Creation of Cybook 2416 (actually Gen4) repository

security/selinux/include/av_inherit.h

@@ -0,0 +1,33 @@
+/* This file is automatically generated.  Do not edit. */
+   S_(SECCLASS_DIR, file, 0x00020000UL)
+   S_(SECCLASS_FILE, file, 0x00020000UL)
+   S_(SECCLASS_LNK_FILE, file, 0x00020000UL)
+   S_(SECCLASS_CHR_FILE, file, 0x00020000UL)
+   S_(SECCLASS_BLK_FILE, file, 0x00020000UL)
+   S_(SECCLASS_SOCK_FILE, file, 0x00020000UL)
+   S_(SECCLASS_FIFO_FILE, file, 0x00020000UL)
+   S_(SECCLASS_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_TCP_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_UDP_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_RAWIP_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_NETLINK_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_PACKET_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_KEY_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_UNIX_STREAM_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_UNIX_DGRAM_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_IPC, ipc, 0x00000200UL)
+   S_(SECCLASS_SEM, ipc, 0x00000200UL)
+   S_(SECCLASS_MSGQ, ipc, 0x00000200UL)
+   S_(SECCLASS_SHM, ipc, 0x00000200UL)
+   S_(SECCLASS_NETLINK_ROUTE_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_NETLINK_FIREWALL_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_NETLINK_NFLOG_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_NETLINK_XFRM_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_NETLINK_SELINUX_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_NETLINK_AUDIT_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_NETLINK_IP6FW_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_NETLINK_DNRT_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_APPLETALK_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_DCCP_SOCKET, socket, 0x00400000UL)

