Merge branch 'master' of git://git.infradead.org/users/eparis/selinux into for-linus

M:	Eric Paris <eparis@parisplace.org>

L:	selinux@tycho.nsa.gov (subscribers-only, general discussion)

W:	http://selinuxproject.org

T:	git git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6.git

T:	git git://git.infradead.org/users/eparis/selinux.git

S:	Supported

F:	include/linux/selinux*

F:	security/selinux/

F:	scripts/selinux/

APPARMOR SECURITY MODULE

M:	John Johansen <john.johansen@canonical.com>

/* Auxiliary data to use in generating the audit record. */

struct common_audit_data {

	char type;

#define LSM_AUDIT_DATA_FS	1

#define LSM_AUDIT_DATA_PATH	1

#define LSM_AUDIT_DATA_NET	2

#define LSM_AUDIT_DATA_CAP	3

#define LSM_AUDIT_DATA_IPC	4

#define LSM_AUDIT_DATA_KEY	6

#define LSM_AUDIT_DATA_NONE	7

#define LSM_AUDIT_DATA_KMOD	8

#define LSM_AUDIT_DATA_INODE	9

#define LSM_AUDIT_DATA_DENTRY	10

	struct task_struct *tsk;

	union 	{

		struct {

		struct path path;

		struct dentry *dentry;

		struct inode *inode;

		} fs;

		struct {

			int netif;

			struct sock *sk;

					gfp_t flags)

{

	struct flex_array *ret;

	int max_size = FLEX_ARRAY_NR_BASE_PTRS *

	int max_size = 0;

	if (element_size)

		max_size = FLEX_ARRAY_NR_BASE_PTRS *

			   FLEX_ARRAY_ELEMENTS_PER_PART(element_size);

	/* max_size will end up 0 if element_size > PAGE_SIZE */

int flex_array_put(struct flex_array *fa, unsigned int element_nr, void *src,

			gfp_t flags)

{

	int part_nr = fa_element_to_part_nr(fa, element_nr);

	int part_nr;

	struct flex_array_part *part;

	void *dst;

	if (element_nr >= fa->total_nr_elements)

		return -ENOSPC;

	if (!fa->element_size)

		return 0;

	if (elements_fit_in_base(fa))

		part = (struct flex_array_part *)&fa->parts[0];

	else {

		part_nr = fa_element_to_part_nr(fa, element_nr);

		part = __fa_get_part(fa, part_nr, flags);

		if (!part)

			return -ENOMEM;

 */

int flex_array_clear(struct flex_array *fa, unsigned int element_nr)

{

	int part_nr = fa_element_to_part_nr(fa, element_nr);

	int part_nr;

	struct flex_array_part *part;

	void *dst;

	if (element_nr >= fa->total_nr_elements)

		return -ENOSPC;

	if (!fa->element_size)

		return 0;

	if (elements_fit_in_base(fa))

		part = (struct flex_array_part *)&fa->parts[0];

	else {

		part_nr = fa_element_to_part_nr(fa, element_nr);

		part = fa->parts[part_nr];

		if (!part)

			return -EINVAL;

	if (end >= fa->total_nr_elements)

		return -ENOSPC;

	if (!fa->element_size)

		return 0;

	if (elements_fit_in_base(fa))

		return 0;

	start_part = fa_element_to_part_nr(fa, start);

 */

void *flex_array_get(struct flex_array *fa, unsigned int element_nr)

{

	int part_nr = fa_element_to_part_nr(fa, element_nr);

	int part_nr;

	struct flex_array_part *part;

	if (!fa->element_size)

		return NULL;

	if (element_nr >= fa->total_nr_elements)

		return NULL;

	if (elements_fit_in_base(fa))

		part = (struct flex_array_part *)&fa->parts[0];

	else {

		part_nr = fa_element_to_part_nr(fa, element_nr);

		part = fa->parts[part_nr];

		if (!part)

			return NULL;

	int part_nr;

	int ret = 0;

	if (!fa->total_nr_elements)

	if (!fa->total_nr_elements || !fa->element_size)

		return 0;

	if (elements_fit_in_base(fa))

		return ret;

static void dump_common_audit_data(struct audit_buffer *ab,

				   struct common_audit_data *a)

{

	struct inode *inode = NULL;

	struct task_struct *tsk = current;

	if (a->tsk)

	case LSM_AUDIT_DATA_CAP:

		audit_log_format(ab, " capability=%d ", a->u.cap);

		break;

	case LSM_AUDIT_DATA_FS:

		if (a->u.fs.path.dentry) {

			struct dentry *dentry = a->u.fs.path.dentry;

			if (a->u.fs.path.mnt) {

				audit_log_d_path(ab, "path=", &a->u.fs.path);

			} else {

	case LSM_AUDIT_DATA_PATH: {

		struct inode *inode;

		audit_log_d_path(ab, "path=", &a->u.path);

		inode = a->u.path.dentry->d_inode;

		if (inode)

			audit_log_format(ab, " dev=%s ino=%lu",

					inode->i_sb->s_id,

					inode->i_ino);

		break;

	}

	case LSM_AUDIT_DATA_DENTRY: {

		struct inode *inode;

		audit_log_format(ab, " name=");

				audit_log_untrustedstring(ab,

						 dentry->d_name.name);

		audit_log_untrustedstring(ab, a->u.dentry->d_name.name);

		inode = a->u.dentry->d_inode;

		if (inode)

			audit_log_format(ab, " dev=%s ino=%lu",

					inode->i_sb->s_id,

					inode->i_ino);

		break;

	}

			inode = dentry->d_inode;

		} else if (a->u.fs.inode) {

	case LSM_AUDIT_DATA_INODE: {

		struct dentry *dentry;

			inode = a->u.fs.inode;

		struct inode *inode;

		inode = a->u.inode;

		dentry = d_find_alias(inode);

		if (dentry) {

			audit_log_format(ab, " name=");

					 dentry->d_name.name);

			dput(dentry);

		}

		}

		if (inode)

			audit_log_format(ab, " dev=%s ino=%lu",

					inode->i_sb->s_id,

		audit_log_format(ab, " dev=%s ino=%lu", inode->i_sb->s_id,

				 inode->i_ino);

		break;

	}

	case LSM_AUDIT_DATA_TASK:

		tsk = a->u.tsk;

		if (tsk && tsk->pid) {

	 * during retry. However this is logically just as if the operation

	 * happened a little later.

	 */

	if ((a->type == LSM_AUDIT_DATA_FS) &&

	if ((a->type == LSM_AUDIT_DATA_INODE) &&

	    (flags & IPERM_FLAG_RCU))

		return -ECHILD;