Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael...
[linux-2.6.git] / security / selinux / ss / services.c
index fced6bc..223c1ff 100644 (file)
@@ -2,7 +2,7 @@
  * Implementation of the security services.
  *
  * Authors : Stephen Smalley, <sds@epoch.ncsc.mil>
- *           James Morris <jmorris@redhat.com>
+ *          James Morris <jmorris@redhat.com>
  *
  * Updated: Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
  *
@@ -11,7 +11,7 @@
  *
  * Updated: Frank Mayer <mayerf@tresys.com> and Karl MacMillan <kmacmillan@tresys.com>
  *
- *     Added conditional policy language extensions
+ *     Added conditional policy language extensions
  *
  * Updated: Hewlett-Packard <paul.moore@hp.com>
  *
  *
  *  Added validation of kernel classes and permissions
  *
+ * Updated: KaiGai Kohei <kaigai@ak.jp.nec.com>
+ *
+ *  Added support for bounds domain and audit messaged on masked permissions
+ *
+ * Updated: Guido Trentalancia <guido@trentalancia.com>
+ *
+ *  Added support for runtime switching of the policy type
+ *
+ * Copyright (C) 2008, 2009 NEC Corporation
  * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
  * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
  * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC
  * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
  *     This program is free software; you can redistribute it and/or modify
- *     it under the terms of the GNU General Public License as published by
+ *     it under the terms of the GNU General Public License as published by
  *     the Free Software Foundation, version 2.
  */
 #include <linux/kernel.h>
@@ -40,6 +49,9 @@
 #include <linux/sched.h>
 #include <linux/audit.h>
 #include <linux/mutex.h>
+#include <linux/selinux.h>
+#include <linux/flex_array.h>
+#include <linux/vmalloc.h>
 #include <net/netlabel.h>
 
 #include "flask.h"
 #include "netlabel.h"
 #include "xfrm.h"
 #include "ebitmap.h"
+#include "audit.h"
 
 extern void selnl_notify_policyload(u32 seqno);
-unsigned int policydb_loaded_version;
 
 int selinux_policycap_netpeer;
-
-/*
- * This is declared in avc.c
- */
-extern const struct selinux_class_perm selinux_class_perm;
+int selinux_policycap_openperm;
 
 static DEFINE_RWLOCK(policy_rwlock);
-#define POLICY_RDLOCK read_lock(&policy_rwlock)
-#define POLICY_WRLOCK write_lock_irq(&policy_rwlock)
-#define POLICY_RDUNLOCK read_unlock(&policy_rwlock)
-#define POLICY_WRUNLOCK write_unlock_irq(&policy_rwlock)
-
-static DEFINE_MUTEX(load_mutex);
-#define LOAD_LOCK mutex_lock(&load_mutex)
-#define LOAD_UNLOCK mutex_unlock(&load_mutex)
 
 static struct sidtab sidtab;
 struct policydb policydb;
-int ss_initialized = 0;
+int ss_initialized;
 
 /*
  * The largest sequence number that has been used when
@@ -87,12 +87,162 @@ int ss_initialized = 0;
  * The sequence number only changes when a policy change
  * occurs.
  */
-static u32 latest_granting = 0;
+static u32 latest_granting;
 
 /* Forward declaration. */
 static int context_struct_to_string(struct context *context, char **scontext,
                                    u32 *scontext_len);
 
+static void context_struct_compute_av(struct context *scontext,
+                                     struct context *tcontext,
+                                     u16 tclass,
+                                     struct av_decision *avd);
+
+struct selinux_mapping {
+       u16 value; /* policy value */
+       unsigned num_perms;
+       u32 perms[sizeof(u32) * 8];
+};
+
+static struct selinux_mapping *current_mapping;
+static u16 current_mapping_size;
+
+static int selinux_set_mapping(struct policydb *pol,
+                              struct security_class_mapping *map,
+                              struct selinux_mapping **out_map_p,
+                              u16 *out_map_size)
+{
+       struct selinux_mapping *out_map = NULL;
+       size_t size = sizeof(struct selinux_mapping);
+       u16 i, j;
+       unsigned k;
+       bool print_unknown_handle = false;
+
+       /* Find number of classes in the input mapping */
+       if (!map)
+               return -EINVAL;
+       i = 0;
+       while (map[i].name)
+               i++;
+
+       /* Allocate space for the class records, plus one for class zero */
+       out_map = kcalloc(++i, size, GFP_ATOMIC);
+       if (!out_map)
+               return -ENOMEM;
+
+       /* Store the raw class and permission values */
+       j = 0;
+       while (map[j].name) {
+               struct security_class_mapping *p_in = map + (j++);
+               struct selinux_mapping *p_out = out_map + j;
+
+               /* An empty class string skips ahead */
+               if (!strcmp(p_in->name, "")) {
+                       p_out->num_perms = 0;
+                       continue;
+               }
+
+               p_out->value = string_to_security_class(pol, p_in->name);
+               if (!p_out->value) {
+                       printk(KERN_INFO
+                              "SELinux:  Class %s not defined in policy.\n",
+                              p_in->name);
+                       if (pol->reject_unknown)
+                               goto err;
+                       p_out->num_perms = 0;
+                       print_unknown_handle = true;
+                       continue;
+               }
+
+               k = 0;
+               while (p_in->perms && p_in->perms[k]) {
+                       /* An empty permission string skips ahead */
+                       if (!*p_in->perms[k]) {
+                               k++;
+                               continue;
+                       }
+                       p_out->perms[k] = string_to_av_perm(pol, p_out->value,
+                                                           p_in->perms[k]);
+                       if (!p_out->perms[k]) {
+                               printk(KERN_INFO
+                                      "SELinux:  Permission %s in class %s not defined in policy.\n",
+                                      p_in->perms[k], p_in->name);
+                               if (pol->reject_unknown)
+                                       goto err;
+                               print_unknown_handle = true;
+                       }
+
+                       k++;
+               }
+               p_out->num_perms = k;
+       }
+
+       if (print_unknown_handle)
+               printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
+                      pol->allow_unknown ? "allowed" : "denied");
+
+       *out_map_p = out_map;
+       *out_map_size = i;
+       return 0;
+err:
+       kfree(out_map);
+       return -EINVAL;
+}
+
+/*
+ * Get real, policy values from mapped values
+ */
+
+static u16 unmap_class(u16 tclass)
+{
+       if (tclass < current_mapping_size)
+               return current_mapping[tclass].value;
+
+       return tclass;
+}
+
+static void map_decision(u16 tclass, struct av_decision *avd,
+                        int allow_unknown)
+{
+       if (tclass < current_mapping_size) {
+               unsigned i, n = current_mapping[tclass].num_perms;
+               u32 result;
+
+               for (i = 0, result = 0; i < n; i++) {
+                       if (avd->allowed & current_mapping[tclass].perms[i])
+                               result |= 1<<i;
+                       if (allow_unknown && !current_mapping[tclass].perms[i])
+                               result |= 1<<i;
+               }
+               avd->allowed = result;
+
+               for (i = 0, result = 0; i < n; i++)
+                       if (avd->auditallow & current_mapping[tclass].perms[i])
+                               result |= 1<<i;
+               avd->auditallow = result;
+
+               for (i = 0, result = 0; i < n; i++) {
+                       if (avd->auditdeny & current_mapping[tclass].perms[i])
+                               result |= 1<<i;
+                       if (!allow_unknown && !current_mapping[tclass].perms[i])
+                               result |= 1<<i;
+               }
+               /*
+                * In case the kernel has a bug and requests a permission
+                * between num_perms and the maximum permission number, we
+                * should audit that denial
+                */
+               for (; i < (sizeof(u32)*8); i++)
+                       result |= 1<<i;
+               avd->auditdeny = result;
+       }
+}
+
+int security_mls_enabled(void)
+{
+       return policydb.mls_enabled;
+}
+
 /*
  * Return the boolean value of a constraint expression
  * when it is applied to the specified source and target
@@ -126,15 +276,15 @@ static int constraint_expr_eval(struct context *scontext,
                case CEXPR_AND:
                        BUG_ON(sp < 1);
                        sp--;
-                       s[sp] &= s[sp+1];
+                       s[sp] &= s[sp + 1];
                        break;
                case CEXPR_OR:
                        BUG_ON(sp < 1);
                        sp--;
-                       s[sp] |= s[sp+1];
+                       s[sp] |= s[sp + 1];
                        break;
                case CEXPR_ATTR:
-                       if (sp == (CEXPR_MAXDEPTH-1))
+                       if (sp == (CEXPR_MAXDEPTH - 1))
                                return 0;
                        switch (e->attr) {
                        case CEXPR_USER:
@@ -160,10 +310,10 @@ static int constraint_expr_eval(struct context *scontext,
                                                                  val1 - 1);
                                        continue;
                                case CEXPR_INCOMP:
-                                       s[++sp] = ( !ebitmap_get_bit(&r1->dominates,
-                                                                    val2 - 1) &&
-                                                   !ebitmap_get_bit(&r2->dominates,
-                                                                    val1 - 1) );
+                                       s[++sp] = (!ebitmap_get_bit(&r1->dominates,
+                                                                   val2 - 1) &&
+                                                  !ebitmap_get_bit(&r2->dominates,
+                                                                   val1 - 1));
                                        continue;
                                default:
                                        break;
@@ -279,15 +429,178 @@ mls_ops:
 }
 
