Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael...
[linux-2.6.git] / security / selinux / ss / services.c
index b66b454..223c1ff 100644 (file)
@@ -2,7 +2,7 @@
  * Implementation of the security services.
  *
  * Authors : Stephen Smalley, <sds@epoch.ncsc.mil>
- *           James Morris <jmorris@redhat.com>
+ *          James Morris <jmorris@redhat.com>
  *
  * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
  *
  *
  * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
  *
- *     Added conditional policy language extensions
+ *     Added conditional policy language extensions
  *
  * Updated: Hewlett-Packard <paul.moore@hp.com>
  *
  *      Added support for NetLabel
+ *      Added support for the policy capability bitmap
  *
  * Updated: Chad Sellers <csellers@tresys.com>
  *
  *  Added validation of kernel classes and permissions
  *
- * Copyright (C) 2006 Hewlett-Packard Development Company, L.P.
+ * Updated: KaiGai Kohei <kaigai@ak.jp.nec.com>
+ *
+ *  Added support for bounds domain and audit messaged on masked permissions
+ *
+ * Updated: Guido Trentalancia <guido@trentalancia.com>
+ *
+ *  Added support for runtime switching of the policy type
+ *
+ * Copyright (C) 2008, 2009 NEC Corporation
+ * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
  * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
  * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC
  * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
  *     This program is free software; you can redistribute it and/or modify
- *     it under the terms of the GNU General Public License as published by
+ *     it under the terms of the GNU General Public License as published by
  *     the Free Software Foundation, version 2.
  */
 #include <linux/kernel.h>
@@ -39,7 +49,9 @@
 #include <linux/sched.h>
 #include <linux/audit.h>
 #include <linux/mutex.h>
-#include <net/sock.h>
+#include <linux/selinux.h>
+#include <linux/flex_array.h>
+#include <linux/vmalloc.h>
 #include <net/netlabel.h>
 
 #include "flask.h"
 #include "conditional.h"
 #include "mls.h"
 #include "objsec.h"
-#include "selinux_netlabel.h"
+#include "netlabel.h"
+#include "xfrm.h"
+#include "ebitmap.h"
+#include "audit.h"
 
 extern void selnl_notify_policyload(u32 seqno);
-unsigned int policydb_loaded_version;
 
-/*
- * This is declared in avc.c
- */
-extern const struct selinux_class_perm selinux_class_perm;
+int selinux_policycap_netpeer;
+int selinux_policycap_openperm;
 
 static DEFINE_RWLOCK(policy_rwlock);
-#define POLICY_RDLOCK read_lock(&policy_rwlock)
-#define POLICY_WRLOCK write_lock_irq(&policy_rwlock)
-#define POLICY_RDUNLOCK read_unlock(&policy_rwlock)
-#define POLICY_WRUNLOCK write_unlock_irq(&policy_rwlock)
-
-static DEFINE_MUTEX(load_mutex);
-#define LOAD_LOCK mutex_lock(&load_mutex)
-#define LOAD_UNLOCK mutex_unlock(&load_mutex)
 
 static struct sidtab sidtab;
 struct policydb policydb;
-int ss_initialized = 0;
+int ss_initialized;
 
 /*
  * The largest sequence number that has been used when
@@ -83,12 +87,162 @@ int ss_initialized = 0;
  * The sequence number only changes when a policy change
  * occurs.
  */
-static u32 latest_granting = 0;
+static u32 latest_granting;
 
 /* Forward declaration. */
 static int context_struct_to_string(struct context *context, char **scontext,
                                    u32 *scontext_len);
 
+static void context_struct_compute_av(struct context *scontext,
+                                     struct context *tcontext,
+                                     u16 tclass,
+                                     struct av_decision *avd);
+
+struct selinux_mapping {
+       u16 value; /* policy value */
+       unsigned num_perms;
+       u32 perms[sizeof(u32) * 8];
+};
+
+static struct selinux_mapping *current_mapping;
+static u16 current_mapping_size;
+
+static int selinux_set_mapping(struct policydb *pol,
+                              struct security_class_mapping *map,
+                              struct selinux_mapping **out_map_p,
+                              u16 *out_map_size)
+{
+       struct selinux_mapping *out_map = NULL;
+       size_t size = sizeof(struct selinux_mapping);
+       u16 i, j;
+       unsigned k;
+       bool print_unknown_handle = false;
+
+       /* Find number of classes in the input mapping */
+       if (!map)
+               return -EINVAL;
+       i = 0;
+       while (map[i].name)
+               i++;
+
+       /* Allocate space for the class records, plus one for class zero */
+       out_map = kcalloc(++i, size, GFP_ATOMIC);
+       if (!out_map)
+               return -ENOMEM;
+
+       /* Store the raw class and permission values */
+       j = 0;
+       while (map[j].name) {
+               struct security_class_mapping *p_in = map + (j++);
+               struct selinux_mapping *p_out = out_map + j;
+
+               /* An empty class string skips ahead */
+               if (!strcmp(p_in->name, "")) {
+                       p_out->num_perms = 0;
+                       continue;
+               }
+
+               p_out->value = string_to_security_class(pol, p_in->name);
+               if (!p_out->value) {
+                       printk(KERN_INFO
+                              "SELinux:  Class %s not defined in policy.\n",
+                              p_in->name);
+                       if (pol->reject_unknown)
+                               goto err;
+                       p_out->num_perms = 0;
+                       print_unknown_handle = true;
+                       continue;
+               }
+
+               k = 0;
+               while (p_in->perms && p_in->perms[k]) {
+                       /* An empty permission string skips ahead */
+                       if (!*p_in->perms[k]) {
+                               k++;
+                               continue;
+                       }
+                       p_out->perms[k] = string_to_av_perm(pol, p_out->value,
+                                                           p_in->perms[k]);
+                       if (!p_out->perms[k]) {
+                               printk(KERN_INFO
+                                      "SELinux:  Permission %s in class %s not defined in policy.\n",
+                                      p_in->perms[k], p_in->name);
+                               if (pol->reject_unknown)
+                                       goto err;
+                               print_unknown_handle = true;
+                       }
+
+                       k++;
+               }
+               p_out->num_perms = k;
+       }
+
+       if (print_unknown_handle)
+               printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
+                      pol->allow_unknown ? "allowed" : "denied");
+
+       *out_map_p = out_map;
+       *out_map_size = i;
+       return 0;
+err:
+       kfree(out_map);
+       return -EINVAL;
+}
+
+/*
+ * Get real, policy values from mapped values
+ */
+
+static u16 unmap_class(u16 tclass)
+{
+       if (tclass < current_mapping_size)
+               return current_mapping[tclass].value;
+
+       return tclass;
+}
+
+static void map_decision(u16 tclass, struct av_decision *avd,
+                        int allow_unknown)
+{
+       if (tclass < current_mapping_size) {
+               unsigned i, n = current_mapping[tclass].num_perms;
+               u32 result;
+
+               for (i = 0, result = 0; i < n; i++) {
+                       if (avd->allowed & current_mapping[tclass].perms[i])
+                               result |= 1<<i;
+                       if (allow_unknown && !current_mapping[tclass].perms[i])
+                               result |= 1<<i;
+               }
+               avd->allowed = result;
+
+               for (i = 0, result = 0; i < n; i++)
+                       if (avd->auditallow & current_mapping[tclass].perms[i])
+                               result |= 1<<i;
+               avd->auditallow = result;
+
+               for (i = 0, result = 0; i < n; i++) {
+                       if (avd->auditdeny & current_mapping[tclass].perms[i])
+                               result |= 1<<i;
+                       if (!allow_unknown && !current_mapping[tclass].perms[i])
+                               result |= 1<<i;
+               }
+               /*
+                * In case the kernel has a bug and requests a permission
+                * between num_perms and the maximum permission number, we
+                * should audit that denial
+                */
+               for (; i < (sizeof(u32)*8); i++)
+                       result |= 1<<i;
+               avd->auditdeny = result;
+       }
+}
+
+int security_mls_enabled(void)
+{
+       return policydb.mls_enabled;
+}
+
 /*
  * Return the boolean value of a constraint expression
  * when it is applied to the specified source and target
@@ -122,15 +276,15 @@ static int constraint_expr_eval(struct context *scontext,
                case CEXPR_AND:
                        BUG_ON(sp < 1);
                        sp--;
-                       s[sp] &= s[sp+1];
+                       s[sp] &= s[sp + 1];
                        break;
                case CEXPR_OR:
                        BUG_ON(sp < 1);
                        sp--;
-                       s[sp] |= s[sp+1];
+                       s[sp] |= s[sp + 1];
                        break;
                case CEXPR_ATTR:
-                       if (sp == (CEXPR_MAXDEPTH-1))
+                       if (sp == (CEXPR_MAXDEPTH - 1))
                                return 0;
                        switch (e->attr) {
                        case CEXPR_USER:
@@ -156,10 +310,10 @@ static int constraint_expr_eval(struct context *scontext,
                                                                  val1 - 1);
                                        continue;
                                case CEXPR_INCOMP:
-                                       s[++sp] = ( !ebitmap_get_bit(&r1->dominates,
-                                                                    val2 - 1) &&
-                                                   !ebitmap_get_bit(&r2->dominates,
-                                                                    val1 - 1) );
+                                       s[++sp] = (!ebitmap_get_bit(&r1->dominates,
+                                                                   val2 - 1) &&
+                                                  !ebitmap_get_bit(&r2->dominates,
+                                                                   val1 - 1));
                                        continue;
                                default:
                                        break;
@@ -275,15 +429,178 @@ mls_ops:
 }
 
 /*
- * Compute access vectors based on a context structure pair for
- * the permissions in a particular class.
+ * security_dump_masked_av - dumps masked permissions during
+ * security_compute_av due to RBAC, MLS/Constraint and Type bounds.
  */
-static int context_struct_compute_av(struct context *scontext,
+static int dump_masked_av_helper(void *k, void *d, void *args)
+{
+       struct perm_datum *pdatum = d;
+       char **permission_names = args;
+
+       BUG_ON(pdatum->value < 1 || pdatum->value > 32);
+
+       permission_names[pdatum->value - 1] = (char *)k;
+
+       return 0;
+}
+
+static void security_dump_masked_av(struct context *scontext,
+                                   struct context *tcontext,
+                                   u16 tclass,
+                                   u32 permissions,
+                                   const char *reason)
+{
+       struct common_datum *common_dat;
+       struct class_datum *tclass_dat;
+       struct audit_buffer *ab;
+       char *tclass_name;
+       char *scontext_name = NULL;
+       char *tcontext_name = NULL;
+       char *permission_names[32];
+       int index;
+       u32 length;
+       bool need_comma = false;
+
+       if (!permissions)
+               return;
+
+       tclass_name = policydb.p_class_val_to_name[tclass - 1];
+       tclass_dat = policydb.class_val_to_struct[tclass - 1];
+       common_dat = tclass_dat->comdatum;
+
+       /* init permission_names */
+       if (common_dat &&
+           hashtab_map(common_dat->permissions.table,
+                       dump_masked_av_helper, permission_names) < 0)
+               goto out;
+
+       if (hashtab_map(tclass_dat->permissions.table,
+                       dump_masked_av_helper, permission_names) < 0)
+               goto out;
+
+       /* get scontext/tcontext in text form */
+       if (context_struct_to_string(scontext,
+                                    &scontext_name, &length) < 0)
+               goto out;
+
+       if (context_struct_to_string(tcontext,
+                                    &tcontext_name, &length) < 0)
+               goto out;
+
+       /* audit a message */
+       ab = audit_log_start(current->audit_context,
+                            GFP_ATOMIC, AUDIT_SELINUX_ERR);
+       if (!ab)
+               goto out;
+
+       audit_log_format(ab, "op=security_compute_av reason=%s "
+                        "scontext=%s tcontext=%s tclass=%s perms=",
+                        reason, scontext_name, tcontext_name, tclass_name);
+
+       for (index = 0; index < 32; index++) {
+               u32 mask = (1 << index);
+
+               if ((mask & permissions) == 0)
+                       continue;
+
+               audit_log_format(ab, "%s%s",
+                                need_comma ? "," : "",
+                                permission_names[index]
+                                ? permission_names[index] : "????");
+               need_comma = true;
+       }
+       audit_log_end(ab);
+out:
+       /* release scontext/tcontext */
+       kfree(tcontext_name);
+       kfree(scontext_name);
+
+       return;
+}
+
+/*
+ * security_boundary_permission - drops violated permissions
+ * on boundary constraint.
+ */
+static void type_attribute_bounds_av(struct context *scontext,
                                     struct context *tcontext,
                                     u16 tclass,
-                                    u32 requested,
                                     struct av_decision *avd)
 {
+       struct context lo_scontext;
+       struct context lo_tcontext;
+       struct av_decision lo_avd;
+       struct type_datum *source
+               = policydb.type_val_to_struct[scontext->type - 1];
+       struct type_datum *target
+               = policydb.type_val_to_struct[tcontext->type - 1];
+       u32 masked = 0;
+
+       if (source->bounds) {
+               memset(&lo_avd, 0, sizeof(lo_avd));
+
+               memcpy(&lo_scontext, scontext, sizeof(lo_scontext));
+               lo_scontext.type = source->bounds;
+
+               context_struct_compute_av(&lo_scontext,
+                                         tcontext,
+                                         tclass,
+                                         &lo_avd);
+               if ((lo_avd.allowed & avd->allowed) == avd->allowed)
+                       return;         /* no masked permission */
+               masked = ~lo_avd.allowed & avd->allowed;
+       }
+
+       if (target->bounds) {
+               memset(&lo_avd, 0, sizeof(lo_avd));
+
+               memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext));
+               lo_tcontext.type = target->bounds;
+
+               context_struct_compute_av(scontext,
+                                         &lo_tcontext,
+                                         tclass,
+                                         &lo_avd);
+               if ((lo_avd.allowed & avd->allowed) == avd->allowed)
+                       return;         /* no masked permission */
+               masked = ~lo_avd.allowed & avd->allowed;
+       }
+
+       if (source->bounds && target->bounds) {
+               memset(&lo_avd, 0, sizeof(lo_avd));
+               /*
+                * lo_scontext and lo_tcontext are already
+                * set up.
+                */
+
+               context_struct_compute_av(&lo_scontext,
+                                         &lo_tcontext,
+                                         tclass,
+                                         &lo_avd);
+               if ((lo_avd.allowed & avd->allowed) == avd->allowed)
+                       return;         /* no masked permission */
+               masked = ~lo_avd.allowed & avd->allowed;
+       }
+
+       if (masked) {
+               /* mask violated permissions */
+               avd->allowed &= ~masked;
+
+               /* audit masked permissions */
+               security_dump_masked_av(scontext, tcontext,
+                                       tclass, masked, "bounds");
+       }
+}
+
+/*
+ * Compute access vectors based on a context structure pair for
+ * the permissions in a particular class.
+ */
+static void context_struct_compute_av(struct context *scontext,
+                                     struct context *tcontext,
+                                     u16 tclass,
+                                     struct av_decision *avd)
+{
        struct constraint_node *constraint;
        struct role_allow *ra;
        struct avtab_key avkey;
@@ -293,32 +610,17 @@ static int context_struct_compute_av(struct context *scontext,
        struct ebitmap_node *snode, *tnode;
        unsigned int i, j;
 