security/selinux/include/av_perm_to_string.h

@@ -0,0 +1,262 @@
+/* This file is automatically generated.  Do not edit. */
+   S_(SECCLASS_FILESYSTEM, FILESYSTEM__MOUNT, "mount")
+   S_(SECCLASS_FILESYSTEM, FILESYSTEM__REMOUNT, "remount")
+   S_(SECCLASS_FILESYSTEM, FILESYSTEM__UNMOUNT, "unmount")
+   S_(SECCLASS_FILESYSTEM, FILESYSTEM__GETATTR, "getattr")
+   S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELFROM, "relabelfrom")
+   S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELTO, "relabelto")
+   S_(SECCLASS_FILESYSTEM, FILESYSTEM__TRANSITION, "transition")
+   S_(SECCLASS_FILESYSTEM, FILESYSTEM__ASSOCIATE, "associate")
+   S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAMOD, "quotamod")
+   S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAGET, "quotaget")
+   S_(SECCLASS_DIR, DIR__ADD_NAME, "add_name")
+   S_(SECCLASS_DIR, DIR__REMOVE_NAME, "remove_name")
+   S_(SECCLASS_DIR, DIR__REPARENT, "reparent")
+   S_(SECCLASS_DIR, DIR__SEARCH, "search")
+   S_(SECCLASS_DIR, DIR__RMDIR, "rmdir")
+   S_(SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans")
+   S_(SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint")
+   S_(SECCLASS_FILE, FILE__EXECMOD, "execmod")
+   S_(SECCLASS_CHR_FILE, CHR_FILE__EXECUTE_NO_TRANS, "execute_no_trans")
+   S_(SECCLASS_CHR_FILE, CHR_FILE__ENTRYPOINT, "entrypoint")
+   S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod")
+   S_(SECCLASS_FD, FD__USE, "use")
+   S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto")
+   S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn")
+   S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__ACCEPTFROM, "acceptfrom")
+   S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NODE_BIND, "node_bind")
+   S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NAME_CONNECT, "name_connect")
+   S_(SECCLASS_UDP_SOCKET, UDP_SOCKET__NODE_BIND, "node_bind")
+   S_(SECCLASS_RAWIP_SOCKET, RAWIP_SOCKET__NODE_BIND, "node_bind")
+   S_(SECCLASS_NODE, NODE__TCP_RECV, "tcp_recv")
+   S_(SECCLASS_NODE, NODE__TCP_SEND, "tcp_send")
+   S_(SECCLASS_NODE, NODE__UDP_RECV, "udp_recv")
+   S_(SECCLASS_NODE, NODE__UDP_SEND, "udp_send")
+   S_(SECCLASS_NODE, NODE__RAWIP_RECV, "rawip_recv")
+   S_(SECCLASS_NODE, NODE__RAWIP_SEND, "rawip_send")
+   S_(SECCLASS_NODE, NODE__ENFORCE_DEST, "enforce_dest")
+   S_(SECCLASS_NODE, NODE__DCCP_RECV, "dccp_recv")
+   S_(SECCLASS_NODE, NODE__DCCP_SEND, "dccp_send")
+   S_(SECCLASS_NETIF, NETIF__TCP_RECV, "tcp_recv")
+   S_(SECCLASS_NETIF, NETIF__TCP_SEND, "tcp_send")
+   S_(SECCLASS_NETIF, NETIF__UDP_RECV, "udp_recv")
+   S_(SECCLASS_NETIF, NETIF__UDP_SEND, "udp_send")
+   S_(SECCLASS_NETIF, NETIF__RAWIP_RECV, "rawip_recv")
+   S_(SECCLASS_NETIF, NETIF__RAWIP_SEND, "rawip_send")
+   S_(SECCLASS_NETIF, NETIF__DCCP_RECV, "dccp_recv")
+   S_(SECCLASS_NETIF, NETIF__DCCP_SEND, "dccp_send")
+   S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__CONNECTTO, "connectto")
+   S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__NEWCONN, "newconn")
+   S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__ACCEPTFROM, "acceptfrom")
+   S_(SECCLASS_PROCESS, PROCESS__FORK, "fork")
+   S_(SECCLASS_PROCESS, PROCESS__TRANSITION, "transition")
+   S_(SECCLASS_PROCESS, PROCESS__SIGCHLD, "sigchld")
+   S_(SECCLASS_PROCESS, PROCESS__SIGKILL, "sigkill")
+   S_(SECCLASS_PROCESS, PROCESS__SIGSTOP, "sigstop")
+   S_(SECCLASS_PROCESS, PROCESS__SIGNULL, "signull")
+   S_(SECCLASS_PROCESS, PROCESS__SIGNAL, "signal")
+   S_(SECCLASS_PROCESS, PROCESS__PTRACE, "ptrace")
+   S_(SECCLASS_PROCESS, PROCESS__GETSCHED, "getsched")
+   S_(SECCLASS_PROCESS, PROCESS__SETSCHED, "setsched")
+   S_(SECCLASS_PROCESS, PROCESS__GETSESSION, "getsession")
+   S_(SECCLASS_PROCESS, PROCESS__GETPGID, "getpgid")
+   S_(SECCLASS_PROCESS, PROCESS__SETPGID, "setpgid")
+   S_(SECCLASS_PROCESS, PROCESS__GETCAP, "getcap")
+   S_(SECCLASS_PROCESS, PROCESS__SETCAP, "setcap")
+   S_(SECCLASS_PROCESS, PROCESS__SHARE, "share")
+   S_(SECCLASS_PROCESS, PROCESS__GETATTR, "getattr")
+   S_(SECCLASS_PROCESS, PROCESS__SETEXEC, "setexec")
+   S_(SECCLASS_PROCESS, PROCESS__SETFSCREATE, "setfscreate")
+   S_(SECCLASS_PROCESS, PROCESS__NOATSECURE, "noatsecure")
+   S_(SECCLASS_PROCESS, PROCESS__SIGINH, "siginh")
+   S_(SECCLASS_PROCESS, PROCESS__SETRLIMIT, "setrlimit")
+   S_(SECCLASS_PROCESS, PROCESS__RLIMITINH, "rlimitinh")
+   S_(SECCLASS_PROCESS, PROCESS__DYNTRANSITION, "dyntransition")
+   S_(SECCLASS_PROCESS, PROCESS__SETCURRENT, "setcurrent")
+   S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem")
+   S_(SECCLASS_PROCESS, PROCESS__EXECSTACK, "execstack")
+   S_(SECCLASS_PROCESS, PROCESS__EXECHEAP, "execheap")
+   S_(SECCLASS_PROCESS, PROCESS__SETKEYCREATE, "setkeycreate")
+   S_(SECCLASS_PROCESS, PROCESS__SETSOCKCREATE, "setsockcreate")
+   S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue")
+   S_(SECCLASS_MSG, MSG__SEND, "send")
+   S_(SECCLASS_MSG, MSG__RECEIVE, "receive")
+   S_(SECCLASS_SHM, SHM__LOCK, "lock")
+   S_(SECCLASS_SECURITY, SECURITY__COMPUTE_AV, "compute_av")
+   S_(SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE, "compute_create")