 /*
- * Compute access vectors based on a context structure pair for
- * the permissions in a particular class.
+ * security_dump_masked_av - dumps masked permissions during
+ * security_compute_av due to RBAC, MLS/Constraint and Type bounds.
  */
-static int context_struct_compute_av(struct context *scontext,
+static int dump_masked_av_helper(void *k, void *d, void *args)
+{
+       struct perm_datum *pdatum = d;
+       char **permission_names = args;
+
+       BUG_ON(pdatum->value < 1 || pdatum->value > 32);
+
+       permission_names[pdatum->value - 1] = (char *)k;
+
+       return 0;
+}
+
+static void security_dump_masked_av(struct context *scontext,
+                                   struct context *tcontext,
+                                   u16 tclass,
+                                   u32 permissions,
+                                   const char *reason)
+{
+       struct common_datum *common_dat;
+       struct class_datum *tclass_dat;
+       struct audit_buffer *ab;
+       char *tclass_name;
+       char *scontext_name = NULL;
+       char *tcontext_name = NULL;
+       char *permission_names[32];
+       int index;
+       u32 length;
+       bool need_comma = false;
+
+       if (!permissions)
+               return;
+
+       tclass_name = policydb.p_class_val_to_name[tclass - 1];
+       tclass_dat = policydb.class_val_to_struct[tclass - 1];
+       common_dat = tclass_dat->comdatum;
+
+       /* init permission_names */
+       if (common_dat &&
+           hashtab_map(common_dat->permissions.table,
+                       dump_masked_av_helper, permission_names) < 0)
+               goto out;
+
+       if (hashtab_map(tclass_dat->permissions.table,
+                       dump_masked_av_helper, permission_names) < 0)
+               goto out;
+
+       /* get scontext/tcontext in text form */
+       if (context_struct_to_string(scontext,
+                                    &scontext_name, &length) < 0)
+               goto out;
+
+       if (context_struct_to_string(tcontext,
+                                    &tcontext_name, &length) < 0)
+               goto out;
+
+       /* audit a message */
+       ab = audit_log_start(current->audit_context,
+                            GFP_ATOMIC, AUDIT_SELINUX_ERR);
+       if (!ab)
+               goto out;
+
+       audit_log_format(ab, "op=security_compute_av reason=%s "
+                        "scontext=%s tcontext=%s tclass=%s perms=",
+                        reason, scontext_name, tcontext_name, tclass_name);
+
+       for (index = 0; index < 32; index++) {
+               u32 mask = (1 << index);
+
+               if ((mask & permissions) == 0)
+                       continue;
+
+               audit_log_format(ab, "%s%s",
+                                need_comma ? "," : "",
+                                permission_names[index]
+                                ? permission_names[index] : "????");
+               need_comma = true;
+       }
+       audit_log_end(ab);
+out:
+       /* release scontext/tcontext */
+       kfree(tcontext_name);
+       kfree(scontext_name);
+
+       return;
+}
+
+/*
+ * security_boundary_permission - drops violated permissions
+ * on boundary constraint.
+ */
+static void type_attribute_bounds_av(struct context *scontext,
                                     struct context *tcontext,
                                     u16 tclass,
-                                    u32 requested,
                                     struct av_decision *avd)
 {
+       struct context lo_scontext;
+       struct context lo_tcontext;
+       struct av_decision lo_avd;
+       struct type_datum *source
+               = policydb.type_val_to_struct[scontext->type - 1];
+       struct type_datum *target
+               = policydb.type_val_to_struct[tcontext->type - 1];
+       u32 masked = 0;
+
+       if (source->bounds) {
+               memset(&lo_avd, 0, sizeof(lo_avd));
+
+               memcpy(&lo_scontext, scontext, sizeof(lo_scontext));
+               lo_scontext.type = source->bounds;
+
+               context_struct_compute_av(&lo_scontext,
+                                         tcontext,
+                                         tclass,
+                                         &lo_avd);
+               if ((lo_avd.allowed & avd->allowed) == avd->allowed)
+                       return;         /* no masked permission */
+               masked = ~lo_avd.allowed & avd->allowed;
+       }
+
+       if (target->bounds) {
+               memset(&lo_avd, 0, sizeof(lo_avd));
+
+               memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext));
+               lo_tcontext.type = target->bounds;
+
+               context_struct_compute_av(scontext,
+                                         &lo_tcontext,
+                                         tclass,
+                                         &lo_avd);
+               if ((lo_avd.allowed & avd->allowed) == avd->allowed)
+                       return;         /* no masked permission */
+               masked = ~lo_avd.allowed & avd->allowed;
+       }
+
+       if (source->bounds && target->bounds) {
+               memset(&lo_avd, 0, sizeof(lo_avd));
+               /*
+                * lo_scontext and lo_tcontext are already
+                * set up.
+                */
+
+               context_struct_compute_av(&lo_scontext,
+                                         &lo_tcontext,
+                                         tclass,
+                                         &lo_avd);
+               if ((lo_avd.allowed & avd->allowed) == avd->allowed)
+                       return;         /* no masked permission */
+               masked = ~lo_avd.allowed & avd->allowed;
+       }
+
+       if (masked) {
+               /* mask violated permissions */
+               avd->allowed &= ~masked;
+
+               /* audit masked permissions */
+               security_dump_masked_av(scontext, tcontext,
+                                       tclass, masked, "bounds");
+       }
+}
+
+/*
+ * Compute access vectors based on a context structure pair for
+ * the permissions in a particular class.
+ */
+static void context_struct_compute_av(struct context *scontext,
+                                     struct context *tcontext,
+                                     u16 tclass,
+                                     struct av_decision *avd)
+{
        struct constraint_node *constraint;
        struct role_allow *ra;
        struct avtab_key avkey;
@@ -295,56 +608,17 @@ static int context_struct_compute_av(struct context *scontext,
        struct class_datum *tclass_datum;
        struct ebitmap *sattr, *tattr;
        struct ebitmap_node *snode, *tnode;
-       const struct selinux_class_perm *kdefs = &selinux_class_perm;
        unsigned int i, j;
 
-       /*
-        * Remap extended Netlink classes for old policy versions.
-        * Do this here rather than socket_type_to_security_class()
-        * in case a newer policy version is loaded, allowing sockets
-        * to remain in the correct class.
-        */
-       if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
-               if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
-                   tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
-                       tclass = SECCLASS_NETLINK_SOCKET;
-
-       /*
-        * Initialize the access vectors to the default values.
-        */
        avd->allowed = 0;
-       avd->decided = 0xffffffff;
        avd->auditallow = 0;
        avd->auditdeny = 0xffffffff;
-       avd->seqno = latest_granting;
 
-       /*
-        * Check for all the invalid cases.
-        * - tclass 0
-        * - tclass > policy and > kernel
-        * - tclass > policy but is a userspace class
-        * - tclass > policy but we do not allow unknowns
-        */
-       if (unlikely(!tclass))
-               goto inval_class;
-       if (unlikely(tclass > policydb.p_classes.nprim))
-               if (tclass > kdefs->cts_len ||
-                   !kdefs->class_to_string[tclass - 1] ||
-                   !policydb.allow_unknown)
-                       goto inval_class;
-
-       /*
-        * Kernel class and we allow unknown so pad the allow decision
-        * the pad will be all 1 for unknown classes.
-        */
-       if (tclass <= kdefs->cts_len && policydb.allow_unknown)
-               avd->allowed = policydb.undefined_perms[tclass - 1];
-
-       /*
-        * Not in policy. Since decision is completed (all 1 or all 0) return.
-        */
-       if (unlikely(tclass > policydb.p_classes.nprim))
-               return 0;
+       if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) {
+               if (printk_ratelimit())
+                       printk(KERN_WARNING "SELinux:  Invalid class %hu\n", tclass);
+               return;
+       }
 
        tclass_datum = policydb.class_val_to_struct[tclass - 1];
 
@@ -354,14 +628,16 @@ static int context_struct_compute_av(struct context *scontext,
         */
        avkey.target_class = tclass;
        avkey.specified = AVTAB_AV;
-       sattr = &policydb.type_attr_map[scontext->type - 1];
-       tattr = &policydb.type_attr_map[tcontext->type - 1];
+       sattr = flex_array_get(policydb.type_attr_map_array, scontext->type - 1);
+       BUG_ON(!sattr);
+       tattr = flex_array_get(policydb.type_attr_map_array, tcontext->type - 1);
+       BUG_ON(!tattr);
        ebitmap_for_each_positive_bit(sattr, snode, i) {
                ebitmap_for_each_positive_bit(tattr, tnode, j) {
                        avkey.source_type = i + 1;
                        avkey.target_type = j + 1;
                        for (node = avtab_search_node(&policydb.te_avtab, &avkey);
-                            node != NULL;
+                            node;
                             node = avtab_search_node_next(node, avkey.specified)) {
                                if (node->key.specified == AVTAB_ALLOWED)
                                        avd->allowed |= node->datum.data;
@@ -386,7 +662,7 @@ static int context_struct_compute_av(struct context *scontext,
                if ((constraint->permissions & (avd->allowed)) &&
                    !constraint_expr_eval(scontext, tcontext, NULL,
                                          constraint->expr)) {
-                       avd->allowed = (avd->allowed) & ~(constraint->permissions);
+                       avd->allowed &= ~(constraint->permissions);
                }
                constraint = constraint->next;
        }
@@ -396,8 +672,8 @@ static int context_struct_compute_av(struct context *scontext,
         * role is changing, then check the (current_role, new_role)
         * pair.
         */
-       if (tclass == SECCLASS_PROCESS &&
-           (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) &&
+       if (tclass == policydb.process_class &&
+           (avd->allowed & policydb.process_trans_perms) &&
            scontext->role != tcontext->role) {
                for (ra = policydb.role_allow; ra; ra = ra->next) {
                        if (scontext->role == ra->role &&
@@ -405,21 +681,22 @@ static int context_struct_compute_av(struct context *scontext,
                                break;
                }
                if (!ra)
-                       avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION |
-                                                       PROCESS__DYNTRANSITION);
+                       avd->allowed &= ~policydb.process_trans_perms;
        }
 
-       return 0;
-
-inval_class:
-       printk(KERN_ERR "%s:  unrecognized class %d\n", __FUNCTION__, tclass);
-       return -EINVAL;
+       /*
+        * If the given source and target types have boundary
+        * constraint, lazy checks have to mask any violated
+        * permission and notice it to userspace via audit.
+        */
+       type_attribute_bounds_av(scontext, tcontext,
+                                tclass, avd);
 }
 
 static int security_validtrans_handle_fail(struct context *ocontext,
-                                           struct context *ncontext,
-                                           struct context *tcontext,
-                                           u16 tclass)
+                                          struct context *ncontext,
+                                          struct context *tcontext,
+                                          u16 tclass)
 {
        char *o = NULL, *n = NULL, *t = NULL;
        u32 olen, nlen, tlen;
@@ -431,9 +708,9 @@ static int security_validtrans_handle_fail(struct context *ocontext,
        if (context_struct_to_string(tcontext, &t, &tlen) < 0)
                goto out;
        audit_log(current->audit_context, GFP_ATOMIC, AUDIT_SELINUX_ERR,
-                 "security_validate_transition:  denied for"
-                 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
-                 o, n, t, policydb.p_class_val_to_name[tclass-1]);
+                 "security_validate_transition:  denied for"
+                 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
+                 o, n, t, policydb.p_class_val_to_name[tclass-1]);
 out:
        kfree(o);
        kfree(n);
@@ -445,34 +722,26 @@ out:
 }
 
 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
-                                 u16 tclass)
+                                u16 orig_tclass)
 {
        struct context *ocontext;
        struct context *ncontext;
        struct context *tcontext;
        struct class_datum *tclass_datum;
        struct constraint_node *constraint;
+       u16 tclass;
        int rc = 0;
 
        if (!ss_initialized)
                return 0;
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
 
