
Commit 19b5b517 authored by Linus Torvalds's avatar Linus Torvalds
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6:
  SELinux: one little, two little, three little whitespaces, the avc.c saga.
  SELinux: cleanup on isle selinuxfs.c
  changing whitespace for fun and profit: policydb.c
  SELinux: whitespace and formating fixes for hooks.c
  SELinux: clean up printks
  SELinux: sidtab.c whitespace, syntax, and static declaraction cleanups
  SELinux: services.c whitespace, syntax, and static declaraction cleanups
  SELinux: mls.c whitespace, syntax, and static declaraction cleanups
  SELinux: hashtab.c whitespace, syntax, and static declaraction cleanups
  SELinux: ebitmap.c whitespace, syntax, and static declaraction cleanups
  SELinux: conditional.c whitespace, syntax, and static declaraction cleanups
  SELinux: avtab.c whitespace, syntax, and static declaraction cleanups
  SELinux: xfrm.c whitespace, syntax, and static declaraction cleanups
  SELinux: nlmsgtab.c whitespace, syntax, and static declaraction cleanups
  SELinux: netnode.c whitespace, syntax, and static declaraction cleanups
  SELinux: netlink.c whitespace, syntax, and static declaraction cleanups
  SELinux: netlabel.c whitespace, syntax, and static declaraction cleanups
  SELinux: netif.c whitespace, syntax, and static declaraction cleanups
parents bda0c0af 95fff33b
+29 −29
@@ -426,7 +426,7 @@ static int avc_latest_notif_update(int seqno, int is_insert)
	spin_lock_irqsave(&notif_lock, flag);
	if (is_insert) {
		if (seqno < avc_cache.latest_notif) {
			printk(KERN_WARNING "avc:  seqno %d < latest_notif %d\n",
			printk(KERN_WARNING "SELinux: avc:  seqno %d < latest_notif %d\n",
			       seqno, avc_cache.latest_notif);
			ret = -EAGAIN;
		}
+254 −258
@@ -99,7 +99,7 @@ extern struct security_operations *security_ops;
atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);

#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
int selinux_enforcing = 0;
int selinux_enforcing;

static int __init enforcing_setup(char *str)
{
@@ -123,13 +123,13 @@ int selinux_enabled = 1;
#endif

/* Original (dummy) security module. */
static struct security_operations *original_ops = NULL;
static struct security_operations *original_ops;

/* Minimal support for a secondary security module,
   just to allow the use of the dummy or capability modules.
   The owlsm module can alternatively be used as a secondary
   module as long as CONFIG_OWLSM_FD is not enabled. */
static struct security_operations *secondary_ops = NULL;
static struct security_operations *secondary_ops;

/* Lists of inode and superblock security structures initialized
   before the policy was loaded. */
@@ -575,8 +575,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
			goto out;
		}
		rc = -EINVAL;
		printk(KERN_WARNING "Unable to set superblock options before "
		       "the security server is initialized\n");
		printk(KERN_WARNING "SELinux: Unable to set superblock options "
			"before the security server is initialized\n");
		goto out;
	}

@@ -1135,7 +1135,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
			dentry = d_find_alias(inode);
		}
		if (!dentry) {
			printk(KERN_WARNING "%s:  no dentry for dev=%s "
			printk(KERN_WARNING "SELinux: %s:  no dentry for dev=%s "
			       "ino=%ld\n", __func__, inode->i_sb->s_id,
			       inode->i_ino);
			goto out_unlock;
@@ -1173,7 +1173,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
		dput(dentry);
		if (rc < 0) {
			if (rc != -ENODATA) {
				printk(KERN_WARNING "%s:  getxattr returned "
				printk(KERN_WARNING "SELinux: %s:  getxattr returned "
				       "%d for dev=%s ino=%ld\n", __func__,
				       -rc, inode->i_sb->s_id, inode->i_ino);
				kfree(context);
@@ -1187,7 +1187,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
							     sbsec->def_sid,
							     GFP_NOFS);
			if (rc) {
				printk(KERN_WARNING "%s:  context_to_sid(%s) "
				printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
				       "returned %d for dev=%s ino=%ld\n",
				       __func__, context, -rc,
				       inode->i_sb->s_id, inode->i_ino);
@@ -1510,7 +1510,8 @@ static int may_link(struct inode *dir,
		av = DIR__RMDIR;
		break;
	default:
		printk(KERN_WARNING "may_link:  unrecognized kind %d\n", kind);
		printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
			__func__, kind);
		return 0;
	}

@@ -1640,8 +1641,8 @@ static inline u32 open_file_mask_to_av(int mode, int mask)
		else if (S_ISDIR(mode))
			av |= DIR__OPEN;
		else
			printk(KERN_ERR "SELinux: WARNING: inside open_file_to_av "
				"with unknown mode:%x\n", mode);
			printk(KERN_ERR "SELinux: WARNING: inside %s with "
				"unknown mode:%x\n", __func__, mode);
	}
	return av;
}
@@ -1817,16 +1818,14 @@ static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
	case Q_QUOTAOFF:
	case Q_SETINFO:
	case Q_SETQUOTA:
			rc = superblock_has_perm(current,
						 sb,
						 FILESYSTEM__QUOTAMOD, NULL);
		rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAMOD,
					 NULL);
		break;
	case Q_GETFMT:
	case Q_GETINFO:
	case Q_GETQUOTA:
			rc = superblock_has_perm(current,
						 sb,
						 FILESYSTEM__QUOTAGET, NULL);
		rc = superblock_has_perm(current, sb, FILESYSTEM__QUOTAGET,
					 NULL);
		break;
	default:
		rc = 0;  /* let the kernel handle invalid cmds */
@@ -2314,8 +2313,7 @@ static inline void take_selinux_option(char **to, char *from, int *first,
	if (!*first) {
		**to = '|';
		*to += 1;
	}
	else
	} else
		*first = 0;

	while (current_size < len) {
@@ -2893,7 +2891,6 @@ static int selinux_file_ioctl(struct file *file, unsigned int cmd,
	 */
	default:
		error = file_has_perm(current, file, FILE__IOCTL);

	}
	return error;
}
@@ -5218,8 +5215,7 @@ static int selinux_setprocattr(struct task_struct *p,
			tsec->sid = sid;
			task_unlock(p);
		}
	}
	else
	} else
		return -EINVAL;

	return size;
@@ -5523,11 +5519,10 @@ static __init int selinux_init(void)
	if (register_security(&selinux_ops))
		panic("SELinux: Unable to register with kernel.\n");

	if (selinux_enforcing) {
	if (selinux_enforcing)
		printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
	} else {
	else
		printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
	}

#ifdef CONFIG_KEYS
	/* Add security information to initial keyrings */
@@ -5672,10 +5667,11 @@ static void selinux_nf_ip_exit(void)
#endif /* CONFIG_NETFILTER */

#ifdef CONFIG_SECURITY_SELINUX_DISABLE
static int selinux_disabled;

int selinux_disable(void)
{
	extern void exit_sel_fs(void);
	static int selinux_disabled = 0;

	if (ss_initialized) {
		/* Not permitted after initial policy load. */
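Review bot: In the may_link hunk the `default:` branch still ends in `return 0;` after the reworded warning, so an unrecognized `kind` is logged and then handled exactly like a granted permission check (0 is the success value used elsewhere in this file, e.g. `rc = 0;` in selinux_quotactl). A permission helper in an access-control module is safer failing closed; unless a caller is known to depend on the 0, the branch could end in `return -EINVAL;` instead. may_link starts and ends outside the hunk, so its callers and the values they pass for `kind` need to be checked before changing the return.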
+9 −10
@@ -31,8 +31,7 @@
#define SEL_NETIF_HASH_SIZE	64
#define SEL_NETIF_HASH_MAX	1024

struct sel_netif
{
struct sel_netif {
	struct list_head list;
	struct netif_security_struct nsec;
	struct rcu_head rcu_head;
+2 −3
@@ -23,8 +23,7 @@
#include "flask.h"
#include "av_permissions.h"

struct nlmsg_perm
{
struct nlmsg_perm {
	u16	nlmsg_type;
	u32	perm;
};
+65 −62
@@ -73,17 +73,17 @@ __setup("selinux_compat_net=", selinux_compat_net_setup);
static DEFINE_MUTEX(sel_mutex);

/* global data for booleans */
static struct dentry *bool_dir = NULL;
static int bool_num = 0;
static struct dentry *bool_dir;
static int bool_num;
static char **bool_pending_names;
static int *bool_pending_values = NULL;
static int *bool_pending_values;

/* global data for classes */
static struct dentry *class_dir = NULL;
static struct dentry *class_dir;
static unsigned long last_class_ino;

/* global data for policy capabilities */
static struct dentry *policycap_dir = NULL;
static struct dentry *policycap_dir;

extern void selnl_notify_setenforce(int val);

@@ -390,8 +390,8 @@ static ssize_t sel_write_context(struct file * file, char *buf, size_t size)
		return length;

	if (len > SIMPLE_TRANSACTION_LIMIT) {
		printk(KERN_ERR "%s:  context size (%u) exceeds payload "
		       "max\n", __func__, len);
		printk(KERN_ERR "SELinux: %s:  context size (%u) exceeds "
			"payload max\n", __func__, len);
		length = -ERANGE;
		goto out;
	}
@@ -643,8 +643,8 @@ static ssize_t sel_write_create(struct file * file, char *buf, size_t size)
		goto out2;

	if (len > SIMPLE_TRANSACTION_LIMIT) {
		printk(KERN_ERR "%s:  context size (%u) exceeds payload "
		       "max\n", __func__, len);
		printk(KERN_ERR "SELinux: %s:  context size (%u) exceeds "
			"payload max\n", __func__, len);
		length = -ERANGE;
		goto out3;
	}
@@ -820,8 +820,8 @@ static ssize_t sel_write_member(struct file * file, char *buf, size_t size)
		goto out2;

	if (len > SIMPLE_TRANSACTION_LIMIT) {
		printk(KERN_ERR "%s:  context size (%u) exceeds payload "
		       "max\n", __func__, len);
		printk(KERN_ERR "SELinux: %s:  context size (%u) exceeds "
			"payload max\n", __func__, len);
		length = -ERANGE;
		goto out3;
	}
@@ -872,7 +872,8 @@ static ssize_t sel_read_bool(struct file *filep, char __user *buf,
		ret = -EINVAL;
		goto out;
	}
	if (!(page = (char*)get_zeroed_page(GFP_KERNEL))) {
	page = (char *)get_zeroed_page(GFP_KERNEL);
	if (!page) {
		ret = -ENOMEM;
		goto out;
	}
@@ -991,9 +992,8 @@ static ssize_t sel_commit_bools_write(struct file *filep,
	if (sscanf(page, "%d", &new_value) != 1)
		goto out;

	if (new_value && bool_pending_values) {
	if (new_value && bool_pending_values)
		security_set_bools(bool_num, bool_pending_values);
	}

	length = count;

@@ -1055,7 +1055,8 @@ static int sel_make_bools(void)

	sel_remove_entries(dir);

	if (!(page = (char*)get_zeroed_page(GFP_KERNEL)))
	page = (char *)get_zeroed_page(GFP_KERNEL);
	if (!page)
		return -ENOMEM;

	ret = security_get_bools(&num, &names, &values);
@@ -1083,7 +1084,8 @@ static int sel_make_bools(void)
			goto err;
		}
		isec = (struct inode_security_struct *)inode->i_security;
		if ((ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid)))
		ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid);
		if (ret)
			goto err;
		isec->sid = sid;
		isec->initialized = 1;
@@ -1111,7 +1113,7 @@ err:

#define NULL_FILE_NAME "null"

struct dentry *selinux_null = NULL;
struct dentry *selinux_null;

static ssize_t sel_read_avc_cache_threshold(struct file *filp, char __user *buf,
					    size_t count, loff_t *ppos)
@@ -1760,7 +1762,8 @@ static int sel_fill_super(struct super_block * sb, void * data, int silent)
out:
	return ret;
err:
	printk(KERN_ERR "%s:  failed while creating inodes\n", __func__);
	printk(KERN_ERR "SELinux: %s:  failed while creating inodes\n",
		__func__);
	goto out;
}