-       /*
-        * Remap extended Netlink classes for old policy versions.
-        * Do this here rather than socket_type_to_security_class()
-        * in case a newer policy version is loaded, allowing sockets
-        * to remain in the correct class.
-        */
-       if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
-               if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
-                   tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
-                       tclass = SECCLASS_NETLINK_SOCKET;
-
-       if (!tclass || tclass > policydb.p_classes.nprim) {
-               printk(KERN_ERR "security_compute_av:  unrecognized class %d\n",
-                      tclass);
-               return -EINVAL;
-       }
-       tclass_datum = policydb.class_val_to_struct[tclass - 1];
-
-       /*
-        * Initialize the access vectors to the default values.
-        */
        avd->allowed = 0;
-       avd->decided = 0xffffffff;
        avd->auditallow = 0;
        avd->auditdeny = 0xffffffff;
-       avd->seqno = latest_granting;
+
+       if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) {
+               if (printk_ratelimit())
+                       printk(KERN_WARNING "SELinux:  Invalid class %hu\n", tclass);
+               return;
+       }
+
+       tclass_datum = policydb.class_val_to_struct[tclass - 1];
 
        /*
         * If a specific type enforcement rule was defined for
@@ -326,18 +628,16 @@ static int context_struct_compute_av(struct context *scontext,
         */
        avkey.target_class = tclass;
        avkey.specified = AVTAB_AV;
-       sattr = &policydb.type_attr_map[scontext->type - 1];
-       tattr = &policydb.type_attr_map[tcontext->type - 1];
-       ebitmap_for_each_bit(sattr, snode, i) {
-               if (!ebitmap_node_get_bit(snode, i))
-                       continue;
-               ebitmap_for_each_bit(tattr, tnode, j) {
-                       if (!ebitmap_node_get_bit(tnode, j))
-                               continue;
+       sattr = flex_array_get(policydb.type_attr_map_array, scontext->type - 1);
+       BUG_ON(!sattr);
+       tattr = flex_array_get(policydb.type_attr_map_array, tcontext->type - 1);
+       BUG_ON(!tattr);
+       ebitmap_for_each_positive_bit(sattr, snode, i) {
+               ebitmap_for_each_positive_bit(tattr, tnode, j) {
                        avkey.source_type = i + 1;
                        avkey.target_type = j + 1;
                        for (node = avtab_search_node(&policydb.te_avtab, &avkey);
-                            node != NULL;
+                            node;
                             node = avtab_search_node_next(node, avkey.specified)) {
                                if (node->key.specified == AVTAB_ALLOWED)
                                        avd->allowed |= node->datum.data;
@@ -362,7 +662,7 @@ static int context_struct_compute_av(struct context *scontext,
                if ((constraint->permissions & (avd->allowed)) &&
                    !constraint_expr_eval(scontext, tcontext, NULL,
                                          constraint->expr)) {
-                       avd->allowed = (avd->allowed) & ~(constraint->permissions);
+                       avd->allowed &= ~(constraint->permissions);
                }
                constraint = constraint->next;
        }
@@ -372,8 +672,8 @@ static int context_struct_compute_av(struct context *scontext,
         * role is changing, then check the (current_role, new_role)
         * pair.
         */
-       if (tclass == SECCLASS_PROCESS &&
-           (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) &&
+       if (tclass == policydb.process_class &&
+           (avd->allowed & policydb.process_trans_perms) &&
            scontext->role != tcontext->role) {
                for (ra = policydb.role_allow; ra; ra = ra->next) {
                        if (scontext->role == ra->role &&
@@ -381,17 +681,22 @@ static int context_struct_compute_av(struct context *scontext,
                                break;
                }
                if (!ra)
-                       avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION |
-                                                       PROCESS__DYNTRANSITION);
+                       avd->allowed &= ~policydb.process_trans_perms;
        }
 
-       return 0;
+       /*
+        * If the given source and target types have boundary
+        * constraint, lazy checks have to mask any violated
+        * permission and notice it to userspace via audit.
+        */
+       type_attribute_bounds_av(scontext, tcontext,
+                                tclass, avd);
 }
 
 static int security_validtrans_handle_fail(struct context *ocontext,
-                                           struct context *ncontext,
-                                           struct context *tcontext,
-                                           u16 tclass)
+                                          struct context *ncontext,
+                                          struct context *tcontext,
+                                          u16 tclass)
 {
        char *o = NULL, *n = NULL, *t = NULL;
        u32 olen, nlen, tlen;
@@ -403,9 +708,9 @@ static int security_validtrans_handle_fail(struct context *ocontext,
        if (context_struct_to_string(tcontext, &t, &tlen) < 0)
                goto out;
        audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
-                 "security_validate_transition:  denied for"
-                 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
-                 o, n, t, policydb.p_class_val_to_name[tclass-1]);
+                 "security_validate_transition:  denied for"
+                 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
+                 o, n, t, policydb.p_class_val_to_name[tclass-1]);
 out:
        kfree(o);
        kfree(n);
@@ -417,34 +722,26 @@ out:
 }
 
 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
-                                 u16 tclass)
+                                u16 orig_tclass)
 {
        struct context *ocontext;
        struct context *ncontext;
        struct context *tcontext;
        struct class_datum *tclass_datum;
        struct constraint_node *constraint;
+       u16 tclass;
        int rc = 0;
 
        if (!ss_initialized)
                return 0;
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
 
-       /*
-        * Remap extended Netlink classes for old policy versions.
-        * Do this here rather than socket_type_to_security_class()
-        * in case a newer policy version is loaded, allowing sockets
-        * to remain in the correct class.
-        */
-       if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
-               if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
-                   tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
-                       tclass = SECCLASS_NETLINK_SOCKET;
+       tclass = unmap_class(orig_tclass);
 
        if (!tclass || tclass > policydb.p_classes.nprim) {
-               printk(KERN_ERR "security_validate_transition:  "
-                      "unrecognized class %d\n", tclass);
+               printk(KERN_ERR "SELinux: %s:  unrecognized class %d\n",
+                       __func__, tclass);
                rc = -EINVAL;
                goto out;
        }
@@ -452,24 +749,24 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
 
        ocontext = sidtab_search(&sidtab, oldsid);
        if (!ocontext) {
-               printk(KERN_ERR "security_validate_transition: "
-                      " unrecognized SID %d\n", oldsid);
+               printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                       __func__, oldsid);
                rc = -EINVAL;
                goto out;
        }
 
        ncontext = sidtab_search(&sidtab, newsid);
        if (!ncontext) {
-               printk(KERN_ERR "security_validate_transition: "
-                      " unrecognized SID %d\n", newsid);
+               printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                       __func__, newsid);
                rc = -EINVAL;
                goto out;
        }
 
        tcontext = sidtab_search(&sidtab, tasksid);
        if (!tcontext) {
-               printk(KERN_ERR "security_validate_transition: "
-                      " unrecognized SID %d\n", tasksid);
+               printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                       __func__, tasksid);
                rc = -EINVAL;
                goto out;
        }
@@ -477,72 +774,211 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
        constraint = tclass_datum->validatetrans;
        while (constraint) {
                if (!constraint_expr_eval(ocontext, ncontext, tcontext,
-                                         constraint->expr)) {
+                                         constraint->expr)) {
                        rc = security_validtrans_handle_fail(ocontext, ncontext,
-                                                            tcontext, tclass);
+                                                            tcontext, tclass);
                        goto out;
                }
                constraint = constraint->next;
        }
 
 out:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
        return rc;
 }
 
+/*
+ * security_bounded_transition - check whether the given
+ * transition is directed to bounded, or not.
+ * It returns 0, if @newsid is bounded by @oldsid.
+ * Otherwise, it returns error code.
+ *
+ * @oldsid : current security identifier
+ * @newsid : destinated security identifier
+ */
+int security_bounded_transition(u32 old_sid, u32 new_sid)
+{
+       struct context *old_context, *new_context;
+       struct type_datum *type;
+       int index;
+       int rc = -EINVAL;
+
+       read_lock(&policy_rwlock);
+
+       old_context = sidtab_search(&sidtab, old_sid);
+       if (!old_context) {
+               printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n",
+                      __func__, old_sid);
+               goto out;
+       }
+
+       new_context = sidtab_search(&sidtab, new_sid);
+       if (!new_context) {
+               printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n",
+                      __func__, new_sid);
+               goto out;
+       }
+
+       /* type/domain unchanged */
+       if (old_context->type == new_context->type) {
+               rc = 0;
+               goto out;
+       }
+
+       index = new_context->type;
+       while (true) {
+               type = policydb.type_val_to_struct[index - 1];
+               BUG_ON(!type);
+
+               /* not bounded anymore */
+               if (!type->bounds) {
+                       rc = -EPERM;
+                       break;
+               }
+
+               /* @newsid is bounded by @oldsid */
+               if (type->bounds == old_context->type) {
+                       rc = 0;
+                       break;
+               }
+               index = type->bounds;
+       }
+
+       if (rc) {
+               char *old_name = NULL;
+               char *new_name = NULL;
+               u32 length;
+
+               if (!context_struct_to_string(old_context,
+                                             &old_name, &length) &&
+                   !context_struct_to_string(new_context,
+                                             &new_name, &length)) {
+                       audit_log(current->audit_context,
+                                 GFP_ATOMIC, AUDIT_SELINUX_ERR,
+                                 "op=security_bounded_transition "
+                                 "result=denied "
+                                 "oldcontext=%s newcontext=%s",
+                                 old_name, new_name);
+               }
+               kfree(new_name);
+               kfree(old_name);
+       }
+out:
+       read_unlock(&policy_rwlock);
+
+       return rc;
+}
+
+static void avd_init(struct av_decision *avd)
+{
+       avd->allowed = 0;
+       avd->auditallow = 0;
+       avd->auditdeny = 0xffffffff;
+       avd->seqno = latest_granting;
+       avd->flags = 0;
+}
+
+
 /**
  * security_compute_av - Compute access vector decisions.
  * @ssid: source security identifier
  * @tsid: target security identifier
  * @tclass: target security class
- * @requested: requested permissions
  * @avd: access vector decisions
  *
  * Compute a set of access vector decisions based on the
  * SID pair (@ssid, @tsid) for the permissions in @tclass.
- * Return -%EINVAL if any of the parameters are invalid or %0
- * if the access vector decisions were computed successfully.
  */
-int security_compute_av(u32 ssid,
-                       u32 tsid,
-                       u16 tclass,
-                       u32 requested,
-                       struct av_decision *avd)
+void security_compute_av(u32 ssid,
+                        u32 tsid,
+                        u16 orig_tclass,
+                        struct av_decision *avd)
 {
+       u16 tclass;
        struct context *scontext = NULL, *tcontext = NULL;
-       int rc = 0;
 
-       if (!ss_initialized) {
-               avd->allowed = 0xffffffff;
-               avd->decided = 0xffffffff;
-               avd->auditallow = 0;
-               avd->auditdeny = 0xffffffff;
-               avd->seqno = latest_granting;
-               return 0;
+       read_lock(&policy_rwlock);
+       avd_init(avd);
+       if (!ss_initialized)
+               goto allow;
+
+       scontext = sidtab_search(&sidtab, ssid);
+       if (!scontext) {
+               printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                      __func__, ssid);
+               goto out;
        }
 
-       POLICY_RDLOCK;
+       /* permissive domain? */
+       if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
+               avd->flags |= AVD_FLAGS_PERMISSIVE;
+
+       tcontext = sidtab_search(&sidtab, tsid);
+       if (!tcontext) {
+               printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                      __func__, tsid);
+               goto out;
+       }
+
+       tclass = unmap_class(orig_tclass);
+       if (unlikely(orig_tclass && !tclass)) {
+               if (policydb.allow_unknown)
+                       goto allow;
+               goto out;
+       }
+       context_struct_compute_av(scontext, tcontext, tclass, avd);
+       map_decision(orig_tclass, avd, policydb.allow_unknown);
+out:
+       read_unlock(&policy_rwlock);
+       return;
+allow:
+       avd->allowed = 0xffffffff;
+       goto out;
+}
+
+void security_compute_av_user(u32 ssid,
+                             u32 tsid,
+                             u16 tclass,
+                             struct av_decision *avd)
+{
+       struct context *scontext = NULL, *tcontext = NULL;
+
+       read_lock(&policy_rwlock);
+       avd_init(avd);
+       if (!ss_initialized)
+               goto allow;
 
        scontext = sidtab_search(&sidtab, ssid);
        if (!scontext) {
-               printk(KERN_ERR "security_compute_av:  unrecognized SID %d\n",
-                      ssid);
-               rc = -EINVAL;
+               printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                      __func__, ssid);
                goto out;
        }
+
+       /* permissive domain? */
+       if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
+               avd->flags |= AVD_FLAGS_PERMISSIVE;
+
        tcontext = sidtab_search(&sidtab, tsid);
        if (!tcontext) {
-               printk(KERN_ERR "security_compute_av:  unrecognized SID %d\n",
-                      tsid);
-               rc = -EINVAL;
+               printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                      __func__, tsid);
                goto out;
        }
 