+   S_(SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER, "compute_member")
+   S_(SECCLASS_SECURITY, SECURITY__CHECK_CONTEXT, "check_context")
+   S_(SECCLASS_SECURITY, SECURITY__LOAD_POLICY, "load_policy")
+   S_(SECCLASS_SECURITY, SECURITY__COMPUTE_RELABEL, "compute_relabel")
+   S_(SECCLASS_SECURITY, SECURITY__COMPUTE_USER, "compute_user")
+   S_(SECCLASS_SECURITY, SECURITY__SETENFORCE, "setenforce")
+   S_(SECCLASS_SECURITY, SECURITY__SETBOOL, "setbool")
+   S_(SECCLASS_SECURITY, SECURITY__SETSECPARAM, "setsecparam")
+   S_(SECCLASS_SECURITY, SECURITY__SETCHECKREQPROT, "setcheckreqprot")
+   S_(SECCLASS_SYSTEM, SYSTEM__IPC_INFO, "ipc_info")
+   S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, "syslog_read")
+   S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, "syslog_mod")
+   S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, "syslog_console")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__CHOWN, "chown")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_OVERRIDE, "dac_override")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_READ_SEARCH, "dac_read_search")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__FOWNER, "fowner")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__FSETID, "fsetid")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__KILL, "kill")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__SETGID, "setgid")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__SETUID, "setuid")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__SETPCAP, "setpcap")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__LINUX_IMMUTABLE, "linux_immutable")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BIND_SERVICE, "net_bind_service")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BROADCAST, "net_broadcast")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__NET_ADMIN, "net_admin")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__NET_RAW, "net_raw")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_LOCK, "ipc_lock")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_OWNER, "ipc_owner")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_MODULE, "sys_module")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RAWIO, "sys_rawio")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_CHROOT, "sys_chroot")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PTRACE, "sys_ptrace")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PACCT, "sys_pacct")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_ADMIN, "sys_admin")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_BOOT, "sys_boot")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_NICE, "sys_nice")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RESOURCE, "sys_resource")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TIME, "sys_time")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TTY_CONFIG, "sys_tty_config")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__MKNOD, "mknod")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
+   S_(SECCLASS_PASSWD, PASSWD__PASSWD, "passwd")
+   S_(SECCLASS_PASSWD, PASSWD__CHFN, "chfn")
+   S_(SECCLASS_PASSWD, PASSWD__CHSH, "chsh")
+   S_(SECCLASS_PASSWD, PASSWD__ROOTOK, "rootok")
+   S_(SECCLASS_PASSWD, PASSWD__CRONTAB, "crontab")
+   S_(SECCLASS_DRAWABLE, DRAWABLE__CREATE, "create")
+   S_(SECCLASS_DRAWABLE, DRAWABLE__DESTROY, "destroy")
+   S_(SECCLASS_DRAWABLE, DRAWABLE__DRAW, "draw")
+   S_(SECCLASS_DRAWABLE, DRAWABLE__COPY, "copy")
+   S_(SECCLASS_DRAWABLE, DRAWABLE__GETATTR, "getattr")
+   S_(SECCLASS_GC, GC__CREATE, "create")
+   S_(SECCLASS_GC, GC__FREE, "free")
+   S_(SECCLASS_GC, GC__GETATTR, "getattr")
+   S_(SECCLASS_GC, GC__SETATTR, "setattr")
+   S_(SECCLASS_WINDOW, WINDOW__ADDCHILD, "addchild")
+   S_(SECCLASS_WINDOW, WINDOW__CREATE, "create")
+   S_(SECCLASS_WINDOW, WINDOW__DESTROY, "destroy")
+   S_(SECCLASS_WINDOW, WINDOW__MAP, "map")
+   S_(SECCLASS_WINDOW, WINDOW__UNMAP, "unmap")
+   S_(SECCLASS_WINDOW, WINDOW__CHSTACK, "chstack")
+   S_(SECCLASS_WINDOW, WINDOW__CHPROPLIST, "chproplist")
+   S_(SECCLASS_WINDOW, WINDOW__CHPROP, "chprop")
+   S_(SECCLASS_WINDOW, WINDOW__LISTPROP, "listprop")
+   S_(SECCLASS_WINDOW, WINDOW__GETATTR, "getattr")
+   S_(SECCLASS_WINDOW, WINDOW__SETATTR, "setattr")
+   S_(SECCLASS_WINDOW, WINDOW__SETFOCUS, "setfocus")
+   S_(SECCLASS_WINDOW, WINDOW__MOVE, "move")
+   S_(SECCLASS_WINDOW, WINDOW__CHSELECTION, "chselection")
+   S_(SECCLASS_WINDOW, WINDOW__CHPARENT, "chparent")
+   S_(SECCLASS_WINDOW, WINDOW__CTRLLIFE, "ctrllife")
+   S_(SECCLASS_WINDOW, WINDOW__ENUMERATE, "enumerate")
+   S_(SECCLASS_WINDOW, WINDOW__TRANSPARENT, "transparent")
+   S_(SECCLASS_WINDOW, WINDOW__MOUSEMOTION, "mousemotion")
+   S_(SECCLASS_WINDOW, WINDOW__CLIENTCOMEVENT, "clientcomevent")
+   S_(SECCLASS_WINDOW, WINDOW__INPUTEVENT, "inputevent")
+   S_(SECCLASS_WINDOW, WINDOW__DRAWEVENT, "drawevent")
+   S_(SECCLASS_WINDOW, WINDOW__WINDOWCHANGEEVENT, "windowchangeevent")
+   S_(SECCLASS_WINDOW, WINDOW__WINDOWCHANGEREQUEST, "windowchangerequest")
+   S_(SECCLASS_WINDOW, WINDOW__SERVERCHANGEEVENT, "serverchangeevent")
+   S_(SECCLASS_WINDOW, WINDOW__EXTENSIONEVENT, "extensionevent")
