 int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid);
 
 int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,