-       rc = context_struct_compute_av(scontext, tcontext, tclass,
-                                      requested, avd);
-out:
-       POLICY_RDUNLOCK;
-       return rc;
+       if (unlikely(!tclass)) {
+               if (policydb.allow_unknown)
+                       goto allow;
+               goto out;
+       }
+
+       context_struct_compute_av(scontext, tcontext, tclass, avd);
+ out:
+       read_unlock(&policy_rwlock);
+       return;
+allow:
+       avd->allowed = 0xffffffff;
+       goto out;
 }
 
 /*
@@ -556,20 +992,31 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
 {
        char *scontextp;
 
-       *scontext = NULL;
+       if (scontext)
+               *scontext = NULL;
        *scontext_len = 0;
 
+       if (context->len) {
+               *scontext_len = context->len;
+               *scontext = kstrdup(context->str, GFP_ATOMIC);
+               if (!(*scontext))
+                       return -ENOMEM;
+               return 0;
+       }
+
        /* Compute the size of the context. */
        *scontext_len += strlen(policydb.p_user_val_to_name[context->user - 1]) + 1;
        *scontext_len += strlen(policydb.p_role_val_to_name[context->role - 1]) + 1;
        *scontext_len += strlen(policydb.p_type_val_to_name[context->type - 1]) + 1;
        *scontext_len += mls_compute_context_len(context);
 
+       if (!scontext)
+               return 0;
+
        /* Allocate space for the context; caller must free this space. */
        scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
-       if (!scontextp) {
+       if (!scontextp)
                return -ENOMEM;
-       }
        *scontext = scontextp;
 
        /*
@@ -580,8 +1027,8 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
                policydb.p_role_val_to_name[context->role - 1],
                policydb.p_type_val_to_name[context->type - 1]);
        scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) +
-                    1 + strlen(policydb.p_role_val_to_name[context->role - 1]) +
-                    1 + strlen(policydb.p_type_val_to_name[context->type - 1]);
+                    1 + strlen(policydb.p_role_val_to_name[context->role - 1]) +
+                    1 + strlen(policydb.p_type_val_to_name[context->type - 1]);
 
        mls_sid_to_context(context, &scontextp);
 
@@ -592,27 +1039,31 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
 
 #include "initial_sid_to_string.h"
 
-/**
- * security_sid_to_context - Obtain a context for a given SID.
- * @sid: security identifier, SID
- * @scontext: security context
- * @scontext_len: length in bytes
- *
- * Write the string representation of the context associated with @sid
- * into a dynamically allocated string of the correct size.  Set @scontext
- * to point to this string and set @scontext_len to the length of the string.
- */
-int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
+const char *security_get_initial_sid_context(u32 sid)
+{
+       if (unlikely(sid > SECINITSID_NUM))
+               return NULL;
+       return initial_sid_to_string[sid];
+}
+
+static int security_sid_to_context_core(u32 sid, char **scontext,
+                                       u32 *scontext_len, int force)
 {
        struct context *context;
        int rc = 0;
 
+       if (scontext)
+               *scontext = NULL;
+       *scontext_len  = 0;
+
        if (!ss_initialized) {
                if (sid <= SECINITSID_NUM) {
                        char *scontextp;
 
                        *scontext_len = strlen(initial_sid_to_string[sid]) + 1;
-                       scontextp = kmalloc(*scontext_len,GFP_ATOMIC);
+                       if (!scontext)
+                               goto out;
+                       scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
                        if (!scontextp) {
                                rc = -ENOMEM;
                                goto out;
@@ -621,73 +1072,72 @@ int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
                        *scontext = scontextp;
                        goto out;
                }
-               printk(KERN_ERR "security_sid_to_context:  called before initial "
-                      "load_policy on unknown SID %d\n", sid);
+               printk(KERN_ERR "SELinux: %s:  called before initial "
+                      "load_policy on unknown SID %d\n", __func__, sid);
                rc = -EINVAL;
                goto out;
        }
-       POLICY_RDLOCK;
-       context = sidtab_search(&sidtab, sid);
+       read_lock(&policy_rwlock);
+       if (force)
+               context = sidtab_search_force(&sidtab, sid);
+       else
+               context = sidtab_search(&sidtab, sid);
        if (!context) {
-               printk(KERN_ERR "security_sid_to_context:  unrecognized SID "
-                      "%d\n", sid);
+               printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                       __func__, sid);
                rc = -EINVAL;
                goto out_unlock;
        }
        rc = context_struct_to_string(context, scontext, scontext_len);
 out_unlock:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
 out:
        return rc;
 
 }
 
-static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid)
+/**
+ * security_sid_to_context - Obtain a context for a given SID.
+ * @sid: security identifier, SID
+ * @scontext: security context
+ * @scontext_len: length in bytes
+ *
+ * Write the string representation of the context associated with @sid
+ * into a dynamically allocated string of the correct size.  Set @scontext
+ * to point to this string and set @scontext_len to the length of the string.
+ */
+int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
+{
+       return security_sid_to_context_core(sid, scontext, scontext_len, 0);
+}
+
+int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len)
+{
+       return security_sid_to_context_core(sid, scontext, scontext_len, 1);
+}
+
+/*
+ * Caveat:  Mutates scontext.
+ */
+static int string_to_context_struct(struct policydb *pol,
+                                   struct sidtab *sidtabp,
+                                   char *scontext,
+                                   u32 scontext_len,
+                                   struct context *ctx,
+                                   u32 def_sid)
 {
-       char *scontext2;
-       struct context context;
        struct role_datum *role;
        struct type_datum *typdatum;
        struct user_datum *usrdatum;
        char *scontextp, *p, oldc;
        int rc = 0;
 
-       if (!ss_initialized) {
-               int i;
-
-               for (i = 1; i < SECINITSID_NUM; i++) {
-                       if (!strcmp(initial_sid_to_string[i], scontext)) {
-                               *sid = i;
-                               goto out;
-                       }
-               }
-               *sid = SECINITSID_KERNEL;
-               goto out;
-       }
-       *sid = SECSID_NULL;
-
-       /* Copy the string so that we can modify the copy as we parse it.
-          The string should already by null terminated, but we append a
-          null suffix to the copy to avoid problems with the existing
-          attr package, which doesn't view the null terminator as part
-          of the attribute value. */
-       scontext2 = kmalloc(scontext_len+1,GFP_KERNEL);
-       if (!scontext2) {
-               rc = -ENOMEM;
-               goto out;
-       }
-       memcpy(scontext2, scontext, scontext_len);
-       scontext2[scontext_len] = 0;
-
-       context_init(&context);
-       *sid = SECSID_NULL;
-
-       POLICY_RDLOCK;
+       context_init(ctx);
 
        /* Parse the security context. */
 
        rc = -EINVAL;
-       scontextp = (char *) scontext2;
+       scontextp = (char *) scontext;
 
        /* Extract the user. */
        p = scontextp;
@@ -695,15 +1145,15 @@ static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *s
                p++;
 
        if (*p == 0)
-               goto out_unlock;
+               goto out;
 
        *p++ = 0;
 
-       usrdatum = hashtab_search(policydb.p_users.table, scontextp);
+       usrdatum = hashtab_search(pol->p_users.table, scontextp);
        if (!usrdatum)
-               goto out_unlock;
+               goto out;
 
-       context.user = usrdatum->value;
+       ctx->user = usrdatum->value;
 
        /* Extract role. */
        scontextp = p;
@@ -711,14 +1161,14 @@ static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *s
                p++;
 
        if (*p == 0)
-               goto out_unlock;
+               goto out;
 
        *p++ = 0;
 
-       role = hashtab_search(policydb.p_roles.table, scontextp);
+       role = hashtab_search(pol->p_roles.table, scontextp);
        if (!role)
-               goto out_unlock;
-       context.role = role->value;
+               goto out;
+       ctx->role = role->value;
 
        /* Extract type. */
        scontextp = p;
@@ -727,33 +1177,87 @@ static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *s
        oldc = *p;
        *p++ = 0;
 
-       typdatum = hashtab_search(policydb.p_types.table, scontextp);
-       if (!typdatum)
-               goto out_unlock;
+       typdatum = hashtab_search(pol->p_types.table, scontextp);
+       if (!typdatum || typdatum->attribute)
+               goto out;
 
-       context.type = typdatum->value;
+       ctx->type = typdatum->value;
 
-       rc = mls_context_to_sid(oldc, &p, &context, &sidtab, def_sid);
+       rc = mls_context_to_sid(pol, oldc, &p, ctx, sidtabp, def_sid);
        if (rc)
-               goto out_unlock;
+               goto out;
 
-       if ((p - scontext2) < scontext_len) {
+       if ((p - scontext) < scontext_len) {
                rc = -EINVAL;
-               goto out_unlock;
+               goto out;
        }
 
        /* Check the validity of the new context. */
-       if (!policydb_context_isvalid(&policydb, &context)) {
+       if (!policydb_context_isvalid(pol, ctx)) {
                rc = -EINVAL;
-               goto out_unlock;
+               goto out;
+       }
+       rc = 0;
+out:
+       if (rc)
+               context_destroy(ctx);
+       return rc;
+}
+
+static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
+                                       u32 *sid, u32 def_sid, gfp_t gfp_flags,
+                                       int force)
+{
+       char *scontext2, *str = NULL;
+       struct context context;
+       int rc = 0;
+
+       if (!ss_initialized) {
+               int i;
+
+               for (i = 1; i < SECINITSID_NUM; i++) {
+                       if (!strcmp(initial_sid_to_string[i], scontext)) {
+                               *sid = i;
+                               return 0;
+                       }
+               }
+               *sid = SECINITSID_KERNEL;
+               return 0;
        }
-       /* Obtain the new sid. */
+       *sid = SECSID_NULL;
+
+       /* Copy the string so that we can modify the copy as we parse it. */
+       scontext2 = kmalloc(scontext_len + 1, gfp_flags);
+       if (!scontext2)
+               return -ENOMEM;
+       memcpy(scontext2, scontext, scontext_len);
+       scontext2[scontext_len] = 0;
+
+       if (force) {
+               /* Save another copy for storing in uninterpreted form */
+               str = kstrdup(scontext2, gfp_flags);
+               if (!str) {
+                       kfree(scontext2);
+                       return -ENOMEM;
+               }
+       }
+
+       read_lock(&policy_rwlock);
+       rc = string_to_context_struct(&policydb, &sidtab,
+                                     scontext2, scontext_len,
+                                     &context, def_sid);
+       if (rc == -EINVAL && force) {
+               context.str = str;
+               context.len = scontext_len;
+               str = NULL;
+       } else if (rc)
+               goto out;
        rc = sidtab_context_to_sid(&sidtab, &context, sid);
-out_unlock:
-       POLICY_RDUNLOCK;
        context_destroy(&context);
-       kfree(scontext2);
 out:
+       read_unlock(&policy_rwlock);
+       kfree(scontext2);
+       kfree(str);
        return rc;
 }
 
@@ -768,10 +1272,10 @@ out:
  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
  * memory is available, or 0 on success.
  */
-int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid)
+int security_context_to_sid(const char *scontext, u32 scontext_len, u32 *sid)
 {
        return security_context_to_sid_core(scontext, scontext_len,
-                                           sid, SECSID_NULL);
+                                           sid, SECSID_NULL, GFP_KERNEL, 0);
 }
 
 /**
@@ -781,20 +1285,29 @@ int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid)
  * @scontext: security context
  * @scontext_len: length in bytes
  * @sid: security identifier, SID
- * @def_sid: default SID to assign on errror
+ * @def_sid: default SID to assign on error
  *
  * Obtains a SID associated with the security context that
  * has the string representation specified by @scontext.
  * The default SID is passed to the MLS layer to be used to allow
  * kernel labeling of the MLS field if the MLS field is not present
  * (for upgrading to MLS without full relabel).
+ * Implicitly forces adding of the context even if it cannot be mapped yet.
  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
  * memory is available, or 0 on success.
  */
-int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid)
+int security_context_to_sid_default(const char *scontext, u32 scontext_len,
+                                   u32 *sid, u32 def_sid, gfp_t gfp_flags)
+{
+       return security_context_to_sid_core(scontext, scontext_len,
+                                           sid, def_sid, gfp_flags, 1);
+}
+
+int security_context_to_sid_force(const char *scontext, u32 scontext_len,
+                                 u32 *sid)
 {
        return security_context_to_sid_core(scontext, scontext_len,
-                                           sid, def_sid);
+                                           sid, SECSID_NULL, GFP_KERNEL, 1);
 }
 
 static int compute_sid_handle_invalid_context(
@@ -829,20 +1342,22 @@ out:
 
 static int security_compute_sid(u32 ssid,
                                u32 tsid,
-                               u16 tclass,
+                               u16 orig_tclass,
                                u32 specified,
-                               u32 *out_sid)
+                               u32 *out_sid,
+                               bool kern)
 {
        struct context *scontext = NULL, *tcontext = NULL, newcontext;
        struct role_trans *roletr = NULL;
        struct avtab_key avkey;
        struct avtab_datum *avdatum;
        struct avtab_node *node;
+       u16 tclass;
        int rc = 0;
 
        if (!ss_initialized) {
-               switch (tclass) {
-               case SECCLASS_PROCESS:
+               switch (orig_tclass) {
+               case SECCLASS_PROCESS: /* kernel value */
                        *out_sid = ssid;
                        break;
                default:
@@ -854,19 +1369,24 @@ static int security_compute_sid(u32 ssid,
 
        context_init(&newcontext);
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
+
+       if (kern)
+               tclass = unmap_class(orig_tclass);
+       else
+               tclass = orig_tclass;
 
        scontext = sidtab_search(&sidtab, ssid);
        if (!scontext) {
-               printk(KERN_ERR "security_compute_sid:  unrecognized SID %d\n",
-                      ssid);
+               printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                      __func__, ssid);
                rc = -EINVAL;
                goto out_unlock;
        }
        tcontext = sidtab_search(&sidtab, tsid);
        if (!tcontext) {
-               printk(KERN_ERR "security_compute_sid:  unrecognized SID %d\n",
-                      tsid);
+               printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                      __func__, tsid);
                rc = -EINVAL;
                goto out_unlock;
        }
@@ -885,13 +1405,11 @@ static int security_compute_sid(u32 ssid,
        }
 