+   S_(SECCLASS_FONT, FONT__LOAD, "load")
+   S_(SECCLASS_FONT, FONT__FREE, "free")
+   S_(SECCLASS_FONT, FONT__GETATTR, "getattr")
+   S_(SECCLASS_FONT, FONT__USE, "use")
+   S_(SECCLASS_COLORMAP, COLORMAP__CREATE, "create")
+   S_(SECCLASS_COLORMAP, COLORMAP__FREE, "free")
+   S_(SECCLASS_COLORMAP, COLORMAP__INSTALL, "install")
+   S_(SECCLASS_COLORMAP, COLORMAP__UNINSTALL, "uninstall")
+   S_(SECCLASS_COLORMAP, COLORMAP__LIST, "list")
+   S_(SECCLASS_COLORMAP, COLORMAP__READ, "read")
+   S_(SECCLASS_COLORMAP, COLORMAP__STORE, "store")
+   S_(SECCLASS_COLORMAP, COLORMAP__GETATTR, "getattr")
+   S_(SECCLASS_COLORMAP, COLORMAP__SETATTR, "setattr")
+   S_(SECCLASS_PROPERTY, PROPERTY__CREATE, "create")
+   S_(SECCLASS_PROPERTY, PROPERTY__FREE, "free")
+   S_(SECCLASS_PROPERTY, PROPERTY__READ, "read")
+   S_(SECCLASS_PROPERTY, PROPERTY__WRITE, "write")
+   S_(SECCLASS_CURSOR, CURSOR__CREATE, "create")
+   S_(SECCLASS_CURSOR, CURSOR__CREATEGLYPH, "createglyph")
+   S_(SECCLASS_CURSOR, CURSOR__FREE, "free")
+   S_(SECCLASS_CURSOR, CURSOR__ASSIGN, "assign")
+   S_(SECCLASS_CURSOR, CURSOR__SETATTR, "setattr")
+   S_(SECCLASS_XCLIENT, XCLIENT__KILL, "kill")
+   S_(SECCLASS_XINPUT, XINPUT__LOOKUP, "lookup")
+   S_(SECCLASS_XINPUT, XINPUT__GETATTR, "getattr")
+   S_(SECCLASS_XINPUT, XINPUT__SETATTR, "setattr")
+   S_(SECCLASS_XINPUT, XINPUT__SETFOCUS, "setfocus")
+   S_(SECCLASS_XINPUT, XINPUT__WARPPOINTER, "warppointer")
+   S_(SECCLASS_XINPUT, XINPUT__ACTIVEGRAB, "activegrab")
+   S_(SECCLASS_XINPUT, XINPUT__PASSIVEGRAB, "passivegrab")
+   S_(SECCLASS_XINPUT, XINPUT__UNGRAB, "ungrab")
+   S_(SECCLASS_XINPUT, XINPUT__BELL, "bell")
+   S_(SECCLASS_XINPUT, XINPUT__MOUSEMOTION, "mousemotion")
+   S_(SECCLASS_XINPUT, XINPUT__RELABELINPUT, "relabelinput")
+   S_(SECCLASS_XSERVER, XSERVER__SCREENSAVER, "screensaver")
+   S_(SECCLASS_XSERVER, XSERVER__GETHOSTLIST, "gethostlist")
+   S_(SECCLASS_XSERVER, XSERVER__SETHOSTLIST, "sethostlist")
+   S_(SECCLASS_XSERVER, XSERVER__GETFONTPATH, "getfontpath")
+   S_(SECCLASS_XSERVER, XSERVER__SETFONTPATH, "setfontpath")
+   S_(SECCLASS_XSERVER, XSERVER__GETATTR, "getattr")
+   S_(SECCLASS_XSERVER, XSERVER__GRAB, "grab")
+   S_(SECCLASS_XSERVER, XSERVER__UNGRAB, "ungrab")
+   S_(SECCLASS_XEXTENSION, XEXTENSION__QUERY, "query")
+   S_(SECCLASS_XEXTENSION, XEXTENSION__USE, "use")
+   S_(SECCLASS_PAX, PAX__PAGEEXEC, "pageexec")
+   S_(SECCLASS_PAX, PAX__EMUTRAMP, "emutramp")
+   S_(SECCLASS_PAX, PAX__MPROTECT, "mprotect")
+   S_(SECCLASS_PAX, PAX__RANDMMAP, "randmmap")
+   S_(SECCLASS_PAX, PAX__RANDEXEC, "randexec")
+   S_(SECCLASS_PAX, PAX__SEGMEXEC, "segmexec")
+   S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read")
+   S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write")
+   S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read")
+   S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_WRITE, "nlmsg_write")
+   S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_READ, "nlmsg_read")
+   S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE, "nlmsg_write")
+   S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_READ, "nlmsg_read")
+   S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_WRITE, "nlmsg_write")
+   S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READ, "nlmsg_read")
+   S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE, "nlmsg_write")
+   S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_RELAY, "nlmsg_relay")
+   S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV, "nlmsg_readpriv")
+   S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_READ, "nlmsg_read")
+   S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_WRITE, "nlmsg_write")
+   S_(SECCLASS_DBUS, DBUS__ACQUIRE_SVC, "acquire_svc")
+   S_(SECCLASS_DBUS, DBUS__SEND_MSG, "send_msg")
+   S_(SECCLASS_NSCD, NSCD__GETPWD, "getpwd")
+   S_(SECCLASS_NSCD, NSCD__GETGRP, "getgrp")
+   S_(SECCLASS_NSCD, NSCD__GETHOST, "gethost")
+   S_(SECCLASS_NSCD, NSCD__GETSTAT, "getstat")
+   S_(SECCLASS_NSCD, NSCD__ADMIN, "admin")
+   S_(SECCLASS_NSCD, NSCD__SHMEMPWD, "shmempwd")
+   S_(SECCLASS_NSCD, NSCD__SHMEMGRP, "shmemgrp")
+   S_(SECCLASS_NSCD, NSCD__SHMEMHOST, "shmemhost")
+   S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
+   S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
+   S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext")
+   S_(SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, "polmatch")
+   S_(SECCLASS_PACKET, PACKET__SEND, "send")
+   S_(SECCLASS_PACKET, PACKET__RECV, "recv")
+   S_(SECCLASS_PACKET, PACKET__RELABELTO, "relabelto")
+   S_(SECCLASS_KEY, KEY__VIEW, "view")
+   S_(SECCLASS_KEY, KEY__READ, "read")
+   S_(SECCLASS_KEY, KEY__WRITE, "write")
+   S_(SECCLASS_KEY, KEY__SEARCH, "search")
+   S_(SECCLASS_KEY, KEY__LINK, "link")
+   S_(SECCLASS_KEY, KEY__SETATTR, "setattr")
+   S_(SECCLASS_KEY, KEY__CREATE, "create")
+   S_(SECCLASS_CONTEXT, CONTEXT__TRANSLATE, "translate")
+   S_(SECCLASS_CONTEXT, CONTEXT__CONTAINS, "contains")
+   S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NODE_BIND, "node_bind")
+   S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NAME_CONNECT, "name_connect")