-       /*
-        * Remap extended Netlink classes for old policy versions.
-        * Do this here rather than socket_type_to_security_class()
-        * in case a newer policy version is loaded, allowing sockets
-        * to remain in the correct class.
-        */
-       if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
-               if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
-                   tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
-                       tclass = SECCLASS_NETLINK_SOCKET;
+       tclass = unmap_class(orig_tclass);
 
        if (!tclass || tclass > policydb.p_classes.nprim) {
-               printk(KERN_ERR "security_validate_transition:  "
-                      "unrecognized class %d\n", tclass);
+               printk(KERN_ERR "SELinux: %s:  unrecognized class %d\n",
+                       __func__, tclass);
                rc = -EINVAL;
                goto out;
        }
@@ -480,24 +749,24 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
 
        ocontext = sidtab_search(&sidtab, oldsid);
        if (!ocontext) {
-               printk(KERN_ERR "security_validate_transition: "
-                      " unrecognized SID %d\n", oldsid);
+               printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                       __func__, oldsid);
                rc = -EINVAL;
                goto out;
        }
 
        ncontext = sidtab_search(&sidtab, newsid);
        if (!ncontext) {
-               printk(KERN_ERR "security_validate_transition: "
-                      " unrecognized SID %d\n", newsid);
+               printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                       __func__, newsid);
                rc = -EINVAL;
                goto out;
        }
 
        tcontext = sidtab_search(&sidtab, tasksid);
        if (!tcontext) {
-               printk(KERN_ERR "security_validate_transition: "
-                      " unrecognized SID %d\n", tasksid);
+               printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                       __func__, tasksid);
                rc = -EINVAL;
                goto out;
        }
@@ -505,72 +774,211 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
        constraint = tclass_datum->validatetrans;
        while (constraint) {
                if (!constraint_expr_eval(ocontext, ncontext, tcontext,
-                                         constraint->expr)) {
+                                         constraint->expr)) {
                        rc = security_validtrans_handle_fail(ocontext, ncontext,
-                                                            tcontext, tclass);
+                                                            tcontext, tclass);
                        goto out;
                }
                constraint = constraint->next;
        }
 
 out:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
        return rc;
 }
 
+/*
+ * security_bounded_transition - check whether the given
+ * transition is directed to bounded, or not.
+ * It returns 0, if @newsid is bounded by @oldsid.
+ * Otherwise, it returns error code.
+ *
+ * @oldsid : current security identifier
+ * @newsid : destinated security identifier
+ */
+int security_bounded_transition(u32 old_sid, u32 new_sid)
+{
+       struct context *old_context, *new_context;
+       struct type_datum *type;
+       int index;
+       int rc = -EINVAL;
+
+       read_lock(&policy_rwlock);
+
+       old_context = sidtab_search(&sidtab, old_sid);
+       if (!old_context) {
+               printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n",
+                      __func__, old_sid);
+               goto out;
+       }
+
+       new_context = sidtab_search(&sidtab, new_sid);
+       if (!new_context) {
+               printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n",
+                      __func__, new_sid);
+               goto out;
+       }
+
+       /* type/domain unchanged */
+       if (old_context->type == new_context->type) {
+               rc = 0;
+               goto out;
+       }
+
+       index = new_context->type;
+       while (true) {
+               type = policydb.type_val_to_struct[index - 1];
+               BUG_ON(!type);
+
+               /* not bounded anymore */
+               if (!type->bounds) {
+                       rc = -EPERM;
+                       break;
+               }
+
+               /* @newsid is bounded by @oldsid */
+               if (type->bounds == old_context->type) {
+                       rc = 0;
+                       break;
+               }
+               index = type->bounds;
+       }
+
+       if (rc) {
+               char *old_name = NULL;
+               char *new_name = NULL;
+               u32 length;
+
+               if (!context_struct_to_string(old_context,
+                                             &old_name, &length) &&
+                   !context_struct_to_string(new_context,
+                                             &new_name, &length)) {
+                       audit_log(current->audit_context,
+                                 GFP_ATOMIC, AUDIT_SELINUX_ERR,
+                                 "op=security_bounded_transition "
+                                 "result=denied "
+                                 "oldcontext=%s newcontext=%s",
+                                 old_name, new_name);
+               }
+               kfree(new_name);
+               kfree(old_name);
+       }
+out:
+       read_unlock(&policy_rwlock);
+
+       return rc;
+}
+
+static void avd_init(struct av_decision *avd)
+{
+       avd->allowed = 0;
+       avd->auditallow = 0;
+       avd->auditdeny = 0xffffffff;
+       avd->seqno = latest_granting;
+       avd->flags = 0;
+}
+
+
 /**
  * security_compute_av - Compute access vector decisions.
  * @ssid: source security identifier
  * @tsid: target security identifier
  * @tclass: target security class
- * @requested: requested permissions
  * @avd: access vector decisions
  *
  * Compute a set of access vector decisions based on the
  * SID pair (@ssid, @tsid) for the permissions in @tclass.
- * Return -%EINVAL if any of the parameters are invalid or %0
- * if the access vector decisions were computed successfully.
  */
-int security_compute_av(u32 ssid,
-                       u32 tsid,
-                       u16 tclass,
-                       u32 requested,
-                       struct av_decision *avd)
+void security_compute_av(u32 ssid,
+                        u32 tsid,
+                        u16 orig_tclass,
+                        struct av_decision *avd)
 {
+       u16 tclass;
        struct context *scontext = NULL, *tcontext = NULL;
-       int rc = 0;
 
-       if (!ss_initialized) {
-               avd->allowed = 0xffffffff;
-               avd->decided = 0xffffffff;
-               avd->auditallow = 0;
-               avd->auditdeny = 0xffffffff;
-               avd->seqno = latest_granting;
-               return 0;
+       read_lock(&policy_rwlock);
+       avd_init(avd);
+       if (!ss_initialized)
+               goto allow;
+
+       scontext = sidtab_search(&sidtab, ssid);
+       if (!scontext) {
+               printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                      __func__, ssid);
+               goto out;
        }
 
-       POLICY_RDLOCK;
+       /* permissive domain? */
+       if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
+               avd->flags |= AVD_FLAGS_PERMISSIVE;
+
+       tcontext = sidtab_search(&sidtab, tsid);
+       if (!tcontext) {
+               printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                      __func__, tsid);
+               goto out;
+       }
+
+       tclass = unmap_class(orig_tclass);
+       if (unlikely(orig_tclass && !tclass)) {
+               if (policydb.allow_unknown)
+                       goto allow;
+               goto out;
+       }
+       context_struct_compute_av(scontext, tcontext, tclass, avd);
+       map_decision(orig_tclass, avd, policydb.allow_unknown);
+out:
+       read_unlock(&policy_rwlock);
+       return;
+allow:
+       avd->allowed = 0xffffffff;
+       goto out;
+}
+
+void security_compute_av_user(u32 ssid,
+                             u32 tsid,
+                             u16 tclass,
+                             struct av_decision *avd)
+{
+       struct context *scontext = NULL, *tcontext = NULL;
+
+       read_lock(&policy_rwlock);
+       avd_init(avd);
+       if (!ss_initialized)
+               goto allow;
 
        scontext = sidtab_search(&sidtab, ssid);
        if (!scontext) {
-               printk(KERN_ERR "security_compute_av:  unrecognized SID %d\n",
-                      ssid);
-               rc = -EINVAL;
+               printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                      __func__, ssid);
                goto out;
        }
+
+       /* permissive domain? */
+       if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
+               avd->flags |= AVD_FLAGS_PERMISSIVE;
+
        tcontext = sidtab_search(&sidtab, tsid);
        if (!tcontext) {
-               printk(KERN_ERR "security_compute_av:  unrecognized SID %d\n",
-                      tsid);
-               rc = -EINVAL;
+               printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                      __func__, tsid);
                goto out;
        }
 
-       rc = context_struct_compute_av(scontext, tcontext, tclass,
-                                      requested, avd);
-out:
-       POLICY_RDUNLOCK;
-       return rc;
+       if (unlikely(!tclass)) {
+               if (policydb.allow_unknown)
+                       goto allow;
+               goto out;
+       }
+
+       context_struct_compute_av(scontext, tcontext, tclass, avd);
+ out:
+       read_unlock(&policy_rwlock);
+       return;
+allow:
+       avd->allowed = 0xffffffff;
+       goto out;
 }
 
 /*
@@ -584,20 +992,31 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
 {
        char *scontextp;
 
-       *scontext = NULL;
+       if (scontext)
+               *scontext = NULL;
        *scontext_len = 0;
 
+       if (context->len) {
+               *scontext_len = context->len;
+               *scontext = kstrdup(context->str, GFP_ATOMIC);
+               if (!(*scontext))
+                       return -ENOMEM;
+               return 0;
+       }
+
        /* Compute the size of the context. */
        *scontext_len += strlen(policydb.p_user_val_to_name[context->user - 1]) + 1;
        *scontext_len += strlen(policydb.p_role_val_to_name[context->role - 1]) + 1;
        *scontext_len += strlen(policydb.p_type_val_to_name[context->type - 1]) + 1;
        *scontext_len += mls_compute_context_len(context);
 
+       if (!scontext)
+               return 0;
+
        /* Allocate space for the context; caller must free this space. */
        scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
-       if (!scontextp) {
+       if (!scontextp)
                return -ENOMEM;
-       }
        *scontext = scontextp;
 
        /*
@@ -608,8 +1027,8 @@ static int context_struct_to_string(struct context *context, char **scontext, u3
                policydb.p_role_val_to_name[context->role - 1],
                policydb.p_type_val_to_name[context->type - 1]);
        scontextp += strlen(policydb.p_user_val_to_name[context->user - 1]) +
-                    1 + strlen(policydb.p_role_val_to_name[context->role - 1]) +
-                    1 + strlen(policydb.p_type_val_to_name[context->type - 1]);
+                    1 + strlen(policydb.p_role_val_to_name[context->role - 1]) +
+                    1 + strlen(policydb.p_type_val_to_name[context->type - 1]);
 
        mls_sid_to_context(context, &scontextp);
 
@@ -627,22 +1046,14 @@ const char *security_get_initial_sid_context(u32 sid)
        return initial_sid_to_string[sid];
 }
 
-/**
- * security_sid_to_context - Obtain a context for a given SID.
- * @sid: security identifier, SID
- * @scontext: security context
- * @scontext_len: length in bytes
- *
- * Write the string representation of the context associated with @sid
- * into a dynamically allocated string of the correct size.  Set @scontext
- * to point to this string and set @scontext_len to the length of the string.
- */
-int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
+static int security_sid_to_context_core(u32 sid, char **scontext,
+                                       u32 *scontext_len, int force)
 {
        struct context *context;
        int rc = 0;
 
-       *scontext = NULL;
+       if (scontext)
+               *scontext = NULL;
        *scontext_len  = 0;
 
        if (!ss_initialized) {
@@ -650,7 +1061,9 @@ int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
                        char *scontextp;
 
                        *scontext_len = strlen(initial_sid_to_string[sid]) + 1;
-                       scontextp = kmalloc(*scontext_len,GFP_ATOMIC);
+                       if (!scontext)
+                               goto out;
+                       scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
                        if (!scontextp) {
                                rc = -ENOMEM;
                                goto out;
@@ -659,73 +1072,72 @@ int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
                        *scontext = scontextp;
                        goto out;
                }
-               printk(KERN_ERR "security_sid_to_context:  called before initial "
-                      "load_policy on unknown SID %d\n", sid);
+               printk(KERN_ERR "SELinux: %s:  called before initial "
+                      "load_policy on unknown SID %d\n", __func__, sid);
                rc = -EINVAL;
                goto out;
        }
-       POLICY_RDLOCK;
-       context = sidtab_search(&sidtab, sid);
+       read_lock(&policy_rwlock);
+       if (force)
+               context = sidtab_search_force(&sidtab, sid);
+       else
+               context = sidtab_search(&sidtab, sid);
        if (!context) {
-               printk(KERN_ERR "security_sid_to_context:  unrecognized SID "
-                      "%d\n", sid);
+               printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                       __func__, sid);
                rc = -EINVAL;
                goto out_unlock;
        }
        rc = context_struct_to_string(context, scontext, scontext_len);
 out_unlock:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
 out:
        return rc;
 