        /* Set the role and type to default values. */
-       switch (tclass) {
-       case SECCLASS_PROCESS:
+       if (tclass == policydb.process_class) {
                /* Use the current role and type of process. */
                newcontext.role = scontext->role;
                newcontext.type = scontext->type;
-               break;
-       default:
+       } else {
                /* Use the well-defined object role. */
                newcontext.role = OBJECT_R_VAL;
                /* Use the type of the related object. */
@@ -906,9 +1424,9 @@ static int security_compute_sid(u32 ssid,
        avdatum = avtab_search(&policydb.te_avtab, &avkey);
 
        /* If no permanent rule, also check for enabled conditional rules */
-       if(!avdatum) {
+       if (!avdatum) {
                node = avtab_search_node(&policydb.te_cond_avtab, &avkey);
-               for (; node != NULL; node = avtab_search_node_next(node, specified)) {
+               for (; node; node = avtab_search_node_next(node, specified)) {
                        if (node->key.specified & AVTAB_ENABLED) {
                                avdatum = &node->datum;
                                break;
@@ -922,8 +1440,7 @@ static int security_compute_sid(u32 ssid,
        }
 
        /* Check for class-specific changes. */
-       switch (tclass) {
-       case SECCLASS_PROCESS:
+       if  (tclass == policydb.process_class) {
                if (specified & AVTAB_TRANSITION) {
                        /* Look for a role transition rule. */
                        for (roletr = policydb.role_tr; roletr;
@@ -936,9 +1453,6 @@ static int security_compute_sid(u32 ssid,
                                }
                        }
                }
-               break;
-       default:
-               break;
        }
 
        /* Set the MLS attributes.
@@ -959,7 +1473,7 @@ static int security_compute_sid(u32 ssid,
        /* Obtain the sid for the context. */
        rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid);
 out_unlock:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
        context_destroy(&newcontext);
 out:
        return rc;
@@ -983,7 +1497,17 @@ int security_transition_sid(u32 ssid,
                            u16 tclass,
                            u32 *out_sid)
 {
-       return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid);
+       return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
+                                   out_sid, true);
+}
+
+int security_transition_sid_user(u32 ssid,
+                                u32 tsid,
+                                u16 tclass,
+                                u32 *out_sid)
+{
+       return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
+                                   out_sid, false);
 }
 
 /**
@@ -1004,7 +1528,8 @@ int security_member_sid(u32 ssid,
                        u16 tclass,
                        u32 *out_sid)
 {
-       return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid);
+       return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid,
+                                   false);
 }
 
 /**
@@ -1025,116 +1550,8 @@ int security_change_sid(u32 ssid,
                        u16 tclass,
                        u32 *out_sid)
 {
-       return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid);
-}
-
-/*
- * Verify that each kernel class that is defined in the
- * policy is correct
- */
-static int validate_classes(struct policydb *p)
-{
-       int i, j;
-       struct class_datum *cladatum;
-       struct perm_datum *perdatum;
-       u32 nprim, tmp, common_pts_len, perm_val, pol_val;
-       u16 class_val;
-       const struct selinux_class_perm *kdefs = &selinux_class_perm;
-       const char *def_class, *def_perm, *pol_class;
-       struct symtab *perms;
-
-       for (i = 1; i < kdefs->cts_len; i++) {
-               def_class = kdefs->class_to_string[i];
-               if (i > p->p_classes.nprim) {
-                       printk(KERN_INFO
-                              "security:  class %s not defined in policy\n",
-                              def_class);
-                       continue;
-               }
-               pol_class = p->p_class_val_to_name[i-1];
-               if (strcmp(pol_class, def_class)) {
-                       printk(KERN_ERR
-                              "security:  class %d is incorrect, found %s but should be %s\n",
-                              i, pol_class, def_class);
-                       return -EINVAL;
-               }
-       }
-       for (i = 0; i < kdefs->av_pts_len; i++) {
-               class_val = kdefs->av_perm_to_string[i].tclass;
-               perm_val = kdefs->av_perm_to_string[i].value;
-               def_perm = kdefs->av_perm_to_string[i].name;
-               if (class_val > p->p_classes.nprim)
-                       continue;
-               pol_class = p->p_class_val_to_name[class_val-1];
-               cladatum = hashtab_search(p->p_classes.table, pol_class);
-               BUG_ON(!cladatum);
-               perms = &cladatum->permissions;
-               nprim = 1 << (perms->nprim - 1);
-               if (perm_val > nprim) {
-                       printk(KERN_INFO
-                              "security:  permission %s in class %s not defined in policy\n",
-                              def_perm, pol_class);
-                       continue;
-               }
-               perdatum = hashtab_search(perms->table, def_perm);
-               if (perdatum == NULL) {
-                       printk(KERN_ERR
-                              "security:  permission %s in class %s not found in policy\n",
-                              def_perm, pol_class);
-                       return -EINVAL;
-               }
-               pol_val = 1 << (perdatum->value - 1);
-               if (pol_val != perm_val) {
-                       printk(KERN_ERR
-                              "security:  permission %s in class %s has incorrect value\n",
-                              def_perm, pol_class);
-                       return -EINVAL;
-               }
-       }
-       for (i = 0; i < kdefs->av_inherit_len; i++) {
-               class_val = kdefs->av_inherit[i].tclass;
-               if (class_val > p->p_classes.nprim)
-                       continue;
-               pol_class = p->p_class_val_to_name[class_val-1];
-               cladatum = hashtab_search(p->p_classes.table, pol_class);
-               BUG_ON(!cladatum);
-               if (!cladatum->comdatum) {
-                       printk(KERN_ERR
-                              "security:  class %s should have an inherits clause but does not\n",
-                              pol_class);
-                       return -EINVAL;
-               }
-               tmp = kdefs->av_inherit[i].common_base;
-               common_pts_len = 0;
-               while (!(tmp & 0x01)) {
-                       common_pts_len++;
-                       tmp >>= 1;
-               }
-               perms = &cladatum->comdatum->permissions;
-               for (j = 0; j < common_pts_len; j++) {
-                       def_perm = kdefs->av_inherit[i].common_pts[j];
-                       if (j >= perms->nprim) {
-                               printk(KERN_INFO
-                                      "security:  permission %s in class %s not defined in policy\n",
-                                      def_perm, pol_class);
-                               continue;
-                       }
-                       perdatum = hashtab_search(perms->table, def_perm);
-                       if (perdatum == NULL) {
-                               printk(KERN_ERR
-                                      "security:  permission %s in class %s not found in policy\n",
-                                      def_perm, pol_class);
-                               return -EINVAL;
-                       }
-                       if (perdatum->value != j + 1) {
-                               printk(KERN_ERR
-                                      "security:  permission %s in class %s has incorrect value\n",
-                                      def_perm, pol_class);
-                               return -EINVAL;
-                       }
-               }
-       }
-       return 0;
+       return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid,
+                                   false);
 }
 
 /* Clone the SID into the new SID table. */
@@ -1144,7 +1561,10 @@ static int clone_sid(u32 sid,
 {
        struct sidtab *s = arg;
 
-       return sidtab_insert(s, sid, context);
+       if (sid > SECINITSID_NUM)
+               return sidtab_insert(s, sid, context);
+       else
+               return 0;
 }
 
 static inline int convert_context_handle_invalid_context(struct context *context)
@@ -1157,9 +1577,12 @@ static inline int convert_context_handle_invalid_context(struct context *context
                char *s;
                u32 len;
 
-               context_struct_to_string(context, &s, &len);
-               printk(KERN_ERR "security:  context %s is invalid\n", s);
-               kfree(s);
+               if (!context_struct_to_string(context, &s, &len)) {
+                       printk(KERN_WARNING
+                      "SELinux:  Context %s would be invalid if enforcing\n",
+                              s);
+                       kfree(s);
+               }
        }
        return rc;
 }
@@ -1182,15 +1605,51 @@ static int convert_context(u32 key,
 {
        struct convert_context_args *args;
        struct context oldc;
+       struct ocontext *oc;
+       struct mls_range *range;
        struct role_datum *role;
        struct type_datum *typdatum;
        struct user_datum *usrdatum;
        char *s;
        u32 len;
-       int rc;
+       int rc = 0;
+
+       if (key <= SECINITSID_NUM)
+               goto out;
 
        args = p;
 
+       if (c->str) {
+               struct context ctx;
+               s = kstrdup(c->str, GFP_KERNEL);
+               if (!s) {
+                       rc = -ENOMEM;
+                       goto out;
+               }
+               rc = string_to_context_struct(args->newp, NULL, s,
+                                             c->len, &ctx, SECSID_NULL);
+               kfree(s);
+               if (!rc) {
+                       printk(KERN_INFO
+                      "SELinux:  Context %s became valid (mapped).\n",
+                              c->str);
+                       /* Replace string with mapped representation. */
+                       kfree(c->str);
+                       memcpy(c, &ctx, sizeof(*c));
+                       goto out;
+               } else if (rc == -EINVAL) {
+                       /* Retain string representation for later mapping. */
+                       rc = 0;
+                       goto out;
+               } else {
+                       /* Other error condition, e.g. ENOMEM. */
+                       printk(KERN_ERR
+                      "SELinux:   Unable to map context %s, rc = %d.\n",
+                              c->str, -rc);
+                       goto out;
+               }
+       }
+
        rc = context_cpy(&oldc, c);
        if (rc)
                goto out;
@@ -1199,31 +1658,58 @@ static int convert_context(u32 key,
 
        /* Convert the user. */
        usrdatum = hashtab_search(args->newp->p_users.table,
-                                 args->oldp->p_user_val_to_name[c->user - 1]);
-       if (!usrdatum) {
+                                 args->oldp->p_user_val_to_name[c->user - 1]);
+       if (!usrdatum)
                goto bad;
-       }
        c->user = usrdatum->value;
 
        /* Convert the role. */
        role = hashtab_search(args->newp->p_roles.table,
-                             args->oldp->p_role_val_to_name[c->role - 1]);
-       if (!role) {
+                             args->oldp->p_role_val_to_name[c->role - 1]);
+       if (!role)
                goto bad;
-       }
        c->role = role->value;
 
        /* Convert the type. */
        typdatum = hashtab_search(args->newp->p_types.table,
-                                 args->oldp->p_type_val_to_name[c->type - 1]);
-       if (!typdatum) {
+                                 args->oldp->p_type_val_to_name[c->type - 1]);
+       if (!typdatum)
                goto bad;
-       }
        c->type = typdatum->value;
 
-       rc = mls_convert_context(args->oldp, args->newp, c);
-       if (rc)
-               goto bad;
+       /* Convert the MLS fields if dealing with MLS policies */
+       if (args->oldp->mls_enabled && args->newp->mls_enabled) {
+               rc = mls_convert_context(args->oldp, args->newp, c);
+               if (rc)
+                       goto bad;
+       } else if (args->oldp->mls_enabled && !args->newp->mls_enabled) {
+               /*
+                * Switching between MLS and non-MLS policy:
+                * free any storage used by the MLS fields in the
+                * context for all existing entries in the sidtab.
+                */
+               mls_context_destroy(c);
+       } else if (!args->oldp->mls_enabled && args->newp->mls_enabled) {
+               /*
+                * Switching between non-MLS and MLS policy:
+                * ensure that the MLS fields of the context for all
+                * existing entries in the sidtab are filled in with a
+                * suitable default value, likely taken from one of the
+                * initial SIDs.
+                */
+               oc = args->newp->ocontexts[OCON_ISID];
+               while (oc && oc->sid[0] != SECINITSID_UNLABELED)
+                       oc = oc->next;
+               if (!oc) {
+                       printk(KERN_ERR "SELinux:  unable to look up"
+                               " the initial SIDs list\n");
+                       goto bad;
+               }
+               range = &oc->context[0].range;
+               rc = mls_range_set(c, range);
+               if (rc)
+                       goto bad;
+       }
 
        /* Check the validity of the new context. */
        if (!policydb_context_isvalid(args->newp, c)) {
@@ -1233,17 +1719,34 @@ static int convert_context(u32 key,
        }
 
        context_destroy(&oldc);
+       rc = 0;
 out:
        return rc;
 bad:
-       context_struct_to_string(&oldc, &s, &len);
+       /* Map old representation to string and save it. */
+       if (context_struct_to_string(&oldc, &s, &len))
+               return -ENOMEM;
        context_destroy(&oldc);
-       printk(KERN_ERR "security:  invalidating context %s\n", s);
-       kfree(s);
+       context_destroy(c);
+       c->str = s;
+       c->len = len;
+       printk(KERN_INFO
+              "SELinux:  Context %s became invalid (unmapped).\n",
+              c->str);
+       rc = 0;
        goto out;
 }
 
+static void security_load_policycaps(void)
+{
+       selinux_policycap_netpeer = ebitmap_get_bit(&policydb.policycaps,
+                                                 POLICYDB_CAPABILITY_NETPEER);
+       selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps,
+                                                 POLICYDB_CAPABILITY_OPENPERM);
+}
+
 extern void selinux_complete_init(void);
+static int security_preserve_bools(struct policydb *p);
 
 /**
  * security_load_policy - Load a security policy configuration.
@@ -1259,44 +1762,47 @@ int security_load_policy(void *data, size_t len)
 {
        struct policydb oldpolicydb, newpolicydb;
        struct sidtab oldsidtab, newsidtab;
+       struct selinux_mapping *oldmap, *map = NULL;
        struct convert_context_args args;
        u32 seqno;
+       u16 map_size;
        int rc = 0;
        struct policy_file file = { data, len }, *fp = &file;
 