security/selinux/include/avc.h

@@ -0,0 +1,139 @@
+/*
+ * Access vector cache interface for object managers.
+ *
+ * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
+ */
+#ifndef _SELINUX_AVC_H_
+#define _SELINUX_AVC_H_
+
+#include <linux/stddef.h>
+#include <linux/errno.h>
+#include <linux/kernel.h>
+#include <linux/kdev_t.h>
+#include <linux/spinlock.h>
+#include <linux/init.h>
+#include <linux/in6.h>
+#include <asm/system.h>
+#include "flask.h"
+#include "av_permissions.h"
+#include "security.h"
+
+#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
+extern int selinux_enforcing;
+#else
+#define selinux_enforcing 1
+#endif
+
+/*
+ * An entry in the AVC.
+ */
+struct avc_entry;
+
+struct task_struct;
+struct vfsmount;
+struct dentry;
+struct inode;
+struct sock;
+struct sk_buff;
+
+/* Auxiliary data to use in generating the audit record. */
+struct avc_audit_data {
+	char    type;
+#define AVC_AUDIT_DATA_FS   1
+#define AVC_AUDIT_DATA_NET  2
+#define AVC_AUDIT_DATA_CAP  3
+#define AVC_AUDIT_DATA_IPC  4
+	struct task_struct *tsk;
+	union 	{
+		struct {
+			struct vfsmount *mnt;
+			struct dentry *dentry;
+			struct inode *inode;
+		} fs;
+		struct {
+			char *netif;
+			struct sock *sk;
+			u16 family;
+			__be16 dport;
+			__be16 sport;
+			union {
+				struct {
+					__be32 daddr;
+					__be32 saddr;
+				} v4;
+				struct {
+					struct in6_addr daddr;
+					struct in6_addr saddr;
+				} v6;
+			} fam;
+		} net;
+		int cap;
+		int ipc_id;
+	} u;
+};
+
+#define v4info fam.v4
+#define v6info fam.v6
+
+/* Initialize an AVC audit data structure. */
+#define AVC_AUDIT_DATA_INIT(_d,_t) \
+        { memset((_d), 0, sizeof(struct avc_audit_data)); (_d)->type = AVC_AUDIT_DATA_##_t; }
+
+/*
+ * AVC statistics
+ */
+struct avc_cache_stats
+{
+	unsigned int lookups;
+	unsigned int hits;
+	unsigned int misses;
+	unsigned int allocations;
+	unsigned int reclaims;
+	unsigned int frees;
+};
+
+/*
+ * AVC operations
+ */
+
+void __init avc_init(void);
+
+void avc_audit(u32 ssid, u32 tsid,
+               u16 tclass, u32 requested,
+               struct av_decision *avd, int result, struct avc_audit_data *auditdata);
+
+#define AVC_STRICT 1 /* Ignore permissive mode. */
+int avc_has_perm_noaudit(u32 ssid, u32 tsid,
+			 u16 tclass, u32 requested,
+			 unsigned flags,
+			 struct av_decision *avd);
+
+int avc_has_perm(u32 ssid, u32 tsid,
+                 u16 tclass, u32 requested,
+                 struct avc_audit_data *auditdata);
+
+#define AVC_CALLBACK_GRANT		1
+#define AVC_CALLBACK_TRY_REVOKE		2
+#define AVC_CALLBACK_REVOKE		4
+#define AVC_CALLBACK_RESET		8
+#define AVC_CALLBACK_AUDITALLOW_ENABLE	16
+#define AVC_CALLBACK_AUDITALLOW_DISABLE	32
+#define AVC_CALLBACK_AUDITDENY_ENABLE	64
+#define AVC_CALLBACK_AUDITDENY_DISABLE	128
+
+int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
+                                     u16 tclass, u32 perms,
+				     u32 *out_retained),
+		     u32 events, u32 ssid, u32 tsid,
+		     u16 tclass, u32 perms);
+
+/* Exported to selinuxfs */
+int avc_get_hash_stats(char *page);
+extern unsigned int avc_cache_threshold;
+
+#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
+DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats);
+#endif
+
+#endif /* _SELINUX_AVC_H_ */
+

security/selinux/include/avc_ss.h

@@ -0,0 +1,38 @@
+/*
+ * Access vector cache interface for the security server.
+ *
+ * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
+ */
+#ifndef _SELINUX_AVC_SS_H_
+#define _SELINUX_AVC_SS_H_
+
+#include "flask.h"
+
+int avc_ss_reset(u32 seqno);
+
+struct av_perm_to_string
+{
+	u16 tclass;
+	u32 value;
+	const char *name;
+};
+
+struct av_inherit
+{
+	u16 tclass;
+	const char **common_pts;
+	u32 common_base;
+};
+
+struct selinux_class_perm
+{
+	const struct av_perm_to_string *av_perm_to_string;
+	u32 av_pts_len;
+	const char **class_to_string;
+	u32 cts_len;
+	const struct av_inherit *av_inherit;
+	u32 av_inherit_len;
+};
+
+#endif /* _SELINUX_AVC_SS_H_ */
+