 }
 
-static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid)
+/**
+ * security_sid_to_context - Obtain a context for a given SID.
+ * @sid: security identifier, SID
+ * @scontext: security context
+ * @scontext_len: length in bytes
+ *
+ * Write the string representation of the context associated with @sid
+ * into a dynamically allocated string of the correct size.  Set @scontext
+ * to point to this string and set @scontext_len to the length of the string.
+ */
+int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len)
+{
+       return security_sid_to_context_core(sid, scontext, scontext_len, 0);
+}
+
+int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len)
+{
+       return security_sid_to_context_core(sid, scontext, scontext_len, 1);
+}
+
+/*
+ * Caveat:  Mutates scontext.
+ */
+static int string_to_context_struct(struct policydb *pol,
+                                   struct sidtab *sidtabp,
+                                   char *scontext,
+                                   u32 scontext_len,
+                                   struct context *ctx,
+                                   u32 def_sid)
 {
-       char *scontext2;
-       struct context context;
        struct role_datum *role;
        struct type_datum *typdatum;
        struct user_datum *usrdatum;
        char *scontextp, *p, oldc;
        int rc = 0;
 
-       if (!ss_initialized) {
-               int i;
-
-               for (i = 1; i < SECINITSID_NUM; i++) {
-                       if (!strcmp(initial_sid_to_string[i], scontext)) {
-                               *sid = i;
-                               goto out;
-                       }
-               }
-               *sid = SECINITSID_KERNEL;
-               goto out;
-       }
-       *sid = SECSID_NULL;
-
-       /* Copy the string so that we can modify the copy as we parse it.
-          The string should already by null terminated, but we append a
-          null suffix to the copy to avoid problems with the existing
-          attr package, which doesn't view the null terminator as part
-          of the attribute value. */
-       scontext2 = kmalloc(scontext_len+1,GFP_KERNEL);
-       if (!scontext2) {
-               rc = -ENOMEM;
-               goto out;
-       }
-       memcpy(scontext2, scontext, scontext_len);
-       scontext2[scontext_len] = 0;
-
-       context_init(&context);
-       *sid = SECSID_NULL;
-
-       POLICY_RDLOCK;
+       context_init(ctx);
 
        /* Parse the security context. */
 
        rc = -EINVAL;
-       scontextp = (char *) scontext2;
+       scontextp = (char *) scontext;
 
        /* Extract the user. */
        p = scontextp;
@@ -733,15 +1145,15 @@ static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *s
                p++;
 
        if (*p == 0)
-               goto out_unlock;
+               goto out;
 
        *p++ = 0;
 
-       usrdatum = hashtab_search(policydb.p_users.table, scontextp);
+       usrdatum = hashtab_search(pol->p_users.table, scontextp);
        if (!usrdatum)
-               goto out_unlock;
+               goto out;
 
-       context.user = usrdatum->value;
+       ctx->user = usrdatum->value;
 
        /* Extract role. */
        scontextp = p;
@@ -749,14 +1161,14 @@ static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *s
                p++;
 
        if (*p == 0)
-               goto out_unlock;
+               goto out;
 
        *p++ = 0;
 
-       role = hashtab_search(policydb.p_roles.table, scontextp);
+       role = hashtab_search(pol->p_roles.table, scontextp);
        if (!role)
-               goto out_unlock;
-       context.role = role->value;
+               goto out;
+       ctx->role = role->value;
 
        /* Extract type. */
        scontextp = p;
@@ -765,33 +1177,87 @@ static int security_context_to_sid_core(char *scontext, u32 scontext_len, u32 *s
        oldc = *p;
        *p++ = 0;
 
-       typdatum = hashtab_search(policydb.p_types.table, scontextp);
-       if (!typdatum)
-               goto out_unlock;
+       typdatum = hashtab_search(pol->p_types.table, scontextp);
+       if (!typdatum || typdatum->attribute)
+               goto out;
 
-       context.type = typdatum->value;
+       ctx->type = typdatum->value;
 
-       rc = mls_context_to_sid(oldc, &p, &context, &sidtab, def_sid);
+       rc = mls_context_to_sid(pol, oldc, &p, ctx, sidtabp, def_sid);
        if (rc)
-               goto out_unlock;
+               goto out;
 
-       if ((p - scontext2) < scontext_len) {
+       if ((p - scontext) < scontext_len) {
                rc = -EINVAL;
-               goto out_unlock;
+               goto out;
        }
 
        /* Check the validity of the new context. */
-       if (!policydb_context_isvalid(&policydb, &context)) {
+       if (!policydb_context_isvalid(pol, ctx)) {
                rc = -EINVAL;
-               goto out_unlock;
+               goto out;
        }
-       /* Obtain the new sid. */
+       rc = 0;
+out:
+       if (rc)
+               context_destroy(ctx);
+       return rc;
+}
+
+static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
+                                       u32 *sid, u32 def_sid, gfp_t gfp_flags,
+                                       int force)
+{
+       char *scontext2, *str = NULL;
+       struct context context;
+       int rc = 0;
+
+       if (!ss_initialized) {
+               int i;
+
+               for (i = 1; i < SECINITSID_NUM; i++) {
+                       if (!strcmp(initial_sid_to_string[i], scontext)) {
+                               *sid = i;
+                               return 0;
+                       }
+               }
+               *sid = SECINITSID_KERNEL;
+               return 0;
+       }
+       *sid = SECSID_NULL;
+
+       /* Copy the string so that we can modify the copy as we parse it. */
+       scontext2 = kmalloc(scontext_len + 1, gfp_flags);
+       if (!scontext2)
+               return -ENOMEM;
+       memcpy(scontext2, scontext, scontext_len);
+       scontext2[scontext_len] = 0;
+
+       if (force) {
+               /* Save another copy for storing in uninterpreted form */
+               str = kstrdup(scontext2, gfp_flags);
+               if (!str) {
+                       kfree(scontext2);
+                       return -ENOMEM;
+               }
+       }
+
+       read_lock(&policy_rwlock);
+       rc = string_to_context_struct(&policydb, &sidtab,
+                                     scontext2, scontext_len,
+                                     &context, def_sid);
+       if (rc == -EINVAL && force) {
+               context.str = str;
+               context.len = scontext_len;
+               str = NULL;
+       } else if (rc)
+               goto out;
        rc = sidtab_context_to_sid(&sidtab, &context, sid);
-out_unlock:
-       POLICY_RDUNLOCK;
        context_destroy(&context);
-       kfree(scontext2);
 out:
+       read_unlock(&policy_rwlock);
+       kfree(scontext2);
+       kfree(str);
        return rc;
 }
 
@@ -806,10 +1272,10 @@ out:
  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
  * memory is available, or 0 on success.
  */
-int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid)
+int security_context_to_sid(const char *scontext, u32 scontext_len, u32 *sid)
 {
        return security_context_to_sid_core(scontext, scontext_len,
-                                           sid, SECSID_NULL);
+                                           sid, SECSID_NULL, GFP_KERNEL, 0);
 }
 
 /**
@@ -826,13 +1292,22 @@ int security_context_to_sid(char *scontext, u32 scontext_len, u32 *sid)
  * The default SID is passed to the MLS layer to be used to allow
  * kernel labeling of the MLS field if the MLS field is not present
  * (for upgrading to MLS without full relabel).
+ * Implicitly forces adding of the context even if it cannot be mapped yet.
  * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient
  * memory is available, or 0 on success.
  */
-int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *sid, u32 def_sid)
+int security_context_to_sid_default(const char *scontext, u32 scontext_len,
+                                   u32 *sid, u32 def_sid, gfp_t gfp_flags)
+{
+       return security_context_to_sid_core(scontext, scontext_len,
+                                           sid, def_sid, gfp_flags, 1);
+}
+
+int security_context_to_sid_force(const char *scontext, u32 scontext_len,
+                                 u32 *sid)
 {
        return security_context_to_sid_core(scontext, scontext_len,
-                                           sid, def_sid);
+                                           sid, SECSID_NULL, GFP_KERNEL, 1);
 }
 
 static int compute_sid_handle_invalid_context(
@@ -867,20 +1342,22 @@ out:
 
 static int security_compute_sid(u32 ssid,
                                u32 tsid,
-                               u16 tclass,
+                               u16 orig_tclass,
                                u32 specified,
-                               u32 *out_sid)
+                               u32 *out_sid,
+                               bool kern)
 {
        struct context *scontext = NULL, *tcontext = NULL, newcontext;
        struct role_trans *roletr = NULL;
        struct avtab_key avkey;
        struct avtab_datum *avdatum;
        struct avtab_node *node;
+       u16 tclass;
        int rc = 0;
 
        if (!ss_initialized) {
-               switch (tclass) {
-               case SECCLASS_PROCESS:
+               switch (orig_tclass) {
+               case SECCLASS_PROCESS: /* kernel value */
                        *out_sid = ssid;
                        break;
                default:
@@ -892,19 +1369,24 @@ static int security_compute_sid(u32 ssid,
 
        context_init(&newcontext);
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
+
+       if (kern)
+               tclass = unmap_class(orig_tclass);
+       else
+               tclass = orig_tclass;
 
        scontext = sidtab_search(&sidtab, ssid);
        if (!scontext) {
-               printk(KERN_ERR "security_compute_sid:  unrecognized SID %d\n",
-                      ssid);
+               printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                      __func__, ssid);
                rc = -EINVAL;
                goto out_unlock;
        }
        tcontext = sidtab_search(&sidtab, tsid);
        if (!tcontext) {
-               printk(KERN_ERR "security_compute_sid:  unrecognized SID %d\n",
-                      tsid);
+               printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                      __func__, tsid);
                rc = -EINVAL;
                goto out_unlock;
        }
@@ -923,13 +1405,11 @@ static int security_compute_sid(u32 ssid,
        }
 
        /* Set the role and type to default values. */
-       switch (tclass) {
-       case SECCLASS_PROCESS:
+       if (tclass == policydb.process_class) {
                /* Use the current role and type of process. */
                newcontext.role = scontext->role;
                newcontext.type = scontext->type;
-               break;
-       default:
+       } else {
                /* Use the well-defined object role. */
                newcontext.role = OBJECT_R_VAL;
                /* Use the type of the related object. */
@@ -944,9 +1424,9 @@ static int security_compute_sid(u32 ssid,
        avdatum = avtab_search(&policydb.te_avtab, &avkey);
 
        /* If no permanent rule, also check for enabled conditional rules */
-       if(!avdatum) {
+       if (!avdatum) {
                node = avtab_search_node(&policydb.te_cond_avtab, &avkey);
-               for (; node != NULL; node = avtab_search_node_next(node, specified)) {
+               for (; node; node = avtab_search_node_next(node, specified)) {
                        if (node->key.specified & AVTAB_ENABLED) {
                                avdatum = &node->datum;
                                break;
@@ -960,8 +1440,7 @@ static int security_compute_sid(u32 ssid,
        }
 
        /* Check for class-specific changes. */
-       switch (tclass) {
-       case SECCLASS_PROCESS:
+       if  (tclass == policydb.process_class) {
                if (specified & AVTAB_TRANSITION) {
                        /* Look for a role transition rule. */
                        for (roletr = policydb.role_tr; roletr;
@@ -974,9 +1453,6 @@ static int security_compute_sid(u32 ssid,
                                }
                        }
                }
-               break;
-       default:
-               break;
        }
 