-       LOAD_LOCK;
-
        if (!ss_initialized) {
                avtab_cache_init();
-               if (policydb_read(&policydb, fp)) {
-                       LOAD_UNLOCK;
+               rc = policydb_read(&policydb, fp);
+               if (rc) {
                        avtab_cache_destroy();
-                       return -EINVAL;
+                       return rc;
                }
-               if (policydb_load_isids(&policydb, &sidtab)) {
-                       LOAD_UNLOCK;
+
+               policydb.len = len;
+               rc = selinux_set_mapping(&policydb, secclass_map,
+                                        &current_mapping,
+                                        &current_mapping_size);
+               if (rc) {
                        policydb_destroy(&policydb);
                        avtab_cache_destroy();
-                       return -EINVAL;
+                       return rc;
                }
-               /* Verify that the kernel defined classes are correct. */
-               if (validate_classes(&policydb)) {
-                       printk(KERN_ERR
-                              "security:  the definition of a class is incorrect\n");
-                       LOAD_UNLOCK;
-                       sidtab_destroy(&sidtab);
+
+               rc = policydb_load_isids(&policydb, &sidtab);
+               if (rc) {
                        policydb_destroy(&policydb);
                        avtab_cache_destroy();
-                       return -EINVAL;
+                       return rc;
                }
-               policydb_loaded_version = policydb.policyvers;
+
+               security_load_policycaps();
                ss_initialized = 1;
                seqno = ++latest_granting;
-               LOAD_UNLOCK;
                selinux_complete_init();
                avc_ss_reset(seqno);
                selnl_notify_policyload(seqno);
+               selinux_status_update_policyload(seqno);
                selinux_netlbl_cache_invalidate();
+               selinux_xfrm_notify_policyload();
                return 0;
        }
 
@@ -1304,83 +1810,114 @@ int security_load_policy(void *data, size_t len)
        sidtab_hash_eval(&sidtab, "sids");
 #endif
 
-       if (policydb_read(&newpolicydb, fp)) {
-               LOAD_UNLOCK;
-               return -EINVAL;
+       rc = policydb_read(&newpolicydb, fp);
+       if (rc)
+               return rc;
+
+       newpolicydb.len = len;
+       /* If switching between different policy types, log MLS status */
+       if (policydb.mls_enabled && !newpolicydb.mls_enabled)
+               printk(KERN_INFO "SELinux: Disabling MLS support...\n");
+       else if (!policydb.mls_enabled && newpolicydb.mls_enabled)
+               printk(KERN_INFO "SELinux: Enabling MLS support...\n");
+
+       rc = policydb_load_isids(&newpolicydb, &newsidtab);
+       if (rc) {
+               printk(KERN_ERR "SELinux:  unable to load the initial SIDs\n");
+               policydb_destroy(&newpolicydb);
+               return rc;
        }
 
-       sidtab_init(&newsidtab);
+       rc = selinux_set_mapping(&newpolicydb, secclass_map, &map, &map_size);
+       if (rc)
+               goto err;
 
-       /* Verify that the kernel defined classes are correct. */
-       if (validate_classes(&newpolicydb)) {
-               printk(KERN_ERR
-                      "security:  the definition of a class is incorrect\n");
-               rc = -EINVAL;
+       rc = security_preserve_bools(&newpolicydb);
+       if (rc) {
+               printk(KERN_ERR "SELinux:  unable to preserve booleans\n");
                goto err;
        }
 
        /* Clone the SID table. */
        sidtab_shutdown(&sidtab);
-       if (sidtab_map(&sidtab, clone_sid, &newsidtab)) {
-               rc = -ENOMEM;
+
+       rc = sidtab_map(&sidtab, clone_sid, &newsidtab);
+       if (rc)
                goto err;
-       }
 
-       /* Convert the internal representations of contexts
-          in the new SID table and remove invalid SIDs. */
+       /*
+        * Convert the internal representations of contexts
+        * in the new SID table.
+        */
        args.oldp = &policydb;
        args.newp = &newpolicydb;
-       sidtab_map_remove_on_error(&newsidtab, convert_context, &args);
+       rc = sidtab_map(&newsidtab, convert_context, &args);
+       if (rc) {
+               printk(KERN_ERR "SELinux:  unable to convert the internal"
+                       " representation of contexts in the new SID"
+                       " table\n");
+               goto err;
+       }
 
        /* Save the old policydb and SID table to free later. */
        memcpy(&oldpolicydb, &policydb, sizeof policydb);
        sidtab_set(&oldsidtab, &sidtab);
 
        /* Install the new policydb and SID table. */
-       POLICY_WRLOCK;
+       write_lock_irq(&policy_rwlock);
        memcpy(&policydb, &newpolicydb, sizeof policydb);
        sidtab_set(&sidtab, &newsidtab);
+       security_load_policycaps();
+       oldmap = current_mapping;
+       current_mapping = map;
+       current_mapping_size = map_size;
        seqno = ++latest_granting;
-       policydb_loaded_version = policydb.policyvers;
-       POLICY_WRUNLOCK;
-       LOAD_UNLOCK;
+       write_unlock_irq(&policy_rwlock);
 
        /* Free the old policydb and SID table. */
        policydb_destroy(&oldpolicydb);
        sidtab_destroy(&oldsidtab);
+       kfree(oldmap);
 
        avc_ss_reset(seqno);
        selnl_notify_policyload(seqno);
+       selinux_status_update_policyload(seqno);
        selinux_netlbl_cache_invalidate();
+       selinux_xfrm_notify_policyload();
 
        return 0;
 
 err:
-       LOAD_UNLOCK;
+       kfree(map);
        sidtab_destroy(&newsidtab);
        policydb_destroy(&newpolicydb);
        return rc;
 
 }
 
+size_t security_policydb_len(void)
+{
+       size_t len;
+
+       read_lock(&policy_rwlock);
+       len = policydb.len;
+       read_unlock(&policy_rwlock);
+
+       return len;
+}
+
 /**
  * security_port_sid - Obtain the SID for a port.
- * @domain: communication domain aka address family
- * @type: socket type
  * @protocol: protocol number
  * @port: port number
  * @out_sid: security identifier
  */
-int security_port_sid(u16 domain,
-                     u16 type,
-                     u8 protocol,
-                     u16 port,
-                     u32 *out_sid)
+int security_port_sid(u8 protocol, u16 port, u32 *out_sid)
 {
        struct ocontext *c;
        int rc = 0;
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
 
        c = policydb.ocontexts[OCON_PORT];
        while (c) {
@@ -1405,7 +1942,7 @@ int security_port_sid(u16 domain,
        }
 
 out:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
        return rc;
 }
 
@@ -1413,16 +1950,13 @@ out:
  * security_netif_sid - Obtain the SID for a network interface.
  * @name: interface name
  * @if_sid: interface SID
- * @msg_sid: default SID for received packets
  */
-int security_netif_sid(char *name,
-                      u32 *if_sid,
-                      u32 *msg_sid)
+int security_netif_sid(char *name, u32 *if_sid)
 {
        int rc = 0;
        struct ocontext *c;
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
 
        c = policydb.ocontexts[OCON_NETIF];
        while (c) {
@@ -1445,14 +1979,11 @@ int security_netif_sid(char *name,
                                goto out;
                }
                *if_sid = c->sid[0];
-               *msg_sid = c->sid[1];
-       } else {
+       } else
                *if_sid = SECINITSID_NETIF;
-               *msg_sid = SECINITSID_NETMSG;
-       }
 
 out:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
        return rc;
 }
 
@@ -1460,8 +1991,8 @@ static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask)
 {
        int i, fail = 0;
 
-       for(i = 0; i < 4; i++)
-               if(addr[i] != (input[i] & mask[i])) {
+       for (i = 0; i < 4; i++)
+               if (addr[i] != (input[i] & mask[i])) {
                        fail = 1;
                        break;
                }
@@ -1484,7 +2015,7 @@ int security_node_sid(u16 domain,
        int rc = 0;
        struct ocontext *c;
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
 
        switch (domain) {
        case AF_INET: {
@@ -1539,7 +2070,7 @@ int security_node_sid(u16 domain,
        }
 
 out:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
        return rc;
 }
 
@@ -1560,26 +2091,27 @@ out:
  */
 
 int security_get_user_sids(u32 fromsid,
-                          char *username,
+                          char *username,
                           u32 **sids,
                           u32 *nel)
 {
        struct context *fromcon, usercon;
-       u32 *mysids, *mysids2, sid;
+       u32 *mysids = NULL, *mysids2, sid;
        u32 mynel = 0, maxnel = SIDS_NEL;
        struct user_datum *user;
        struct role_datum *role;
-       struct av_decision avd;
        struct ebitmap_node *rnode, *tnode;
        int rc = 0, i, j;
 
-       if (!ss_initialized) {
-               *sids = NULL;
-               *nel = 0;
+       *sids = NULL;
+       *nel = 0;
+
+       if (!ss_initialized)
                goto out;
-       }
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
+
+       context_init(&usercon);
 
        fromcon = sidtab_search(&sidtab, fromsid);
        if (!fromcon) {
@@ -1600,30 +2132,18 @@ int security_get_user_sids(u32 fromsid,
                goto out_unlock;
        }
 
-       ebitmap_for_each_bit(&user->roles, rnode, i) {
-               if (!ebitmap_node_get_bit(rnode, i))
-                       continue;
+       ebitmap_for_each_positive_bit(&user->roles, rnode, i) {
                role = policydb.role_val_to_struct[i];
-               usercon.role = i+1;
-               ebitmap_for_each_bit(&role->types, tnode, j) {
-                       if (!ebitmap_node_get_bit(tnode, j))
-                               continue;
-                       usercon.type = j+1;
+               usercon.role = i + 1;
+               ebitmap_for_each_positive_bit(&role->types, tnode, j) {
+                       usercon.type = j + 1;
 
                        if (mls_setup_user_range(fromcon, user, &usercon))
                                continue;
 
-                       rc = context_struct_compute_av(fromcon, &usercon,
-                                                      SECCLASS_PROCESS,
-                                                      PROCESS__TRANSITION,
-                                                      &avd);
-                       if (rc ||  !(avd.allowed & PROCESS__TRANSITION))
-                               continue;
                        rc = sidtab_context_to_sid(&sidtab, &usercon, &sid);
-                       if (rc) {
-                               kfree(mysids);
+                       if (rc)
                                goto out_unlock;
-                       }
                        if (mynel < maxnel) {
                                mysids[mynel++] = sid;
                        } else {
@@ -1631,7 +2151,6 @@ int security_get_user_sids(u32 fromsid,
                                mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC);
                                if (!mysids2) {
                                        rc = -ENOMEM;
-                                       kfree(mysids);
                                        goto out_unlock;
                                }
                                memcpy(mysids2, mysids, mynel * sizeof(*mysids2));
@@ -1642,11 +2161,32 @@ int security_get_user_sids(u32 fromsid,
                }
        }
 
-       *sids = mysids;
-       *nel = mynel;
-
 out_unlock:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
+       if (rc || !mynel) {
+               kfree(mysids);
+               goto out;
+       }
+
+       mysids2 = kcalloc(mynel, sizeof(*mysids2), GFP_KERNEL);
+       if (!mysids2) {
+               rc = -ENOMEM;
+               kfree(mysids);
+               goto out;
+       }
+       for (i = 0, j = 0; i < mynel; i++) {
+               rc = avc_has_perm_noaudit(fromsid, mysids[i],
+                                         SECCLASS_PROCESS, /* kernel value */
+                                         PROCESS__TRANSITION, AVC_STRICT,
+                                         NULL);
+               if (!rc)
+                       mysids2[j++] = mysids[i];
+               cond_resched();
+       }
+       rc = 0;
+       kfree(mysids);
+       *sids = mysids2;
+       *nel = j;
 out:
        return rc;
 }
@@ -1663,16 +2203,22 @@ out:
  * transition SIDs or task SIDs.
  */
 int security_genfs_sid(const char *fstype,
-                      char *path,
-                      u16 sclass,
+                      char *path,
+                      u16 orig_sclass,
                       u32 *sid)
 {
        int len;
+       u16 sclass;
        struct genfs *genfs;
        struct ocontext *c;
        int rc = 0, cmp = 0;
 
-       POLICY_RDLOCK;
+       while (path[0] == '/' && path[1] == '/')
+               path++;
+
+       read_lock(&policy_rwlock);
+
+       sclass = unmap_class(orig_sclass);
 
        for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
                cmp = strcmp(fstype, genfs->fstype);
@@ -1709,7 +2255,7 @@ int security_genfs_sid(const char *fstype,
 
        *sid = c->sid[0];
 out:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
        return rc;
 }
 
@@ -1727,7 +2273,7 @@ int security_fs_use(
        int rc = 0;
        struct ocontext *c;
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
 
        c = policydb.ocontexts[OCON_FSUSE];
        while (c) {
@@ -1757,7 +2303,7 @@ int security_fs_use(
        }
 
 out:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
        return rc;
 }
 
@@ -1765,7 +2311,7 @@ int security_get_bools(int *len, char ***names, int **values)
 {
        int i, rc = -ENOMEM;
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
        *names = NULL;
        *values = NULL;
 
@@ -1775,7 +2321,7 @@ int security_get_bools(int *len, char ***names, int **values)
                goto out;
        }
 
-       *names = kcalloc(*len, sizeof(char*), GFP_ATOMIC);
+       *names = kcalloc(*len, sizeof(char *), GFP_ATOMIC);
        if (!*names)
                goto err;
 
@@ -1787,7 +2333,7 @@ int security_get_bools(int *len, char ***names, int **values)
                size_t name_len;
                (*values)[i] = policydb.bool_val_to_struct[i]->state;
                name_len = strlen(policydb.p_bool_val_to_name[i]) + 1;
-               (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC);
+              (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC);
                if (!(*names)[i])
                        goto err;
                strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len);
@@ -1795,7 +2341,7 @@ int security_get_bools(int *len, char ***names, int **values)
        }
        rc = 0;
 out:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
        return rc;
 err:
        if (*names) {
@@ -1813,7 +2359,7 @@ int security_set_bools(int len, int *values)
        int lenp, seqno = 0;
        struct cond_node *cur;
 