security/selinux/include/class_to_string.h

@@ -0,0 +1,65 @@
+/* This file is automatically generated.  Do not edit. */
+/*
+ * Security object class definitions
+ */
+    S_("null")
+    S_("security")
+    S_("process")
+    S_("system")
+    S_("capability")
+    S_("filesystem")
+    S_("file")
+    S_("dir")
+    S_("fd")
+    S_("lnk_file")
+    S_("chr_file")
+    S_("blk_file")
+    S_("sock_file")
+    S_("fifo_file")
+    S_("socket")
+    S_("tcp_socket")
+    S_("udp_socket")
+    S_("rawip_socket")
+    S_("node")
+    S_("netif")
+    S_("netlink_socket")
+    S_("packet_socket")
+    S_("key_socket")
+    S_("unix_stream_socket")
+    S_("unix_dgram_socket")
+    S_("sem")
+    S_("msg")
+    S_("msgq")
+    S_("shm")
+    S_("ipc")
+    S_("passwd")
+    S_("drawable")
+    S_("window")
+    S_("gc")
+    S_("font")
+    S_("colormap")
+    S_("property")
+    S_("cursor")
+    S_("xclient")
+    S_("xinput")
+    S_("xserver")
+    S_("xextension")
+    S_("pax")
+    S_("netlink_route_socket")
+    S_("netlink_firewall_socket")
+    S_("netlink_tcpdiag_socket")
+    S_("netlink_nflog_socket")
+    S_("netlink_xfrm_socket")
+    S_("netlink_selinux_socket")
+    S_("netlink_audit_socket")
+    S_("netlink_ip6fw_socket")
+    S_("netlink_dnrt_socket")
+    S_("dbus")
+    S_("nscd")
+    S_("association")
+    S_("netlink_kobject_uevent_socket")
+    S_("appletalk_socket")
+    S_("packet")
+    S_("key")
+    S_("context")
+    S_("dccp_socket")

security/selinux/include/common_perm_to_string.h

@@ -0,0 +1,58 @@
+/* This file is automatically generated.  Do not edit. */
+TB_(common_file_perm_to_string)
+    S_("ioctl")
+    S_("read")
+    S_("write")
+    S_("create")
+    S_("getattr")
+    S_("setattr")
+    S_("lock")
+    S_("relabelfrom")
+    S_("relabelto")
+    S_("append")
+    S_("unlink")
+    S_("link")
+    S_("rename")
+    S_("execute")
+    S_("swapon")
+    S_("quotaon")
+    S_("mounton")
+TE_(common_file_perm_to_string)
+
+TB_(common_socket_perm_to_string)
+    S_("ioctl")
+    S_("read")
+    S_("write")
+    S_("create")
+    S_("getattr")
+    S_("setattr")
+    S_("lock")
+    S_("relabelfrom")
+    S_("relabelto")
+    S_("append")
+    S_("bind")
+    S_("connect")
+    S_("listen")
+    S_("accept")
+    S_("getopt")
+    S_("setopt")
+    S_("shutdown")
+    S_("recvfrom")
+    S_("sendto")
+    S_("recv_msg")
+    S_("send_msg")
+    S_("name_bind")
+TE_(common_socket_perm_to_string)
+
+TB_(common_ipc_perm_to_string)
+    S_("create")
+    S_("destroy")
+    S_("getattr")
+    S_("setattr")
+    S_("read")
+    S_("write")
+    S_("associate")
+    S_("unix_read")
+    S_("unix_write")
+TE_(common_ipc_perm_to_string)
+

security/selinux/include/conditional.h

@@ -0,0 +1,22 @@
+/*
+ * Interface to booleans in the security server. This is exported
+ * for the selinuxfs.
+ *
+ * Author: Karl MacMillan <kmacmillan@tresys.com>
+ *
+ * Copyright (C) 2003 - 2004 Tresys Technology, LLC
+ *	This program is free software; you can redistribute it and/or modify
+ *  	it under the terms of the GNU General Public License as published by
+ *	the Free Software Foundation, version 2.
+ */
+
+#ifndef _SELINUX_CONDITIONAL_H_
+#define _SELINUX_CONDITIONAL_H_
+
+int security_get_bools(int *len, char ***names, int **values);
+
+int security_set_bools(int len, int *values);
+
+int security_get_bool_value(int bool);
+
+#endif