        /* Set the MLS attributes.
@@ -997,7 +1473,7 @@ static int security_compute_sid(u32 ssid,
        /* Obtain the sid for the context. */
        rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid);
 out_unlock:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
        context_destroy(&newcontext);
 out:
        return rc;
@@ -1021,7 +1497,17 @@ int security_transition_sid(u32 ssid,
                            u16 tclass,
                            u32 *out_sid)
 {
-       return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid);
+       return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
+                                   out_sid, true);
+}
+
+int security_transition_sid_user(u32 ssid,
+                                u32 tsid,
+                                u16 tclass,
+                                u32 *out_sid)
+{
+       return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
+                                   out_sid, false);
 }
 
 /**
@@ -1042,7 +1528,8 @@ int security_member_sid(u32 ssid,
                        u16 tclass,
                        u32 *out_sid)
 {
-       return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid);
+       return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid,
+                                   false);
 }
 
 /**
@@ -1063,137 +1550,8 @@ int security_change_sid(u32 ssid,
                        u16 tclass,
                        u32 *out_sid)
 {
-       return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid);
-}
-
-/*
- * Verify that each kernel class that is defined in the
- * policy is correct
- */
-static int validate_classes(struct policydb *p)
-{
-       int i, j;
-       struct class_datum *cladatum;
-       struct perm_datum *perdatum;
-       u32 nprim, tmp, common_pts_len, perm_val, pol_val;
-       u16 class_val;
-       const struct selinux_class_perm *kdefs = &selinux_class_perm;
-       const char *def_class, *def_perm, *pol_class;
-       struct symtab *perms;
-
-       if (p->allow_unknown) {
-               u32 num_classes = kdefs->cts_len;
-               p->undefined_perms = kcalloc(num_classes, sizeof(u32), GFP_KERNEL);
-               if (!p->undefined_perms)
-                       return -ENOMEM;
-       }
-
-       for (i = 1; i < kdefs->cts_len; i++) {
-               def_class = kdefs->class_to_string[i];
-               if (!def_class)
-                       continue;
-               if (i > p->p_classes.nprim) {
-                       printk(KERN_INFO
-                              "security:  class %s not defined in policy\n",
-                              def_class);
-                       if (p->reject_unknown)
-                               return -EINVAL;
-                       if (p->allow_unknown)
-                               p->undefined_perms[i-1] = ~0U;
-                       continue;
-               }
-               pol_class = p->p_class_val_to_name[i-1];
-               if (strcmp(pol_class, def_class)) {
-                       printk(KERN_ERR
-                              "security:  class %d is incorrect, found %s but should be %s\n",
-                              i, pol_class, def_class);
-                       return -EINVAL;
-               }
-       }
-       for (i = 0; i < kdefs->av_pts_len; i++) {
-               class_val = kdefs->av_perm_to_string[i].tclass;
-               perm_val = kdefs->av_perm_to_string[i].value;
-               def_perm = kdefs->av_perm_to_string[i].name;
-               if (class_val > p->p_classes.nprim)
-                       continue;
-               pol_class = p->p_class_val_to_name[class_val-1];
-               cladatum = hashtab_search(p->p_classes.table, pol_class);
-               BUG_ON(!cladatum);
-               perms = &cladatum->permissions;
-               nprim = 1 << (perms->nprim - 1);
-               if (perm_val > nprim) {
-                       printk(KERN_INFO
-                              "security:  permission %s in class %s not defined in policy\n",
-                              def_perm, pol_class);
-                       if (p->reject_unknown)
-                               return -EINVAL;
-                       if (p->allow_unknown)
-                               p->undefined_perms[class_val-1] |= perm_val;
-                       continue;
-               }
-               perdatum = hashtab_search(perms->table, def_perm);
-               if (perdatum == NULL) {
-                       printk(KERN_ERR
-                              "security:  permission %s in class %s not found in policy, bad policy\n",
-                              def_perm, pol_class);
-                       return -EINVAL;
-               }
-               pol_val = 1 << (perdatum->value - 1);
-               if (pol_val != perm_val) {
-                       printk(KERN_ERR
-                              "security:  permission %s in class %s has incorrect value\n",
-                              def_perm, pol_class);
-                       return -EINVAL;
-               }
-       }
-       for (i = 0; i < kdefs->av_inherit_len; i++) {
-               class_val = kdefs->av_inherit[i].tclass;
-               if (class_val > p->p_classes.nprim)
-                       continue;
-               pol_class = p->p_class_val_to_name[class_val-1];
-               cladatum = hashtab_search(p->p_classes.table, pol_class);
-               BUG_ON(!cladatum);
-               if (!cladatum->comdatum) {
-                       printk(KERN_ERR
-                              "security:  class %s should have an inherits clause but does not\n",
-                              pol_class);
-                       return -EINVAL;
-               }
-               tmp = kdefs->av_inherit[i].common_base;
-               common_pts_len = 0;
-               while (!(tmp & 0x01)) {
-                       common_pts_len++;
-                       tmp >>= 1;
-               }
-               perms = &cladatum->comdatum->permissions;
-               for (j = 0; j < common_pts_len; j++) {
-                       def_perm = kdefs->av_inherit[i].common_pts[j];
-                       if (j >= perms->nprim) {
-                               printk(KERN_INFO
-                                      "security:  permission %s in class %s not defined in policy\n",
-                                      def_perm, pol_class);
-                               if (p->reject_unknown)
-                                       return -EINVAL;
-                               if (p->allow_unknown)
-                                       p->undefined_perms[class_val-1] |= (1 << j);
-                               continue;
-                       }
-                       perdatum = hashtab_search(perms->table, def_perm);
-                       if (perdatum == NULL) {
-                               printk(KERN_ERR
-                                      "security:  permission %s in class %s not found in policy, bad policy\n",
-                                      def_perm, pol_class);
-                               return -EINVAL;
-                       }
-                       if (perdatum->value != j + 1) {
-                               printk(KERN_ERR
-                                      "security:  permission %s in class %s has incorrect value\n",
-                                      def_perm, pol_class);
-                               return -EINVAL;
-                       }
-               }
-       }
-       return 0;
+       return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid,
+                                   false);
 }
 
 /* Clone the SID into the new SID table. */
@@ -1203,7 +1561,10 @@ static int clone_sid(u32 sid,
 {
        struct sidtab *s = arg;
 
-       return sidtab_insert(s, sid, context);
+       if (sid > SECINITSID_NUM)
+               return sidtab_insert(s, sid, context);
+       else
+               return 0;
 }
 
 static inline int convert_context_handle_invalid_context(struct context *context)
@@ -1216,9 +1577,12 @@ static inline int convert_context_handle_invalid_context(struct context *context
                char *s;
                u32 len;
 
-               context_struct_to_string(context, &s, &len);
-               printk(KERN_ERR "security:  context %s is invalid\n", s);
-               kfree(s);
+               if (!context_struct_to_string(context, &s, &len)) {
+                       printk(KERN_WARNING
+                      "SELinux:  Context %s would be invalid if enforcing\n",
+                              s);
+                       kfree(s);
+               }
        }
        return rc;
 }
@@ -1241,15 +1605,51 @@ static int convert_context(u32 key,
 {
        struct convert_context_args *args;
        struct context oldc;
+       struct ocontext *oc;
+       struct mls_range *range;
        struct role_datum *role;
        struct type_datum *typdatum;
        struct user_datum *usrdatum;
        char *s;
        u32 len;
-       int rc;
+       int rc = 0;
+
+       if (key <= SECINITSID_NUM)
+               goto out;
 
        args = p;
 
+       if (c->str) {
+               struct context ctx;
+               s = kstrdup(c->str, GFP_KERNEL);
+               if (!s) {
+                       rc = -ENOMEM;
+                       goto out;
+               }
+               rc = string_to_context_struct(args->newp, NULL, s,
+                                             c->len, &ctx, SECSID_NULL);
+               kfree(s);
+               if (!rc) {
+                       printk(KERN_INFO
+                      "SELinux:  Context %s became valid (mapped).\n",
+                              c->str);
+                       /* Replace string with mapped representation. */
+                       kfree(c->str);
+                       memcpy(c, &ctx, sizeof(*c));
+                       goto out;
+               } else if (rc == -EINVAL) {
+                       /* Retain string representation for later mapping. */
+                       rc = 0;
+                       goto out;
+               } else {
+                       /* Other error condition, e.g. ENOMEM. */
+                       printk(KERN_ERR
+                      "SELinux:   Unable to map context %s, rc = %d.\n",
+                              c->str, -rc);
+                       goto out;
+               }
+       }
+
        rc = context_cpy(&oldc, c);
        if (rc)
                goto out;
@@ -1258,31 +1658,58 @@ static int convert_context(u32 key,
 
        /* Convert the user. */
        usrdatum = hashtab_search(args->newp->p_users.table,
-                                 args->oldp->p_user_val_to_name[c->user - 1]);
-       if (!usrdatum) {
+                                 args->oldp->p_user_val_to_name[c->user - 1]);
+       if (!usrdatum)
                goto bad;
-       }
        c->user = usrdatum->value;
 
        /* Convert the role. */
        role = hashtab_search(args->newp->p_roles.table,
-                             args->oldp->p_role_val_to_name[c->role - 1]);
-       if (!role) {
+                             args->oldp->p_role_val_to_name[c->role - 1]);
+       if (!role)
                goto bad;
-       }
        c->role = role->value;
 
        /* Convert the type. */
        typdatum = hashtab_search(args->newp->p_types.table,
-                                 args->oldp->p_type_val_to_name[c->type - 1]);
-       if (!typdatum) {
+                                 args->oldp->p_type_val_to_name[c->type - 1]);
+       if (!typdatum)
                goto bad;
-       }
        c->type = typdatum->value;
 
-       rc = mls_convert_context(args->oldp, args->newp, c);
-       if (rc)
-               goto bad;
+       /* Convert the MLS fields if dealing with MLS policies */
+       if (args->oldp->mls_enabled && args->newp->mls_enabled) {
+               rc = mls_convert_context(args->oldp, args->newp, c);
+               if (rc)
+                       goto bad;
+       } else if (args->oldp->mls_enabled && !args->newp->mls_enabled) {
+               /*
+                * Switching between MLS and non-MLS policy:
+                * free any storage used by the MLS fields in the
+                * context for all existing entries in the sidtab.
+                */
+               mls_context_destroy(c);
+       } else if (!args->oldp->mls_enabled && args->newp->mls_enabled) {
+               /*
+                * Switching between non-MLS and MLS policy:
+                * ensure that the MLS fields of the context for all
+                * existing entries in the sidtab are filled in with a
+                * suitable default value, likely taken from one of the
+                * initial SIDs.
+                */
+               oc = args->newp->ocontexts[OCON_ISID];
+               while (oc && oc->sid[0] != SECINITSID_UNLABELED)
+                       oc = oc->next;
+               if (!oc) {
+                       printk(KERN_ERR "SELinux:  unable to look up"
+                               " the initial SIDs list\n");
+                       goto bad;
+               }
+               range = &oc->context[0].range;
+               rc = mls_range_set(c, range);
+               if (rc)
+                       goto bad;
+       }
 