-       POLICY_WRLOCK;
+       write_lock_irq(&policy_rwlock);
 
        lenp = policydb.p_bools.nprim;
        if (len != lenp) {
@@ -1825,20 +2371,20 @@ int security_set_bools(int len, int *values)
                if (!!values[i] != policydb.bool_val_to_struct[i]->state) {
                        audit_log(current->audit_context, GFP_ATOMIC,
                                AUDIT_MAC_CONFIG_CHANGE,
-                               "bool=%s val=%d old_val=%d auid=%u",
+                               "bool=%s val=%d old_val=%d auid=%u ses=%u",
                                policydb.p_bool_val_to_name[i],
                                !!values[i],
                                policydb.bool_val_to_struct[i]->state,
-                               audit_get_loginuid(current->audit_context));
+                               audit_get_loginuid(current),
+                               audit_get_sessionid(current));
                }
-               if (values[i]) {
+               if (values[i])
                        policydb.bool_val_to_struct[i]->state = 1;
-               } else {
+               else
                        policydb.bool_val_to_struct[i]->state = 0;
-               }
        }
 
-       for (cur = policydb.cond_list; cur != NULL; cur = cur->next) {
+       for (cur = policydb.cond_list; cur; cur = cur->next) {
                rc = evaluate_cond_node(&policydb, cur);
                if (rc)
                        goto out;
@@ -1847,10 +2393,12 @@ int security_set_bools(int len, int *values)
        seqno = ++latest_granting;
 
 out:
-       POLICY_WRUNLOCK;
+       write_unlock_irq(&policy_rwlock);
        if (!rc) {
                avc_ss_reset(seqno);
                selnl_notify_policyload(seqno);
+               selinux_status_update_policyload(seqno);
+               selinux_xfrm_notify_policyload();
        }
        return rc;
 }
@@ -1860,7 +2408,7 @@ int security_get_bool_value(int bool)
        int rc = 0;
        int len;
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
 
        len = policydb.p_bools.nprim;
        if (bool >= len) {
@@ -1870,7 +2418,38 @@ int security_get_bool_value(int bool)
 
        rc = policydb.bool_val_to_struct[bool]->state;
 out:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
+       return rc;
+}
+
+static int security_preserve_bools(struct policydb *p)
+{
+       int rc, nbools = 0, *bvalues = NULL, i;
+       char **bnames = NULL;
+       struct cond_bool_datum *booldatum;
+       struct cond_node *cur;
+
+       rc = security_get_bools(&nbools, &bnames, &bvalues);
+       if (rc)
+               goto out;
+       for (i = 0; i < nbools; i++) {
+               booldatum = hashtab_search(p->p_bools.table, bnames[i]);
+               if (booldatum)
+                       booldatum->state = bvalues[i];
+       }
+       for (cur = p->cond_list; cur; cur = cur->next) {
+               rc = evaluate_cond_node(p, cur);
+               if (rc)
+                       goto out;
+       }
+
+out:
+       if (bnames) {
+               for (i = 0; i < nbools; i++)
+                       kfree(bnames[i]);
+       }
+       kfree(bnames);
+       kfree(bvalues);
        return rc;
 }
 
@@ -1887,26 +2466,26 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
        u32 len;
        int rc = 0;
 
-       if (!ss_initialized || !selinux_mls_enabled) {
+       if (!ss_initialized || !policydb.mls_enabled) {
                *new_sid = sid;
                goto out;
        }
 
        context_init(&newcon);
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
        context1 = sidtab_search(&sidtab, sid);
        if (!context1) {
-               printk(KERN_ERR "security_sid_mls_copy:  unrecognized SID "
-                      "%d\n", sid);
+               printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                       __func__, sid);
                rc = -EINVAL;
                goto out_unlock;
        }
 
        context2 = sidtab_search(&sidtab, mls_sid);
        if (!context2) {
-               printk(KERN_ERR "security_sid_mls_copy:  unrecognized SID "
-                      "%d\n", mls_sid);
+               printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                       __func__, mls_sid);
                rc = -EINVAL;
                goto out_unlock;
        }
@@ -1914,11 +2493,10 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
        newcon.user = context1->user;
        newcon.role = context1->role;
        newcon.type = context1->type;
-       rc = mls_copy_context(&newcon, context2);
+       rc = mls_context_cpy(&newcon, context2);
        if (rc)
                goto out_unlock;
 
-
        /* Check the validity of the new context. */
        if (!policydb_context_isvalid(&policydb, &newcon)) {
                rc = convert_context_handle_invalid_context(&newcon);
@@ -1937,38 +2515,249 @@ bad:
        }
 
 out_unlock:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
        context_destroy(&newcon);
 out:
        return rc;
 }
 
+/**
+ * security_net_peersid_resolve - Compare and resolve two network peer SIDs
+ * @nlbl_sid: NetLabel SID
+ * @nlbl_type: NetLabel labeling protocol type
+ * @xfrm_sid: XFRM SID
+ *
+ * Description:
+ * Compare the @nlbl_sid and @xfrm_sid values and if the two SIDs can be
+ * resolved into a single SID it is returned via @peer_sid and the function
+ * returns zero.  Otherwise @peer_sid is set to SECSID_NULL and the function
+ * returns a negative value.  A table summarizing the behavior is below:
+ *
+ *                                 | function return |      @sid
+ *   ------------------------------+-----------------+-----------------
+ *   no peer labels                |        0        |    SECSID_NULL
+ *   single peer label             |        0        |    <peer_label>
+ *   multiple, consistent labels   |        0        |    <peer_label>
+ *   multiple, inconsistent labels |    -<errno>     |    SECSID_NULL
+ *
+ */
+int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,
+                                u32 xfrm_sid,
+                                u32 *peer_sid)
+{
+       int rc;
+       struct context *nlbl_ctx;
+       struct context *xfrm_ctx;
+
+       /* handle the common (which also happens to be the set of easy) cases
+        * right away, these two if statements catch everything involving a
+        * single or absent peer SID/label */
+       if (xfrm_sid == SECSID_NULL) {
+               *peer_sid = nlbl_sid;
+               return 0;
+       }
+       /* NOTE: an nlbl_type == NETLBL_NLTYPE_UNLABELED is a "fallback" label
+        * and is treated as if nlbl_sid == SECSID_NULL when a XFRM SID/label
+        * is present */
+       if (nlbl_sid == SECSID_NULL || nlbl_type == NETLBL_NLTYPE_UNLABELED) {
+               *peer_sid = xfrm_sid;
+               return 0;
+       }
+
+       /* we don't need to check ss_initialized here since the only way both
+        * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the
+        * security server was initialized and ss_initialized was true */
+       if (!policydb.mls_enabled) {
+               *peer_sid = SECSID_NULL;
+               return 0;
+       }
+
+       read_lock(&policy_rwlock);
+
+       nlbl_ctx = sidtab_search(&sidtab, nlbl_sid);
+       if (!nlbl_ctx) {
+               printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                      __func__, nlbl_sid);
+               rc = -EINVAL;
+               goto out_slowpath;
+       }
+       xfrm_ctx = sidtab_search(&sidtab, xfrm_sid);
+       if (!xfrm_ctx) {
+               printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                      __func__, xfrm_sid);
+               rc = -EINVAL;
+               goto out_slowpath;
+       }
+       rc = (mls_context_cmp(nlbl_ctx, xfrm_ctx) ? 0 : -EACCES);
+
+out_slowpath:
+       read_unlock(&policy_rwlock);
+       if (rc == 0)
+               /* at present NetLabel SIDs/labels really only carry MLS
+                * information so if the MLS portion of the NetLabel SID
+                * matches the MLS portion of the labeled XFRM SID/label
+                * then pass along the XFRM SID as it is the most
+                * expressive */
+               *peer_sid = xfrm_sid;
+       else
+               *peer_sid = SECSID_NULL;
+       return rc;
+}
+
+static int get_classes_callback(void *k, void *d, void *args)
+{
+       struct class_datum *datum = d;
+       char *name = k, **classes = args;
+       int value = datum->value - 1;
+
+       classes[value] = kstrdup(name, GFP_ATOMIC);
+       if (!classes[value])
+               return -ENOMEM;
+
+       return 0;
+}
+
+int security_get_classes(char ***classes, int *nclasses)
+{
+       int rc = -ENOMEM;
+
+       read_lock(&policy_rwlock);
+
+       *nclasses = policydb.p_classes.nprim;
+       *classes = kcalloc(*nclasses, sizeof(**classes), GFP_ATOMIC);
+       if (!*classes)
+               goto out;
+
+       rc = hashtab_map(policydb.p_classes.table, get_classes_callback,
+                       *classes);
+       if (rc < 0) {
+               int i;
+               for (i = 0; i < *nclasses; i++)
+                       kfree((*classes)[i]);
+               kfree(*classes);
+       }
+
+out:
+       read_unlock(&policy_rwlock);
+       return rc;
+}
+
+static int get_permissions_callback(void *k, void *d, void *args)
+{
+       struct perm_datum *datum = d;
+       char *name = k, **perms = args;
+       int value = datum->value - 1;
+
+       perms[value] = kstrdup(name, GFP_ATOMIC);
+       if (!perms[value])
+               return -ENOMEM;
+
+       return 0;
+}
+
+int security_get_permissions(char *class, char ***perms, int *nperms)
+{
+       int rc = -ENOMEM, i;
+       struct class_datum *match;
+
+       read_lock(&policy_rwlock);
+
+       match = hashtab_search(policydb.p_classes.table, class);
+       if (!match) {
+               printk(KERN_ERR "SELinux: %s:  unrecognized class %s\n",
+                       __func__, class);
+               rc = -EINVAL;
+               goto out;
+       }
+
+       *nperms = match->permissions.nprim;
+       *perms = kcalloc(*nperms, sizeof(**perms), GFP_ATOMIC);
+       if (!*perms)
+               goto out;
+
+       if (match->comdatum) {
+               rc = hashtab_map(match->comdatum->permissions.table,
+                               get_permissions_callback, *perms);
+               if (rc < 0)
+                       goto err;
+       }
+
+       rc = hashtab_map(match->permissions.table, get_permissions_callback,
+                       *perms);
+       if (rc < 0)
+               goto err;
+
+out:
+       read_unlock(&policy_rwlock);
+       return rc;
+
+err:
+       read_unlock(&policy_rwlock);
+       for (i = 0; i < *nperms; i++)
+               kfree((*perms)[i]);
+       kfree(*perms);
+       return rc;
+}
+
+int security_get_reject_unknown(void)
+{
+       return policydb.reject_unknown;
+}
+
+int security_get_allow_unknown(void)
+{
+       return policydb.allow_unknown;
+}
+
+/**
+ * security_policycap_supported - Check for a specific policy capability
+ * @req_cap: capability
+ *
+ * Description:
+ * This function queries the currently loaded policy to see if it supports the
+ * capability specified by @req_cap.  Returns true (1) if the capability is
+ * supported, false (0) if it isn't supported.
+ *
+ */
+int security_policycap_supported(unsigned int req_cap)
+{
+       int rc;
+
+       read_lock(&policy_rwlock);
+       rc = ebitmap_get_bit(&policydb.policycaps, req_cap);
+       read_unlock(&policy_rwlock);
+
+       return rc;
+}
+
 struct selinux_audit_rule {
        u32 au_seqno;
        struct context au_ctxt;
 };
 
-void selinux_audit_rule_free(struct selinux_audit_rule *rule)
+void selinux_audit_rule_free(void *vrule)
 {
+       struct selinux_audit_rule *rule = vrule;
+
        if (rule) {
                context_destroy(&rule->au_ctxt);
                kfree(rule);
        }
 }
 
-int selinux_audit_rule_init(u32 field, u32 op, char *rulestr,
-                            struct selinux_audit_rule **rule)
+int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
 {
        struct selinux_audit_rule *tmprule;
        struct role_datum *roledatum;
        struct type_datum *typedatum;
        struct user_datum *userdatum;
+       struct selinux_audit_rule **rule = (struct selinux_audit_rule **)vrule;
        int rc = 0;
 
        *rule = NULL;
 
        if (!ss_initialized)
-               return -ENOTSUPP;
+               return -EOPNOTSUPP;
 
        switch (field) {
        case AUDIT_SUBJ_USER:
@@ -1978,7 +2767,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr,
        case AUDIT_OBJ_ROLE:
        case AUDIT_OBJ_TYPE:
                /* only 'equals' and 'not equals' fit user, role, and type */
-               if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL)
+               if (op != Audit_equal && op != Audit_not_equal)
                        return -EINVAL;
                break;
        case AUDIT_SUBJ_SEN:
@@ -2000,7 +2789,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr,
 
        context_init(&tmprule->au_ctxt);
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
 
        tmprule->au_seqno = latest_granting;
 
@@ -2037,7 +2826,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr,
                break;
        }
 
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
 
        if (rc) {
                selinux_audit_rule_free(tmprule);
@@ -2049,25 +2838,50 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr,
        return rc;
 }
 