security/selinux/include/flask.h

@@ -0,0 +1,102 @@
+/* This file is automatically generated.  Do not edit. */
+#ifndef _SELINUX_FLASK_H_
+#define _SELINUX_FLASK_H_
+
+/*
+ * Security object class definitions
+ */
+#define SECCLASS_SECURITY                                1
+#define SECCLASS_PROCESS                                 2
+#define SECCLASS_SYSTEM                                  3
+#define SECCLASS_CAPABILITY                              4
+#define SECCLASS_FILESYSTEM                              5
+#define SECCLASS_FILE                                    6
+#define SECCLASS_DIR                                     7
+#define SECCLASS_FD                                      8
+#define SECCLASS_LNK_FILE                                9
+#define SECCLASS_CHR_FILE                                10
+#define SECCLASS_BLK_FILE                                11
+#define SECCLASS_SOCK_FILE                               12
+#define SECCLASS_FIFO_FILE                               13
+#define SECCLASS_SOCKET                                  14
+#define SECCLASS_TCP_SOCKET                              15
+#define SECCLASS_UDP_SOCKET                              16
+#define SECCLASS_RAWIP_SOCKET                            17
+#define SECCLASS_NODE                                    18
+#define SECCLASS_NETIF                                   19
+#define SECCLASS_NETLINK_SOCKET                          20
+#define SECCLASS_PACKET_SOCKET                           21
+#define SECCLASS_KEY_SOCKET                              22
+#define SECCLASS_UNIX_STREAM_SOCKET                      23
+#define SECCLASS_UNIX_DGRAM_SOCKET                       24
+#define SECCLASS_SEM                                     25
+#define SECCLASS_MSG                                     26
+#define SECCLASS_MSGQ                                    27
+#define SECCLASS_SHM                                     28
+#define SECCLASS_IPC                                     29
+#define SECCLASS_PASSWD                                  30
+#define SECCLASS_DRAWABLE                                31
+#define SECCLASS_WINDOW                                  32
+#define SECCLASS_GC                                      33
+#define SECCLASS_FONT                                    34
+#define SECCLASS_COLORMAP                                35
+#define SECCLASS_PROPERTY                                36
+#define SECCLASS_CURSOR                                  37
+#define SECCLASS_XCLIENT                                 38
+#define SECCLASS_XINPUT                                  39
+#define SECCLASS_XSERVER                                 40
+#define SECCLASS_XEXTENSION                              41
+#define SECCLASS_PAX                                     42
+#define SECCLASS_NETLINK_ROUTE_SOCKET                    43
+#define SECCLASS_NETLINK_FIREWALL_SOCKET                 44
+#define SECCLASS_NETLINK_TCPDIAG_SOCKET                  45
+#define SECCLASS_NETLINK_NFLOG_SOCKET                    46
+#define SECCLASS_NETLINK_XFRM_SOCKET                     47
+#define SECCLASS_NETLINK_SELINUX_SOCKET                  48
+#define SECCLASS_NETLINK_AUDIT_SOCKET                    49
+#define SECCLASS_NETLINK_IP6FW_SOCKET                    50
+#define SECCLASS_NETLINK_DNRT_SOCKET                     51
+#define SECCLASS_DBUS                                    52
+#define SECCLASS_NSCD                                    53
+#define SECCLASS_ASSOCIATION                             54
+#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET           55
+#define SECCLASS_APPLETALK_SOCKET                        56
+#define SECCLASS_PACKET                                  57
+#define SECCLASS_KEY                                     58
+#define SECCLASS_CONTEXT                                 59
+#define SECCLASS_DCCP_SOCKET                             60
+
+/*
+ * Security identifier indices for initial entities
+ */
+#define SECINITSID_KERNEL                               1
+#define SECINITSID_SECURITY                             2
+#define SECINITSID_UNLABELED                            3
+#define SECINITSID_FS                                   4
+#define SECINITSID_FILE                                 5
+#define SECINITSID_FILE_LABELS                          6
+#define SECINITSID_INIT                                 7
+#define SECINITSID_ANY_SOCKET                           8
+#define SECINITSID_PORT                                 9
+#define SECINITSID_NETIF                                10
+#define SECINITSID_NETMSG                               11
+#define SECINITSID_NODE                                 12
+#define SECINITSID_IGMP_PACKET                          13
+#define SECINITSID_ICMP_SOCKET                          14
+#define SECINITSID_TCP_SOCKET                           15
+#define SECINITSID_SYSCTL_MODPROBE                      16
+#define SECINITSID_SYSCTL                               17
+#define SECINITSID_SYSCTL_FS                            18
+#define SECINITSID_SYSCTL_KERNEL                        19
+#define SECINITSID_SYSCTL_NET                           20
+#define SECINITSID_SYSCTL_NET_UNIX                      21
+#define SECINITSID_SYSCTL_VM                            22
+#define SECINITSID_SYSCTL_DEV                           23
+#define SECINITSID_KMOD                                 24
+#define SECINITSID_POLICY                               25
+#define SECINITSID_SCMP_PACKET                          26
+#define SECINITSID_DEVNULL                              27
+
+#define SECINITSID_NUM                                  27
+
+#endif

security/selinux/include/initial_sid_to_string.h

@@ -0,0 +1,33 @@
+/* This file is automatically generated.  Do not edit. */
+static char *initial_sid_to_string[] =
+{
+    "null",
+    "kernel",
+    "security",
+    "unlabeled",
+    "fs",
+    "file",
+    "file_labels",
+    "init",
+    "any_socket",
+    "port",
+    "netif",
+    "netmsg",
+    "node",
+    "igmp_packet",
+    "icmp_socket",
+    "tcp_socket",
+    "sysctl_modprobe",
+    "sysctl",
+    "sysctl_fs",
+    "sysctl_kernel",
+    "sysctl_net",
+    "sysctl_net_unix",
+    "sysctl_vm",
+    "sysctl_dev",
+    "kmod",
+    "policy",
+    "scmp_packet",
+    "devnull",
+};
+

security/selinux/include/netif.h

@@ -0,0 +1,21 @@
+/*
+ * Network interface table.
+ *
+ * Network interfaces (devices) do not have a security field, so we
+ * maintain a table associating each interface with a SID.
+ *
+ * Author: James Morris <jmorris@redhat.com>
+ *
+ * Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+#ifndef _SELINUX_NETIF_H_
+#define _SELINUX_NETIF_H_
+
+int sel_netif_sids(struct net_device *dev, u32 *if_sid, u32 *msg_sid);
+
+#endif	/* _SELINUX_NETIF_H_ */
+