        /* Check the validity of the new context. */
        if (!policydb_context_isvalid(args->newp, c)) {
@@ -1292,13 +1719,21 @@ static int convert_context(u32 key,
        }
 
        context_destroy(&oldc);
+       rc = 0;
 out:
        return rc;
 bad:
-       context_struct_to_string(&oldc, &s, &len);
+       /* Map old representation to string and save it. */
+       if (context_struct_to_string(&oldc, &s, &len))
+               return -ENOMEM;
        context_destroy(&oldc);
-       printk(KERN_ERR "security:  invalidating context %s\n", s);
-       kfree(s);
+       context_destroy(c);
+       c->str = s;
+       c->len = len;
+       printk(KERN_INFO
+              "SELinux:  Context %s became invalid (unmapped).\n",
+              c->str);
+       rc = 0;
        goto out;
 }
 
@@ -1306,6 +1741,8 @@ static void security_load_policycaps(void)
 {
        selinux_policycap_netpeer = ebitmap_get_bit(&policydb.policycaps,
                                                  POLICYDB_CAPABILITY_NETPEER);
+       selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps,
+                                                 POLICYDB_CAPABILITY_OPENPERM);
 }
 
 extern void selinux_complete_init(void);
@@ -1325,44 +1762,45 @@ int security_load_policy(void *data, size_t len)
 {
        struct policydb oldpolicydb, newpolicydb;
        struct sidtab oldsidtab, newsidtab;
+       struct selinux_mapping *oldmap, *map = NULL;
        struct convert_context_args args;
        u32 seqno;
+       u16 map_size;
        int rc = 0;
        struct policy_file file = { data, len }, *fp = &file;
 
-       LOAD_LOCK;
-
        if (!ss_initialized) {
                avtab_cache_init();
-               if (policydb_read(&policydb, fp)) {
-                       LOAD_UNLOCK;
+               rc = policydb_read(&policydb, fp);
+               if (rc) {
                        avtab_cache_destroy();
-                       return -EINVAL;
+                       return rc;
                }
-               if (policydb_load_isids(&policydb, &sidtab)) {
-                       LOAD_UNLOCK;
+
+               policydb.len = len;
+               rc = selinux_set_mapping(&policydb, secclass_map,
+                                        &current_mapping,
+                                        &current_mapping_size);
+               if (rc) {
                        policydb_destroy(&policydb);
                        avtab_cache_destroy();
-                       return -EINVAL;
+                       return rc;
                }
-               /* Verify that the kernel defined classes are correct. */
-               if (validate_classes(&policydb)) {
-                       printk(KERN_ERR
-                              "security:  the definition of a class is incorrect\n");
-                       LOAD_UNLOCK;
-                       sidtab_destroy(&sidtab);
+
+               rc = policydb_load_isids(&policydb, &sidtab);
+               if (rc) {
                        policydb_destroy(&policydb);
                        avtab_cache_destroy();
-                       return -EINVAL;
+                       return rc;
                }
+
                security_load_policycaps();
-               policydb_loaded_version = policydb.policyvers;
                ss_initialized = 1;
                seqno = ++latest_granting;
-               LOAD_UNLOCK;
                selinux_complete_init();
                avc_ss_reset(seqno);
                selnl_notify_policyload(seqno);
+               selinux_status_update_policyload(seqno);
                selinux_netlbl_cache_invalidate();
                selinux_xfrm_notify_policyload();
                return 0;
@@ -1372,91 +1810,114 @@ int security_load_policy(void *data, size_t len)
        sidtab_hash_eval(&sidtab, "sids");
 #endif
 
-       if (policydb_read(&newpolicydb, fp)) {
-               LOAD_UNLOCK;
-               return -EINVAL;
-       }
+       rc = policydb_read(&newpolicydb, fp);
+       if (rc)
+               return rc;
 
-       sidtab_init(&newsidtab);
+       newpolicydb.len = len;
+       /* If switching between different policy types, log MLS status */
+       if (policydb.mls_enabled && !newpolicydb.mls_enabled)
+               printk(KERN_INFO "SELinux: Disabling MLS support...\n");
+       else if (!policydb.mls_enabled && newpolicydb.mls_enabled)
+               printk(KERN_INFO "SELinux: Enabling MLS support...\n");
 
-       /* Verify that the kernel defined classes are correct. */
-       if (validate_classes(&newpolicydb)) {
-               printk(KERN_ERR
-                      "security:  the definition of a class is incorrect\n");
-               rc = -EINVAL;
-               goto err;
+       rc = policydb_load_isids(&newpolicydb, &newsidtab);
+       if (rc) {
+               printk(KERN_ERR "SELinux:  unable to load the initial SIDs\n");
+               policydb_destroy(&newpolicydb);
+               return rc;
        }
 
+       rc = selinux_set_mapping(&newpolicydb, secclass_map, &map, &map_size);
+       if (rc)
+               goto err;
+
        rc = security_preserve_bools(&newpolicydb);
        if (rc) {
-               printk(KERN_ERR "security:  unable to preserve booleans\n");
+               printk(KERN_ERR "SELinux:  unable to preserve booleans\n");
                goto err;
        }
 
        /* Clone the SID table. */
        sidtab_shutdown(&sidtab);
-       if (sidtab_map(&sidtab, clone_sid, &newsidtab)) {
-               rc = -ENOMEM;
+
+       rc = sidtab_map(&sidtab, clone_sid, &newsidtab);
+       if (rc)
                goto err;
-       }
 
-       /* Convert the internal representations of contexts
-          in the new SID table and remove invalid SIDs. */
+       /*
+        * Convert the internal representations of contexts
+        * in the new SID table.
+        */
        args.oldp = &policydb;
        args.newp = &newpolicydb;
-       sidtab_map_remove_on_error(&newsidtab, convert_context, &args);
+       rc = sidtab_map(&newsidtab, convert_context, &args);
+       if (rc) {
+               printk(KERN_ERR "SELinux:  unable to convert the internal"
+                       " representation of contexts in the new SID"
+                       " table\n");
+               goto err;
+       }
 
        /* Save the old policydb and SID table to free later. */
        memcpy(&oldpolicydb, &policydb, sizeof policydb);
        sidtab_set(&oldsidtab, &sidtab);
 
        /* Install the new policydb and SID table. */
-       POLICY_WRLOCK;
+       write_lock_irq(&policy_rwlock);
        memcpy(&policydb, &newpolicydb, sizeof policydb);
        sidtab_set(&sidtab, &newsidtab);
        security_load_policycaps();
+       oldmap = current_mapping;
+       current_mapping = map;
+       current_mapping_size = map_size;
        seqno = ++latest_granting;
-       policydb_loaded_version = policydb.policyvers;
-       POLICY_WRUNLOCK;
-       LOAD_UNLOCK;
+       write_unlock_irq(&policy_rwlock);
 
        /* Free the old policydb and SID table. */
        policydb_destroy(&oldpolicydb);
        sidtab_destroy(&oldsidtab);
+       kfree(oldmap);
 
        avc_ss_reset(seqno);
        selnl_notify_policyload(seqno);
+       selinux_status_update_policyload(seqno);
        selinux_netlbl_cache_invalidate();
        selinux_xfrm_notify_policyload();
 
        return 0;
 
 err:
-       LOAD_UNLOCK;
+       kfree(map);
        sidtab_destroy(&newsidtab);
        policydb_destroy(&newpolicydb);
        return rc;
 
 }
 
+size_t security_policydb_len(void)
+{
+       size_t len;
+
+       read_lock(&policy_rwlock);
+       len = policydb.len;
+       read_unlock(&policy_rwlock);
+
+       return len;
+}
+
 /**
  * security_port_sid - Obtain the SID for a port.
- * @domain: communication domain aka address family
- * @type: socket type
  * @protocol: protocol number
  * @port: port number
  * @out_sid: security identifier
  */
-int security_port_sid(u16 domain,
-                     u16 type,
-                     u8 protocol,
-                     u16 port,
-                     u32 *out_sid)
+int security_port_sid(u8 protocol, u16 port, u32 *out_sid)
 {
        struct ocontext *c;
        int rc = 0;
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
 
        c = policydb.ocontexts[OCON_PORT];
        while (c) {
@@ -1481,7 +1942,7 @@ int security_port_sid(u16 domain,
        }
 
 out:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
        return rc;
 }
 
@@ -1495,7 +1956,7 @@ int security_netif_sid(char *name, u32 *if_sid)
        int rc = 0;
        struct ocontext *c;
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
 
        c = policydb.ocontexts[OCON_NETIF];
        while (c) {
@@ -1522,7 +1983,7 @@ int security_netif_sid(char *name, u32 *if_sid)
                *if_sid = SECINITSID_NETIF;
 
 out:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
        return rc;
 }
 
@@ -1530,8 +1991,8 @@ static int match_ipv6_addrmask(u32 *input, u32 *addr, u32 *mask)
 {
        int i, fail = 0;
 
-       for(i = 0; i < 4; i++)
-               if(addr[i] != (input[i] & mask[i])) {
+       for (i = 0; i < 4; i++)
+               if (addr[i] != (input[i] & mask[i])) {
                        fail = 1;
                        break;
                }
@@ -1554,7 +2015,7 @@ int security_node_sid(u16 domain,
        int rc = 0;
        struct ocontext *c;
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
 
        switch (domain) {
        case AF_INET: {
@@ -1609,7 +2070,7 @@ int security_node_sid(u16 domain,
        }
 
 out:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
        return rc;
 }
 
@@ -1630,7 +2091,7 @@ out:
  */
 
 int security_get_user_sids(u32 fromsid,
-                          char *username,
+                          char *username,
                           u32 **sids,
                           u32 *nel)
 {
@@ -1648,7 +2109,9 @@ int security_get_user_sids(u32 fromsid,
        if (!ss_initialized)
                goto out;
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
+
+       context_init(&usercon);
 
        fromcon = sidtab_search(&sidtab, fromsid);
        if (!fromcon) {
@@ -1671,9 +2134,9 @@ int security_get_user_sids(u32 fromsid,
 
        ebitmap_for_each_positive_bit(&user->roles, rnode, i) {
                role = policydb.role_val_to_struct[i];
-               usercon.role = i+1;
+               usercon.role = i + 1;
                ebitmap_for_each_positive_bit(&role->types, tnode, j) {
-                       usercon.type = j+1;
+                       usercon.type = j + 1;
 