-int selinux_audit_rule_match(u32 sid, u32 field, u32 op,
-                             struct selinux_audit_rule *rule,
-                             struct audit_context *actx)
+/* Check to see if the rule contains any selinux fields */
+int selinux_audit_rule_known(struct audit_krule *rule)
+{
+       int i;
+
+       for (i = 0; i < rule->field_count; i++) {
+               struct audit_field *f = &rule->fields[i];
+               switch (f->type) {
+               case AUDIT_SUBJ_USER:
+               case AUDIT_SUBJ_ROLE:
+               case AUDIT_SUBJ_TYPE:
+               case AUDIT_SUBJ_SEN:
+               case AUDIT_SUBJ_CLR:
+               case AUDIT_OBJ_USER:
+               case AUDIT_OBJ_ROLE:
+               case AUDIT_OBJ_TYPE:
+               case AUDIT_OBJ_LEV_LOW:
+               case AUDIT_OBJ_LEV_HIGH:
+                       return 1;
+               }
+       }
+
+       return 0;
+}
+
+int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
+                            struct audit_context *actx)
 {
        struct context *ctxt;
        struct mls_level *level;
+       struct selinux_audit_rule *rule = vrule;
        int match = 0;
 
        if (!rule) {
                audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
-                         "selinux_audit_rule_match: missing rule\n");
+                         "selinux_audit_rule_match: missing rule\n");
                return -ENOENT;
        }
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
 
        if (rule->au_seqno < latest_granting) {
                audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
-                         "selinux_audit_rule_match: stale rule\n");
+                         "selinux_audit_rule_match: stale rule\n");
                match = -ESTALE;
                goto out;
        }
@@ -2075,8 +2889,8 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op,
        ctxt = sidtab_search(&sidtab, sid);
        if (!ctxt) {
                audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
-                         "selinux_audit_rule_match: unrecognized SID %d\n",
-                         sid);
+                         "selinux_audit_rule_match: unrecognized SID %d\n",
+                         sid);
                match = -ENOENT;
                goto out;
        }
@@ -2087,10 +2901,10 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op,
        case AUDIT_SUBJ_USER:
        case AUDIT_OBJ_USER:
                switch (op) {
-               case AUDIT_EQUAL:
+               case Audit_equal:
                        match = (ctxt->user == rule->au_ctxt.user);
                        break;
-               case AUDIT_NOT_EQUAL:
+               case Audit_not_equal:
                        match = (ctxt->user != rule->au_ctxt.user);
                        break;
                }
@@ -2098,10 +2912,10 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op,
        case AUDIT_SUBJ_ROLE:
        case AUDIT_OBJ_ROLE:
                switch (op) {
-               case AUDIT_EQUAL:
+               case Audit_equal:
                        match = (ctxt->role == rule->au_ctxt.role);
                        break;
-               case AUDIT_NOT_EQUAL:
+               case Audit_not_equal:
                        match = (ctxt->role != rule->au_ctxt.role);
                        break;
                }
@@ -2109,10 +2923,10 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op,
        case AUDIT_SUBJ_TYPE:
        case AUDIT_OBJ_TYPE:
                switch (op) {
-               case AUDIT_EQUAL:
+               case Audit_equal:
                        match = (ctxt->type == rule->au_ctxt.type);
                        break;
-               case AUDIT_NOT_EQUAL:
+               case Audit_not_equal:
                        match = (ctxt->type != rule->au_ctxt.type);
                        break;
                }
@@ -2122,49 +2936,49 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op,
        case AUDIT_OBJ_LEV_LOW:
        case AUDIT_OBJ_LEV_HIGH:
                level = ((field == AUDIT_SUBJ_SEN ||
-                         field == AUDIT_OBJ_LEV_LOW) ?
-                        &ctxt->range.level[0] : &ctxt->range.level[1]);
+                         field == AUDIT_OBJ_LEV_LOW) ?
+                        &ctxt->range.level[0] : &ctxt->range.level[1]);
                switch (op) {
-               case AUDIT_EQUAL:
+               case Audit_equal:
                        match = mls_level_eq(&rule->au_ctxt.range.level[0],
-                                            level);
+                                            level);
                        break;
-               case AUDIT_NOT_EQUAL:
+               case Audit_not_equal:
                        match = !mls_level_eq(&rule->au_ctxt.range.level[0],
-                                             level);
+                                             level);
                        break;
-               case AUDIT_LESS_THAN:
+               case Audit_lt:
                        match = (mls_level_dom(&rule->au_ctxt.range.level[0],
-                                              level) &&
-                                !mls_level_eq(&rule->au_ctxt.range.level[0],
-                                              level));
+                                              level) &&
+                                !mls_level_eq(&rule->au_ctxt.range.level[0],
+                                              level));
                        break;
-               case AUDIT_LESS_THAN_OR_EQUAL:
+               case Audit_le:
                        match = mls_level_dom(&rule->au_ctxt.range.level[0],
-                                             level);
+                                             level);
                        break;
-               case AUDIT_GREATER_THAN:
+               case Audit_gt:
                        match = (mls_level_dom(level,
-                                             &rule->au_ctxt.range.level[0]) &&
-                                !mls_level_eq(level,
-                                              &rule->au_ctxt.range.level[0]));
+                                             &rule->au_ctxt.range.level[0]) &&
+                                !mls_level_eq(level,
+                                              &rule->au_ctxt.range.level[0]));
                        break;
-               case AUDIT_GREATER_THAN_OR_EQUAL:
+               case Audit_ge:
                        match = mls_level_dom(level,
-                                             &rule->au_ctxt.range.level[0]);
+                                             &rule->au_ctxt.range.level[0]);
                        break;
                }
        }
 
 out:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
        return match;
 }
 
-static int (*aurule_callback)(void) = NULL;
+static int (*aurule_callback)(void) = audit_update_lsm_rules;
 
 static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid,
-                               u16 class, u32 perms, u32 *retained)
+                              u16 class, u32 perms, u32 *retained)
 {
        int err = 0;
 
@@ -2178,7 +2992,7 @@ static int __init aurule_init(void)
        int err;
 
        err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET,
-                              SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
+                              SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
        if (err)
                panic("avc_add_callback() failed, error %d\n", err);
 
@@ -2186,192 +3000,90 @@ static int __init aurule_init(void)
 }
 __initcall(aurule_init);
 
-void selinux_audit_set_callback(int (*callback)(void))
-{
-       aurule_callback = callback;
-}
-
 #ifdef CONFIG_NETLABEL
-/*
- * This is the structure we store inside the NetLabel cache block.
- */
-#define NETLBL_CACHE(x)           ((struct netlbl_cache *)(x))
-#define NETLBL_CACHE_T_NONE       0
-#define NETLBL_CACHE_T_SID        1
-#define NETLBL_CACHE_T_MLS        2
-struct netlbl_cache {
-       u32 type;
-       union {
-               u32 sid;
-               struct mls_range mls_label;
-       } data;
-};
-
 /**
- * selinux_netlbl_cache_free - Free the NetLabel cached data
- * @data: the data to free
+ * security_netlbl_cache_add - Add an entry to the NetLabel cache
+ * @secattr: the NetLabel packet security attributes
+ * @sid: the SELinux SID
  *
  * Description:
- * This function is intended to be used as the free() callback inside the
- * netlbl_lsm_cache structure.
+ * Attempt to cache the context in @ctx, which was derived from the packet in
+ * @skb, in the NetLabel subsystem cache.  This function assumes @secattr has
+ * already been initialized.
  *
  */
-static void selinux_netlbl_cache_free(const void *data)
+static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr,
+                                     u32 sid)
 {
-       struct netlbl_cache *cache;
+       u32 *sid_cache;
 
-       if (data == NULL)
+       sid_cache = kmalloc(sizeof(*sid_cache), GFP_ATOMIC);
+       if (sid_cache == NULL)
+               return;
+       secattr->cache = netlbl_secattr_cache_alloc(GFP_ATOMIC);
+       if (secattr->cache == NULL) {
+               kfree(sid_cache);
                return;
-
-       cache = NETLBL_CACHE(data);
-       switch (cache->type) {
-       case NETLBL_CACHE_T_MLS:
-               ebitmap_destroy(&cache->data.mls_label.level[0].cat);
-               break;
        }
-       kfree(data);
-}
 
-/**
- * selinux_netlbl_cache_add - Add an entry to the NetLabel cache
- * @skb: the packet
- * @ctx: the SELinux context
- *
- * Description:
- * Attempt to cache the context in @ctx, which was derived from the packet in
- * @skb, in the NetLabel subsystem cache.
- *
- */
-static void selinux_netlbl_cache_add(struct sk_buff *skb, struct context *ctx)
-{
-       struct netlbl_cache *cache = NULL;
-       struct netlbl_lsm_secattr secattr;
-
-       netlbl_secattr_init(&secattr);
-       secattr.cache = netlbl_secattr_cache_alloc(GFP_ATOMIC);
-       if (secattr.cache == NULL)
-               goto netlbl_cache_add_return;
-
-       cache = kzalloc(sizeof(*cache), GFP_ATOMIC);
-       if (cache == NULL)
-               goto netlbl_cache_add_return;
-
-       cache->type = NETLBL_CACHE_T_MLS;
-       if (ebitmap_cpy(&cache->data.mls_label.level[0].cat,
-                       &ctx->range.level[0].cat) != 0)
-               goto netlbl_cache_add_return;
-       cache->data.mls_label.level[1].cat.highbit =
-               cache->data.mls_label.level[0].cat.highbit;
-       cache->data.mls_label.level[1].cat.node =
-               cache->data.mls_label.level[0].cat.node;
-       cache->data.mls_label.level[0].sens = ctx->range.level[0].sens;
-       cache->data.mls_label.level[1].sens = ctx->range.level[0].sens;
-
-       secattr.cache->free = selinux_netlbl_cache_free;
-       secattr.cache->data = (void *)cache;
-       secattr.flags = NETLBL_SECATTR_CACHE;
-
-       netlbl_cache_add(skb, &secattr);
-
-netlbl_cache_add_return:
-       netlbl_secattr_destroy(&secattr);
-}
-
-/**
- * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache
- *
- * Description:
- * Invalidate the NetLabel security attribute mapping cache.
- *
- */
-void selinux_netlbl_cache_invalidate(void)
-{
-       netlbl_cache_invalidate();
+       *sid_cache = sid;
+       secattr->cache->free = kfree;
+       secattr->cache->data = sid_cache;
+       secattr->flags |= NETLBL_SECATTR_CACHE;
 }
 
 /**
- * selinux_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID
- * @skb: the network packet
+ * security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID
  * @secattr: the NetLabel packet security attributes
- * @base_sid: the SELinux SID to use as a context for MLS only attributes
  * @sid: the SELinux SID
  *
  * Description:
- * Convert the given NetLabel packet security attributes in @secattr into a
+ * Convert the given NetLabel security attributes in @secattr into a
  * SELinux SID.  If the @secattr field does not contain a full SELinux
- * SID/context then use the context in @base_sid as the foundation.  If @skb
- * is not NULL attempt to cache as much data as possibile.  Returns zero on
- * success, negative values on failure.
+ * SID/context then use SECINITSID_NETMSG as the foundation.  If possibile the
+ * 'cache' field of @secattr is set and the CACHE flag is set; this is to
+ * allow the @secattr to be used by NetLabel to cache the secattr to SID
+ * conversion for future lookups.  Returns zero on success, negative values on
+ * failure.
  *
  */
-static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb,
-                                        struct netlbl_lsm_secattr *secattr,
-                                        u32 base_sid,
-                                        u32 *sid)
+int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
+                                  u32 *sid)
 {
        int rc = -EIDRM;
        struct context *ctx;
        struct context ctx_new;
-       struct netlbl_cache *cache;
 
-       POLICY_RDLOCK;
+       if (!ss_initialized) {
+               *sid = SECSID_NULL;
+               return 0;
+       }
 
-       if (secattr->flags & NETLBL_SECATTR_CACHE) {
-               cache = NETLBL_CACHE(secattr->cache->data);
-               switch (cache->type) {
-               case NETLBL_CACHE_T_SID:
-                       *sid = cache->data.sid;
-                       rc = 0;
-                       break;
-               case NETLBL_CACHE_T_MLS:
-                       ctx = sidtab_search(&sidtab, base_sid);
-                       if (ctx == NULL)
-                               goto netlbl_secattr_to_sid_return;
+       read_lock(&policy_rwlock);
 
-                       ctx_new.user = ctx->user;
-                       ctx_new.role = ctx->role;
-                       ctx_new.type = ctx->type;
-                       ctx_new.range.level[0].sens =
-                               cache->data.mls_label.level[0].sens;
-                       ctx_new.range.level[0].cat.highbit =
-                               cache->data.mls_label.level[0].cat.highbit;
-                       ctx_new.range.level[0].cat.node =
-                               cache->data.mls_label.level[0].cat.node;
-                       ctx_new.range.level[1].sens =
-                               cache->data.mls_label.level[1].sens;
-                       ctx_new.range.level[1].cat.highbit =
-                               cache->data.mls_label.level[1].cat.highbit;
-                       ctx_new.range.level[1].cat.node =
-                               cache->data.mls_label.level[1].cat.node;
-
-                       rc = sidtab_context_to_sid(&sidtab, &ctx_new, sid);
-                       break;
-               default:
-                       goto netlbl_secattr_to_sid_return;
-               }
+       if (secattr->flags & NETLBL_SECATTR_CACHE) {
+               *sid = *(u32 *)secattr->cache->data;
+               rc = 0;
+       } else if (secattr->flags & NETLBL_SECATTR_SECID) {
+               *sid = secattr->attr.secid;
+               rc = 0;
        } else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) {
-               ctx = sidtab_search(&sidtab, base_sid);
+               ctx = sidtab_search(&sidtab, SECINITSID_NETMSG);
                if (ctx == NULL)
                        goto netlbl_secattr_to_sid_return;
 
+               context_init(&ctx_new);
                ctx_new.user = ctx->user;
                ctx_new.role = ctx->role;
                ctx_new.type = ctx->type;
-               mls_import_lvl(&ctx_new, secattr->mls_lvl, secattr->mls_lvl);
+               mls_import_netlbl_lvl(&ctx_new, secattr);
                if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
-                       if (mls_import_cat(&ctx_new,
-                                          secattr->mls_cat,
-                                          secattr->mls_cat_len,
-                                          NULL,
-                                          0) != 0)
+                       if (ebitmap_netlbl_import(&ctx_new.range.level[0].cat,
+                                                 secattr->attr.mls.cat) != 0)
                                goto netlbl_secattr_to_sid_return;
-                       ctx_new.range.level[1].cat.highbit =
-                               ctx_new.range.level[0].cat.highbit;
-                       ctx_new.range.level[1].cat.node =
-                               ctx_new.range.level[0].cat.node;
-               } else {
-                       ebitmap_init(&ctx_new.range.level[0].cat);
-                       ebitmap_init(&ctx_new.range.level[1].cat);
+                       memcpy(&ctx_new.range.level[1].cat,
+                              &ctx_new.range.level[0].cat,
+                              sizeof(ctx_new.range.level[0].cat));
                }
                if (mls_context_isvalid(&policydb, &ctx_new) != 1)
                        goto netlbl_secattr_to_sid_return_cleanup;
@@ -2380,8 +3092,8 @@ static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb,
                if (rc != 0)
                        goto netlbl_secattr_to_sid_return_cleanup;
 
-               if (skb != NULL)
-                       selinux_netlbl_cache_add(skb, &ctx_new);
+               security_netlbl_cache_add(secattr, *sid);
+
                ebitmap_destroy(&ctx_new.range.level[0].cat);
        } else {
                *sid = SECSID_NULL;
@@ -2389,7 +3101,7 @@ static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb,
        }
 
 netlbl_secattr_to_sid_return:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
        return rc;
 netlbl_secattr_to_sid_return_cleanup:
        ebitmap_destroy(&ctx_new.range.level[0].cat);
@@ -2397,404 +3109,82 @@ netlbl_secattr_to_sid_return_cleanup:
 }
 