                        if (mls_setup_user_range(fromcon, user, &usercon))
                                continue;
@@ -1699,7 +2162,7 @@ int security_get_user_sids(u32 fromsid,
        }
 
 out_unlock:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
        if (rc || !mynel) {
                kfree(mysids);
                goto out;
@@ -1713,7 +2176,7 @@ out_unlock:
        }
        for (i = 0, j = 0; i < mynel; i++) {
                rc = avc_has_perm_noaudit(fromsid, mysids[i],
-                                         SECCLASS_PROCESS,
+                                         SECCLASS_PROCESS, /* kernel value */
                                          PROCESS__TRANSITION, AVC_STRICT,
                                          NULL);
                if (!rc)
@@ -1740,11 +2203,12 @@ out:
  * transition SIDs or task SIDs.
  */
 int security_genfs_sid(const char *fstype,
-                      char *path,
-                      u16 sclass,
+                      char *path,
+                      u16 orig_sclass,
                       u32 *sid)
 {
        int len;
+       u16 sclass;
        struct genfs *genfs;
        struct ocontext *c;
        int rc = 0, cmp = 0;
@@ -1752,7 +2216,9 @@ int security_genfs_sid(const char *fstype,
        while (path[0] == '/' && path[1] == '/')
                path++;
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
+
+       sclass = unmap_class(orig_sclass);
 
        for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
                cmp = strcmp(fstype, genfs->fstype);
@@ -1789,7 +2255,7 @@ int security_genfs_sid(const char *fstype,
 
        *sid = c->sid[0];
 out:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
        return rc;
 }
 
@@ -1807,7 +2273,7 @@ int security_fs_use(
        int rc = 0;
        struct ocontext *c;
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
 
        c = policydb.ocontexts[OCON_FSUSE];
        while (c) {
@@ -1837,7 +2303,7 @@ int security_fs_use(
        }
 
 out:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
        return rc;
 }
 
@@ -1845,7 +2311,7 @@ int security_get_bools(int *len, char ***names, int **values)
 {
        int i, rc = -ENOMEM;
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
        *names = NULL;
        *values = NULL;
 
@@ -1855,7 +2321,7 @@ int security_get_bools(int *len, char ***names, int **values)
                goto out;
        }
 
-       *names = kcalloc(*len, sizeof(char*), GFP_ATOMIC);
+       *names = kcalloc(*len, sizeof(char *), GFP_ATOMIC);
        if (!*names)
                goto err;
 
@@ -1867,7 +2333,7 @@ int security_get_bools(int *len, char ***names, int **values)
                size_t name_len;
                (*values)[i] = policydb.bool_val_to_struct[i]->state;
                name_len = strlen(policydb.p_bool_val_to_name[i]) + 1;
-               (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC);
+              (*names)[i] = kmalloc(sizeof(char) * name_len, GFP_ATOMIC);
                if (!(*names)[i])
                        goto err;
                strncpy((*names)[i], policydb.p_bool_val_to_name[i], name_len);
@@ -1875,7 +2341,7 @@ int security_get_bools(int *len, char ***names, int **values)
        }
        rc = 0;
 out:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
        return rc;
 err:
        if (*names) {
@@ -1893,7 +2359,7 @@ int security_set_bools(int len, int *values)
        int lenp, seqno = 0;
        struct cond_node *cur;
 
-       POLICY_WRLOCK;
+       write_lock_irq(&policy_rwlock);
 
        lenp = policydb.p_bools.nprim;
        if (len != lenp) {
@@ -1912,14 +2378,13 @@ int security_set_bools(int len, int *values)
                                audit_get_loginuid(current),
                                audit_get_sessionid(current));
                }
-               if (values[i]) {
+               if (values[i])
                        policydb.bool_val_to_struct[i]->state = 1;
-               } else {
+               else
                        policydb.bool_val_to_struct[i]->state = 0;
-               }
        }
 
-       for (cur = policydb.cond_list; cur != NULL; cur = cur->next) {
+       for (cur = policydb.cond_list; cur; cur = cur->next) {
                rc = evaluate_cond_node(&policydb, cur);
                if (rc)
                        goto out;
@@ -1928,10 +2393,11 @@ int security_set_bools(int len, int *values)
        seqno = ++latest_granting;
 
 out:
-       POLICY_WRUNLOCK;
+       write_unlock_irq(&policy_rwlock);
        if (!rc) {
                avc_ss_reset(seqno);
                selnl_notify_policyload(seqno);
+               selinux_status_update_policyload(seqno);
                selinux_xfrm_notify_policyload();
        }
        return rc;
@@ -1942,7 +2408,7 @@ int security_get_bool_value(int bool)
        int rc = 0;
        int len;
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
 
        len = policydb.p_bools.nprim;
        if (bool >= len) {
@@ -1952,7 +2418,7 @@ int security_get_bool_value(int bool)
 
        rc = policydb.bool_val_to_struct[bool]->state;
 out:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
        return rc;
 }
 
@@ -1971,7 +2437,7 @@ static int security_preserve_bools(struct policydb *p)
                if (booldatum)
                        booldatum->state = bvalues[i];
        }
-       for (cur = p->cond_list; cur != NULL; cur = cur->next) {
+       for (cur = p->cond_list; cur; cur = cur->next) {
                rc = evaluate_cond_node(p, cur);
                if (rc)
                        goto out;
@@ -2000,26 +2466,26 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
        u32 len;
        int rc = 0;
 
-       if (!ss_initialized || !selinux_mls_enabled) {
+       if (!ss_initialized || !policydb.mls_enabled) {
                *new_sid = sid;
                goto out;
        }
 
        context_init(&newcon);
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
        context1 = sidtab_search(&sidtab, sid);
        if (!context1) {
-               printk(KERN_ERR "security_sid_mls_copy:  unrecognized SID "
-                      "%d\n", sid);
+               printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                       __func__, sid);
                rc = -EINVAL;
                goto out_unlock;
        }
 
        context2 = sidtab_search(&sidtab, mls_sid);
        if (!context2) {
-               printk(KERN_ERR "security_sid_mls_copy:  unrecognized SID "
-                      "%d\n", mls_sid);
+               printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                       __func__, mls_sid);
                rc = -EINVAL;
                goto out_unlock;
        }
@@ -2049,7 +2515,7 @@ bad:
        }
 
 out_unlock:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
        context_destroy(&newcon);
 out:
        return rc;
@@ -2101,33 +2567,31 @@ int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,
        /* we don't need to check ss_initialized here since the only way both
         * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the
         * security server was initialized and ss_initialized was true */
-       if (!selinux_mls_enabled) {
+       if (!policydb.mls_enabled) {
                *peer_sid = SECSID_NULL;
                return 0;
        }
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
 
        nlbl_ctx = sidtab_search(&sidtab, nlbl_sid);
        if (!nlbl_ctx) {
-               printk(KERN_ERR
-                      "security_sid_mls_cmp:  unrecognized SID %d\n",
-                      nlbl_sid);
+               printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                      __func__, nlbl_sid);
                rc = -EINVAL;
                goto out_slowpath;
        }
        xfrm_ctx = sidtab_search(&sidtab, xfrm_sid);
        if (!xfrm_ctx) {
-               printk(KERN_ERR
-                      "security_sid_mls_cmp:  unrecognized SID %d\n",
-                      xfrm_sid);
+               printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
+                      __func__, xfrm_sid);
                rc = -EINVAL;
                goto out_slowpath;
        }
        rc = (mls_context_cmp(nlbl_ctx, xfrm_ctx) ? 0 : -EACCES);
 
 out_slowpath:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
        if (rc == 0)
                /* at present NetLabel SIDs/labels really only carry MLS
                 * information so if the MLS portion of the NetLabel SID
@@ -2157,10 +2621,10 @@ int security_get_classes(char ***classes, int *nclasses)
 {
        int rc = -ENOMEM;
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
 
        *nclasses = policydb.p_classes.nprim;
-       *classes = kcalloc(*nclasses, sizeof(*classes), GFP_ATOMIC);
+       *classes = kcalloc(*nclasses, sizeof(**classes), GFP_ATOMIC);
        if (!*classes)
                goto out;
 
@@ -2174,7 +2638,7 @@ int security_get_classes(char ***classes, int *nclasses)
        }
 
 out:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
        return rc;
 }
 
@@ -2196,18 +2660,18 @@ int security_get_permissions(char *class, char ***perms, int *nperms)
        int rc = -ENOMEM, i;
        struct class_datum *match;
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
 
        match = hashtab_search(policydb.p_classes.table, class);
        if (!match) {
-               printk(KERN_ERR "%s:  unrecognized class %s\n",
-                       __FUNCTION__, class);
+               printk(KERN_ERR "SELinux: %s:  unrecognized class %s\n",
+                       __func__, class);
                rc = -EINVAL;
                goto out;
        }
 
        *nperms = match->permissions.nprim;
-       *perms = kcalloc(*nperms, sizeof(*perms), GFP_ATOMIC);
+       *perms = kcalloc(*nperms, sizeof(**perms), GFP_ATOMIC);
        if (!*perms)
                goto out;
 
@@ -2224,11 +2688,11 @@ int security_get_permissions(char *class, char ***perms, int *nperms)
                goto err;
 
 out:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
        return rc;
 
 err:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
        for (i = 0; i < *nperms; i++)
                kfree((*perms)[i]);
        kfree(*perms);
@@ -2246,39 +2710,6 @@ int security_get_allow_unknown(void)
 }
 
 /**
- * security_get_policycaps - Query the loaded policy for its capabilities
- * @len: the number of capability bits
- * @values: the capability bit array
- *
- * Description:
- * Get an array of the policy capabilities in @values where each entry in
- * @values is either true (1) or false (0) depending the policy's support of
- * that feature.  The policy capabilities are defined by the
- * POLICYDB_CAPABILITY_* enums.  The size of the array is stored in @len and it
- * is up to the caller to free the array in @values.  Returns zero on success,
- * negative values on failure.
- *
- */
-int security_get_policycaps(int *len, int **values)
-{
-       int rc = -ENOMEM;
-       unsigned int iter;
-
-       POLICY_RDLOCK;
-
-       *values = kcalloc(POLICYDB_CAPABILITY_MAX, sizeof(int), GFP_ATOMIC);
-       if (*values == NULL)
-               goto out;
-       for (iter = 0; iter < POLICYDB_CAPABILITY_MAX; iter++)
-               (*values)[iter] = ebitmap_get_bit(&policydb.policycaps, iter);
-       *len = POLICYDB_CAPABILITY_MAX;
-
-out:
-       POLICY_RDUNLOCK;
-       return rc;
-}
-
-/**
  * security_policycap_supported - Check for a specific policy capability
  * @req_cap: capability
  *
@@ -2292,9 +2723,9 @@ int security_policycap_supported(unsigned int req_cap)
 {
        int rc;
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
        rc = ebitmap_get_bit(&policydb.policycaps, req_cap);
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
 
        return rc;
 }
@@ -2304,21 +2735,23 @@ struct selinux_audit_rule {
        struct context au_ctxt;
 };
 
-void selinux_audit_rule_free(struct selinux_audit_rule *rule)
+void selinux_audit_rule_free(void *vrule)
 {
+       struct selinux_audit_rule *rule = vrule;
+
        if (rule) {
                context_destroy(&rule->au_ctxt);
                kfree(rule);
        }
 }
 
-int selinux_audit_rule_init(u32 field, u32 op, char *rulestr,
-                            struct selinux_audit_rule **rule)
+int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
 {
        struct selinux_audit_rule *tmprule;
        struct role_datum *roledatum;
        struct type_datum *typedatum;
        struct user_datum *userdatum;
+       struct selinux_audit_rule **rule = (struct selinux_audit_rule **)vrule;
        int rc = 0;
 
        *rule = NULL;
@@ -2334,7 +2767,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr,
        case AUDIT_OBJ_ROLE:
        case AUDIT_OBJ_TYPE:
                /* only 'equals' and 'not equals' fit user, role, and type */
-               if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL)
+               if (op != Audit_equal && op != Audit_not_equal)
                        return -EINVAL;
                break;
        case AUDIT_SUBJ_SEN:
@@ -2356,7 +2789,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr,
 
        context_init(&tmprule->au_ctxt);
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
 
        tmprule->au_seqno = latest_granting;
 
@@ -2393,7 +2826,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr,
                break;
        }
 
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
 
        if (rc) {
                selinux_audit_rule_free(tmprule);
@@ -2405,25 +2838,50 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr,
        return rc;
 }
 
-int selinux_audit_rule_match(u32 sid, u32 field, u32 op,
-                             struct selinux_audit_rule *rule,
-                             struct audit_context *actx)
+/* Check to see if the rule contains any selinux fields */
+int selinux_audit_rule_known(struct audit_krule *rule)
+{
+       int i;
+
+       for (i = 0; i < rule->field_count; i++) {
+               struct audit_field *f = &rule->fields[i];
+               switch (f->type) {
+               case AUDIT_SUBJ_USER:
+               case AUDIT_SUBJ_ROLE:
+               case AUDIT_SUBJ_TYPE:
+               case AUDIT_SUBJ_SEN:
+               case AUDIT_SUBJ_CLR:
+               case AUDIT_OBJ_USER:
+               case AUDIT_OBJ_ROLE:
+               case AUDIT_OBJ_TYPE:
+               case AUDIT_OBJ_LEV_LOW:
+               case AUDIT_OBJ_LEV_HIGH:
+                       return 1;
+               }
+       }
+
+       return 0;
+}
+
+int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
+                            struct audit_context *actx)
 {
        struct context *ctxt;
        struct mls_level *level;
+       struct selinux_audit_rule *rule = vrule;
        int match = 0;
 
        if (!rule) {
                audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
-                         "selinux_audit_rule_match: missing rule\n");
+                         "selinux_audit_rule_match: missing rule\n");
                return -ENOENT;
        }
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
 
        if (rule->au_seqno < latest_granting) {
                audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
-                         "selinux_audit_rule_match: stale rule\n");
+                         "selinux_audit_rule_match: stale rule\n");
                match = -ESTALE;
                goto out;
        }
@@ -2431,8 +2889,8 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op,
        ctxt = sidtab_search(&sidtab, sid);
        if (!ctxt) {
                audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
-                         "selinux_audit_rule_match: unrecognized SID %d\n",
-                         sid);
+                         "selinux_audit_rule_match: unrecognized SID %d\n",
+                         sid);
                match = -ENOENT;
                goto out;
        }
@@ -2443,10 +2901,10 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op,
        case AUDIT_SUBJ_USER:
        case AUDIT_OBJ_USER:
                switch (op) {
-               case AUDIT_EQUAL:
+               case Audit_equal:
                        match = (ctxt->user == rule->au_ctxt.user);
                        break;
-               case AUDIT_NOT_EQUAL:
+               case Audit_not_equal:
                        match = (ctxt->user != rule->au_ctxt.user);
                        break;
                }
@@ -2454,10 +2912,10 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op,
        case AUDIT_SUBJ_ROLE:
        case AUDIT_OBJ_ROLE:
                switch (op) {
-               case AUDIT_EQUAL:
+               case Audit_equal:
                        match = (ctxt->role == rule->au_ctxt.role);
                        break;
-               case AUDIT_NOT_EQUAL:
+               case Audit_not_equal:
                        match = (ctxt->role != rule->au_ctxt.role);
                        break;
                }
@@ -2465,10 +2923,10 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op,
        case AUDIT_SUBJ_TYPE:
        case AUDIT_OBJ_TYPE:
                switch (op) {
-               case AUDIT_EQUAL:
+               case Audit_equal:
                        match = (ctxt->type == rule->au_ctxt.type);
                        break;
-               case AUDIT_NOT_EQUAL:
+               case Audit_not_equal:
                        match = (ctxt->type != rule->au_ctxt.type);
                        break;
                }
@@ -2478,49 +2936,49 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op,
        case AUDIT_OBJ_LEV_LOW:
        case AUDIT_OBJ_LEV_HIGH:
                level = ((field == AUDIT_SUBJ_SEN ||
-                         field == AUDIT_OBJ_LEV_LOW) ?
-                        &ctxt->range.level[0] : &ctxt->range.level[1]);
+                         field == AUDIT_OBJ_LEV_LOW) ?
+                        &ctxt->range.level[0] : &ctxt->range.level[1]);
                switch (op) {
-               case AUDIT_EQUAL:
+               case Audit_equal:
                        match = mls_level_eq(&rule->au_ctxt.range.level[0],
-                                            level);
+                                            level);
                        break;
-               case AUDIT_NOT_EQUAL:
+               case Audit_not_equal:
                        match = !mls_level_eq(&rule->au_ctxt.range.level[0],
-                                             level);
+                                             level);
                        break;
-               case AUDIT_LESS_THAN:
+               case Audit_lt:
                        match = (mls_level_dom(&rule->au_ctxt.range.level[0],
-                                              level) &&
-                                !mls_level_eq(&rule->au_ctxt.range.level[0],
-                                              level));
+                                              level) &&
+                                !mls_level_eq(&rule->au_ctxt.range.level[0],
+                                              level));
                        break;
-               case AUDIT_LESS_THAN_OR_EQUAL:
+               case Audit_le:
                        match = mls_level_dom(&rule->au_ctxt.range.level[0],
-                                             level);
+                                             level);
                        break;
-               case AUDIT_GREATER_THAN:
+               case Audit_gt:
                        match = (mls_level_dom(level,
-                                             &rule->au_ctxt.range.level[0]) &&
-                                !mls_level_eq(level,
-                                              &rule->au_ctxt.range.level[0]));
+                                             &rule->au_ctxt.range.level[0]) &&
+                                !mls_level_eq(level,
+                                              &rule->au_ctxt.range.level[0]));
                        break;
-               case AUDIT_GREATER_THAN_OR_EQUAL:
+               case Audit_ge:
                        match = mls_level_dom(level,
-                                             &rule->au_ctxt.range.level[0]);
+                                             &rule->au_ctxt.range.level[0]);
                        break;
                }
        }
 
 out:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
        return match;
 }
 
-static int (*aurule_callback)(void) = NULL;
+static int (*aurule_callback)(void) = audit_update_lsm_rules;
 
 static int aurule_avc_callback(u32 event, u32 ssid, u32 tsid,
-                               u16 class, u32 perms, u32 *retained)
+                              u16 class, u32 perms, u32 *retained)
 {
        int err = 0;
 
@@ -2534,7 +2992,7 @@ static int __init aurule_init(void)
        int err;
 
        err = avc_add_callback(aurule_avc_callback, AVC_CALLBACK_RESET,
-                              SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
+                              SECSID_NULL, SECSID_NULL, SECCLASS_NULL, 0);
        if (err)
                panic("avc_add_callback() failed, error %d\n", err);
 
@@ -2542,11 +3000,6 @@ static int __init aurule_init(void)
 }
 __initcall(aurule_init);
 
-void selinux_audit_set_callback(int (*callback)(void))
-{
-       aurule_callback = callback;
-}
-
 #ifdef CONFIG_NETLABEL
 /**
  * security_netlbl_cache_add - Add an entry to the NetLabel cache
@@ -2606,7 +3059,7 @@ int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
                return 0;
        }
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
 
        if (secattr->flags & NETLBL_SECATTR_CACHE) {
                *sid = *(u32 *)secattr->cache->data;
@@ -2619,6 +3072,7 @@ int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
                if (ctx == NULL)
                        goto netlbl_secattr_to_sid_return;
 
+               context_init(&ctx_new);
                ctx_new.user = ctx->user;
                ctx_new.role = ctx->role;
                ctx_new.type = ctx->type;
@@ -2627,13 +3081,9 @@ int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
                        if (ebitmap_netlbl_import(&ctx_new.range.level[0].cat,
                                                  secattr->attr.mls.cat) != 0)
                                goto netlbl_secattr_to_sid_return;
-                       ctx_new.range.level[1].cat.highbit =
-                               ctx_new.range.level[0].cat.highbit;
-                       ctx_new.range.level[1].cat.node =
-                               ctx_new.range.level[0].cat.node;
-               } else {
-                       ebitmap_init(&ctx_new.range.level[0].cat);
-                       ebitmap_init(&ctx_new.range.level[1].cat);
+                       memcpy(&ctx_new.range.level[1].cat,
+                              &ctx_new.range.level[0].cat,
+                              sizeof(ctx_new.range.level[0].cat));
                }
                if (mls_context_isvalid(&policydb, &ctx_new) != 1)
                        goto netlbl_secattr_to_sid_return_cleanup;
@@ -2651,7 +3101,7 @@ int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
        }
 
 netlbl_secattr_to_sid_return:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
        return rc;
 netlbl_secattr_to_sid_return_cleanup:
        ebitmap_destroy(&ctx_new.range.level[0].cat);
@@ -2670,29 +3120,71 @@ netlbl_secattr_to_sid_return_cleanup:
  */
 int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr)
 {
-       int rc = -ENOENT;
+       int rc;
        struct context *ctx;
 
        if (!ss_initialized)
                return 0;
 
-       POLICY_RDLOCK;
+       read_lock(&policy_rwlock);
        ctx = sidtab_search(&sidtab, sid);
-       if (ctx == NULL)
+       if (ctx == NULL) {
+               rc = -ENOENT;
                goto netlbl_sid_to_secattr_failure;
+       }
        secattr->domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1],
                                  GFP_ATOMIC);
-       secattr->flags |= NETLBL_SECATTR_DOMAIN;
+       if (secattr->domain == NULL) {
+               rc = -ENOMEM;
+               goto netlbl_sid_to_secattr_failure;
+       }
+       secattr->attr.secid = sid;
+       secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY | NETLBL_SECATTR_SECID;
        mls_export_netlbl_lvl(ctx, secattr);
        rc = mls_export_netlbl_cat(ctx, secattr);
        if (rc != 0)
                goto netlbl_sid_to_secattr_failure;
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
 
        return 0;
 
 netlbl_sid_to_secattr_failure:
-       POLICY_RDUNLOCK;
+       read_unlock(&policy_rwlock);
        return rc;
 }
 #endif /* CONFIG_NETLABEL */
+
+/**
+ * security_read_policy - read the policy.
+ * @data: binary policy data
+ * @len: length of data in bytes
+ *
+ */
+int security_read_policy(void **data, ssize_t *len)
+{
+       int rc;
+       struct policy_file fp;
+
+       if (!ss_initialized)
+               return -EINVAL;
+
+       *len = security_policydb_len();
+
+       *data = vmalloc_user(*len);
+       if (!*data)
+               return -ENOMEM;
+
+       fp.data = *data;
+       fp.len = *len;
+
+       read_lock(&policy_rwlock);
+       rc = policydb_write(&policydb, &fp);
+       read_unlock(&policy_rwlock);
+
+       if (rc)
+               return rc;
+
+       *len = (unsigned long)fp.data - (unsigned long)*data;
+       return 0;
+
+}