 /**
- * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel
- * @skb: the packet
- * @base_sid: the SELinux SID to use as a context for MLS only attributes
- * @sid: the SID
+ * security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr
+ * @sid: the SELinux SID
+ * @secattr: the NetLabel packet security attributes
  *
  * Description:
- * Call the NetLabel mechanism to get the security attributes of the given
- * packet and use those attributes to determine the correct context/SID to
- * assign to the packet.  Returns zero on success, negative values on failure.
+ * Convert the given SELinux SID in @sid into a NetLabel security attribute.
+ * Returns zero on success, negative values on failure.
  *
  */
-static int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
-                                       u32 base_sid,
-                                       u32 *sid)
+int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr)
 {
        int rc;
-       struct netlbl_lsm_secattr secattr;
-
-       netlbl_secattr_init(&secattr);
-       rc = netlbl_skbuff_getattr(skb, &secattr);
-       if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
-               rc = selinux_netlbl_secattr_to_sid(skb,
-                                                  &secattr,
-                                                  base_sid,
-                                                  sid);
-       else
-               *sid = SECSID_NULL;
-       netlbl_secattr_destroy(&secattr);
-
-       return rc;
-}
-
-/**
- * selinux_netlbl_socket_setsid - Label a socket using the NetLabel mechanism
- * @sock: the socket to label
- * @sid: the SID to use
- *
- * Description:
- * Attempt to label a socket using the NetLabel mechanism using the given
- * SID.  Returns zero values on success, negative values on failure.  The
- * caller is responsibile for calling rcu_read_lock() before calling this
- * this function and rcu_read_unlock() after this function returns.
- *
- */
-static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid)
-{
-       int rc = -ENOENT;
-       struct sk_security_struct *sksec = sock->sk->sk_security;
-       struct netlbl_lsm_secattr secattr;
        struct context *ctx;
 
        if (!ss_initialized)
                return 0;
 
-       netlbl_secattr_init(&secattr);
-
-       POLICY_RDLOCK;
-
+       read_lock(&policy_rwlock);
        ctx = sidtab_search(&sidtab, sid);
-       if (ctx == NULL)
-               goto netlbl_socket_setsid_return;
-
-       secattr.domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1],
-                                GFP_ATOMIC);
-       mls_export_lvl(ctx, &secattr.mls_lvl, NULL);
-       rc = mls_export_cat(ctx,
-                           &secattr.mls_cat,
-                           &secattr.mls_cat_len,
-                           NULL,
-                           NULL);
-       if (rc != 0)
-               goto netlbl_socket_setsid_return;
-
-       secattr.flags |= NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL;
-       if (secattr.mls_cat)
-               secattr.flags |= NETLBL_SECATTR_MLS_CAT;
-
-       rc = netlbl_socket_setattr(sock, &secattr);
-       if (rc == 0) {
-               spin_lock(&sksec->nlbl_lock);
-               sksec->nlbl_state = NLBL_LABELED;
-               spin_unlock(&sksec->nlbl_lock);
+       if (ctx == NULL) {
+               rc = -ENOENT;
+               goto netlbl_sid_to_secattr_failure;
        }
-
-netlbl_socket_setsid_return:
-       POLICY_RDUNLOCK;
-       netlbl_secattr_destroy(&secattr);
-       return rc;
-}
-
-/**
- * selinux_netlbl_sk_security_reset - Reset the NetLabel fields
- * @ssec: the sk_security_struct
- * @family: the socket family
- *
- * Description:
- * Called when the NetLabel state of a sk_security_struct needs to be reset.
- * The caller is responsibile for all the NetLabel sk_security_struct locking.
- *
- */
-void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
-                                     int family)
-{
-        if (family == PF_INET)
-               ssec->nlbl_state = NLBL_REQUIRE;
-       else
-               ssec->nlbl_state = NLBL_UNSET;
-}
-
-/**
- * selinux_netlbl_sk_security_init - Setup the NetLabel fields
- * @ssec: the sk_security_struct
- * @family: the socket family
- *
- * Description:
- * Called when a new sk_security_struct is allocated to initialize the NetLabel
- * fields.
- *
- */
-void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
-                                    int family)
-{
-       /* No locking needed, we are the only one who has access to ssec */
-       selinux_netlbl_sk_security_reset(ssec, family);
-       spin_lock_init(&ssec->nlbl_lock);
-}
-
-/**
- * selinux_netlbl_sk_security_clone - Copy the NetLabel fields
- * @ssec: the original sk_security_struct
- * @newssec: the cloned sk_security_struct
- *
- * Description:
- * Clone the NetLabel specific sk_security_struct fields from @ssec to
- * @newssec.
- *
- */
-void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec,
-                                     struct sk_security_struct *newssec)
-{
-       /* We don't need to take newssec->nlbl_lock because we are the only
-        * thread with access to newssec, but we do need to take the RCU read
-        * lock as other threads could have access to ssec */
-       rcu_read_lock();
-       selinux_netlbl_sk_security_reset(newssec, ssec->sk->sk_family);
-       newssec->sclass = ssec->sclass;
-       rcu_read_unlock();
-}
-
-/**
- * selinux_netlbl_socket_post_create - Label a socket using NetLabel
- * @sock: the socket to label
- *
- * Description:
- * Attempt to label a socket using the NetLabel mechanism using the given
- * SID.  Returns zero values on success, negative values on failure.
- *
- */
-int selinux_netlbl_socket_post_create(struct socket *sock)
-{
-       int rc = 0;
-       struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
-       struct sk_security_struct *sksec = sock->sk->sk_security;
-
-       sksec->sclass = isec->sclass;
-
-       rcu_read_lock();
-       if (sksec->nlbl_state == NLBL_REQUIRE)
-               rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
-       rcu_read_unlock();
-
-       return rc;
-}
-
-/**
- * selinux_netlbl_sock_graft - Netlabel the new socket
- * @sk: the new connection
- * @sock: the new socket
- *
- * Description:
- * The connection represented by @sk is being grafted onto @sock so set the
- * socket's NetLabel to match the SID of @sk.
- *
- */
-void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock)
-{
-       struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
-       struct sk_security_struct *sksec = sk->sk_security;
-       struct netlbl_lsm_secattr secattr;
-       u32 nlbl_peer_sid;
-
-       sksec->sclass = isec->sclass;
-
-       rcu_read_lock();
-
-       if (sksec->nlbl_state != NLBL_REQUIRE) {
-               rcu_read_unlock();
-               return;
+       secattr->domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1],
+                                 GFP_ATOMIC);
+       if (secattr->domain == NULL) {
+               rc = -ENOMEM;
+               goto netlbl_sid_to_secattr_failure;
        }
-
-       netlbl_secattr_init(&secattr);
-       if (netlbl_sock_getattr(sk, &secattr) == 0 &&
-           secattr.flags != NETLBL_SECATTR_NONE &&
-           selinux_netlbl_secattr_to_sid(NULL,
-                                         &secattr,
-                                         SECINITSID_UNLABELED,
-                                         &nlbl_peer_sid) == 0)
-               sksec->peer_sid = nlbl_peer_sid;
-       netlbl_secattr_destroy(&secattr);
-
-       /* Try to set the NetLabel on the socket to save time later, if we fail
-        * here we will pick up the pieces in later calls to
-        * selinux_netlbl_inode_permission(). */
-       selinux_netlbl_socket_setsid(sock, sksec->sid);
-
-       rcu_read_unlock();
-}
-
-/**
- * selinux_netlbl_inet_conn_request - Handle a new connection request
- * @skb: the packet
- * @sock_sid: the SID of the parent socket
- *
- * Description:
- * If present, use the security attributes of the packet in @skb and the
- * parent sock's SID to arrive at a SID for the new child sock.  Returns the
- * SID of the connection or SECSID_NULL on failure.
- *
- */
-u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb, u32 sock_sid)
-{
-       int rc;
-       u32 peer_sid;
-
-       rc = selinux_netlbl_skbuff_getsid(skb, sock_sid, &peer_sid);
+       secattr->attr.secid = sid;
+       secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY | NETLBL_SECATTR_SECID;
+       mls_export_netlbl_lvl(ctx, secattr);
+       rc = mls_export_netlbl_cat(ctx, secattr);
        if (rc != 0)
-               return SECSID_NULL;
-
-       return peer_sid;
-}
-
-/**
- * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled
- * @inode: the file descriptor's inode
- * @mask: the permission mask
- *
- * Description:
- * Looks at a file's inode and if it is marked as a socket protected by
- * NetLabel then verify that the socket has been labeled, if not try to label
- * the socket now with the inode's SID.  Returns zero on success, negative
- * values on failure.
- *
- */
-int selinux_netlbl_inode_permission(struct inode *inode, int mask)
-{
-       int rc;
-       struct sk_security_struct *sksec;
-       struct socket *sock;
+               goto netlbl_sid_to_secattr_failure;
+       read_unlock(&policy_rwlock);
 
-       if (!S_ISSOCK(inode->i_mode) ||
-           ((mask & (MAY_WRITE | MAY_APPEND)) == 0))
-               return 0;
-       sock = SOCKET_I(inode);
-       sksec = sock->sk->sk_security;
-
-       rcu_read_lock();
-       if (sksec->nlbl_state != NLBL_REQUIRE) {
-               rcu_read_unlock();
-               return 0;
-       }
-       lock_sock(sock->sk);
-       rc = selinux_netlbl_socket_setsid(sock, sksec->sid);
-       release_sock(sock->sk);
-       rcu_read_unlock();
+       return 0;
 
+netlbl_sid_to_secattr_failure:
+       read_unlock(&policy_rwlock);
        return rc;
 }
+#endif /* CONFIG_NETLABEL */
 
 /**
- * selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel
- * @sksec: the sock's sk_security_struct
- * @skb: the packet
- * @ad: the audit data
- *
- * Description:
- * Fetch the NetLabel security attributes from @skb and perform an access check
- * against the receiving socket.  Returns zero on success, negative values on
- * error.
+ * security_read_policy - read the policy.
+ * @data: binary policy data
+ * @len: length of data in bytes
  *
  */
-int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
-                               struct sk_buff *skb,
-                               struct avc_audit_data *ad)
+int security_read_policy(void **data, ssize_t *len)
 {
        int rc;
-       u32 netlbl_sid;
-       u32 recv_perm;
-
-       rc = selinux_netlbl_skbuff_getsid(skb,
-                                         SECINITSID_UNLABELED,
-                                         &netlbl_sid);
-       if (rc != 0)
-               return rc;
+       struct policy_file fp;
 
-       if (netlbl_sid == SECSID_NULL)
-               return 0;
-
-       switch (sksec->sclass) {
-       case SECCLASS_UDP_SOCKET:
-               recv_perm = UDP_SOCKET__RECVFROM;
-               break;
-       case SECCLASS_TCP_SOCKET:
-               recv_perm = TCP_SOCKET__RECVFROM;
-               break;
-       default:
-               recv_perm = RAWIP_SOCKET__RECVFROM;
-       }
-
-       rc = avc_has_perm(sksec->sid,
-                         netlbl_sid,
-                         sksec->sclass,
-                         recv_perm,
-                         ad);
-       if (rc == 0)
-               return 0;
+       if (!ss_initialized)
+               return -EINVAL;
 
-       netlbl_skbuff_err(skb, rc);
-       return rc;
-}
+       *len = security_policydb_len();
 
-/**
- * selinux_netlbl_socket_getpeersec_stream - Return the connected peer's SID
- * @sock: the socket
- *
- * Description:
- * Examine @sock to find the connected peer's SID.  Returns the SID on success
- * or SECSID_NULL on error.
- *
- */
-u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)
-{
-       struct sk_security_struct *sksec = sock->sk->sk_security;
-       return sksec->peer_sid;
-}
-
-/**
- * selinux_netlbl_socket_getpeersec_dgram - Return the SID of a NetLabel packet
- * @skb: the packet
- *
- * Description:
- * Examine @skb to find the SID assigned to it by NetLabel.  Returns the SID on
- * success, SECSID_NULL on error.
- *
- */
-u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb)
-{
-       int peer_sid;
+       *data = vmalloc_user(*len);
+       if (!*data)
+               return -ENOMEM;
 
-       if (selinux_netlbl_skbuff_getsid(skb,
-                                        SECINITSID_UNLABELED,
-                                        &peer_sid) != 0)
-               return SECSID_NULL;
+       fp.data = *data;
+       fp.len = *len;
 
-       return peer_sid;
-}
+       read_lock(&policy_rwlock);
+       rc = policydb_write(&policydb, &fp);
+       read_unlock(&policy_rwlock);
 
-/**
- * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel
- * @sock: the socket
- * @level: the socket level or protocol
- * @optname: the socket option name
- *
- * Description:
- * Check the setsockopt() call and if the user is trying to replace the IP
- * options on a socket and a NetLabel is in place for the socket deny the
- * access; otherwise allow the access.  Returns zero when the access is
- * allowed, -EACCES when denied, and other negative values on error.
- *
- */
-int selinux_netlbl_socket_setsockopt(struct socket *sock,
-                                    int level,
-                                    int optname)
-{
-       int rc = 0;
-       struct sk_security_struct *sksec = sock->sk->sk_security;
-       struct netlbl_lsm_secattr secattr;
+       if (rc)
+               return rc;
 
-       rcu_read_lock();
-       if (level == IPPROTO_IP && optname == IP_OPTIONS &&
-           sksec->nlbl_state == NLBL_LABELED) {
-               netlbl_secattr_init(&secattr);
-               rc = netlbl_socket_getattr(sock, &secattr);
-               if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE)
-                       rc = -EACCES;
-               netlbl_secattr_destroy(&secattr);
-       }
-       rcu_read_unlock();
+       *len = (unsigned long)fp.data - (unsigned long)*data;
+       return 0;
 
-       return rc;
 }
-#endif /* CONFIG_NETLABEL */