security/selinux/include/objsec.h

@@ -0,0 +1,123 @@
+/*
+ *  NSA Security-Enhanced Linux (SELinux) security module
+ *
+ *  This file contains the SELinux security data structures for kernel objects.
+ *
+ *  Author(s):  Stephen Smalley, <sds@epoch.ncsc.mil>
+ *              Chris Vance, <cvance@nai.com>
+ *              Wayne Salamon, <wsalamon@nai.com>
+ *              James Morris <jmorris@redhat.com>
+ *
+ *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
+ *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ *
+ *	This program is free software; you can redistribute it and/or modify
+ *	it under the terms of the GNU General Public License version 2,
+ *      as published by the Free Software Foundation.
+ */
+#ifndef _SELINUX_OBJSEC_H_
+#define _SELINUX_OBJSEC_H_
+
+#include <linux/list.h>
+#include <linux/sched.h>
+#include <linux/fs.h>
+#include <linux/binfmts.h>
+#include <linux/in.h>
+#include <linux/spinlock.h>
+#include "flask.h"
+#include "avc.h"
+
+struct task_security_struct {
+	struct task_struct *task;      /* back pointer to task object */
+	u32 osid;            /* SID prior to last execve */
+	u32 sid;             /* current SID */
+	u32 exec_sid;        /* exec SID */
+	u32 create_sid;      /* fscreate SID */
+	u32 keycreate_sid;   /* keycreate SID */
+	u32 sockcreate_sid;  /* fscreate SID */
+	u32 ptrace_sid;      /* SID of ptrace parent */
+};
+
+struct inode_security_struct {
+        struct inode *inode;           /* back pointer to inode object */
+	struct list_head list;         /* list of inode_security_struct */
+	u32 task_sid;        /* SID of creating task */
+	u32 sid;             /* SID of this object */
+	u16 sclass;       /* security class of this object */
+	unsigned char initialized;     /* initialization flag */
+	struct mutex lock;
+	unsigned char inherit;         /* inherit SID from parent entry */
+};
+
+struct file_security_struct {
+	struct file *file;              /* back pointer to file object */
+	u32 sid;              /* SID of open file description */
+	u32 fown_sid;         /* SID of file owner (for SIGIO) */
+};
+
+struct superblock_security_struct {
+	struct super_block *sb;         /* back pointer to sb object */
+	struct list_head list;          /* list of superblock_security_struct */
+	u32 sid;			/* SID of file system superblock */
+	u32 def_sid;			/* default SID for labeling */
+	u32 mntpoint_sid;		/* SECURITY_FS_USE_MNTPOINT context for files */
+	unsigned int behavior;          /* labeling behavior */
+	unsigned char initialized;      /* initialization flag */
+	unsigned char proc;             /* proc fs */
+	struct mutex lock;
+	struct list_head isec_head;
+	spinlock_t isec_lock;
+};
+
+struct msg_security_struct {
+	struct msg_msg *msg;		/* back pointer */
+	u32 sid;              /* SID of message */
+};
+
+struct ipc_security_struct {
+	struct kern_ipc_perm *ipc_perm; /* back pointer */
+	u16 sclass;	/* security class of this object */
+	u32 sid;              /* SID of IPC resource */
+};
+
+struct bprm_security_struct {
+	struct linux_binprm *bprm;     /* back pointer to bprm object */
+	u32 sid;                       /* SID for transformed process */
+	unsigned char set;
+
+	/*
+	 * unsafe is used to share failure information from bprm_apply_creds()
+	 * to bprm_post_apply_creds().
+	 */
+	char unsafe;
+};
+
+struct netif_security_struct {
+	struct net_device *dev;		/* back pointer */
+	u32 if_sid;			/* SID for this interface */
+	u32 msg_sid;			/* default SID for messages received on this interface */
+};
+
+struct sk_security_struct {
+	struct sock *sk;		/* back pointer to sk object */
+	u32 sid;			/* SID of this object */
+	u32 peer_sid;			/* SID of peer */
+#ifdef CONFIG_NETLABEL
+	u16 sclass;			/* sock security class */
+	enum {				/* NetLabel state */
+		NLBL_UNSET = 0,
+		NLBL_REQUIRE,
+		NLBL_LABELED,
+	} nlbl_state;
+	spinlock_t nlbl_lock;		/* protects nlbl_state */
+#endif
+};
+
+struct key_security_struct {
+	struct key *obj; /* back pointer */
+	u32 sid;         /* SID of key */
+};
+
+extern unsigned int selinux_checkreqprot;
+
+#endif /* _SELINUX_OBJSEC_H_ */

security/selinux/include/security.h

@@ -0,0 +1,106 @@
+/*
+ * Security server interface.
+ *
+ * Author : Stephen Smalley, <sds@epoch.ncsc.mil>
+ *
+ */
+
+#ifndef _SELINUX_SECURITY_H_
+#define _SELINUX_SECURITY_H_
+
+#include "flask.h"
+
+#define SECSID_NULL			0x00000000 /* unspecified SID */
+#define SECSID_WILD			0xffffffff /* wildcard SID */
+#define SECCLASS_NULL			0x0000 /* no class */
+
+#define SELINUX_MAGIC 0xf97cff8c
+
+/* Identify specific policy version changes */
+#define POLICYDB_VERSION_BASE		15
+#define POLICYDB_VERSION_BOOL		16
+#define POLICYDB_VERSION_IPV6		17
+#define POLICYDB_VERSION_NLCLASS	18
+#define POLICYDB_VERSION_VALIDATETRANS	19
+#define POLICYDB_VERSION_MLS		19
+#define POLICYDB_VERSION_AVTAB		20
+#define POLICYDB_VERSION_RANGETRANS	21
+
+/* Range of policy versions we understand*/
+#define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
+#ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
+#define POLICYDB_VERSION_MAX	CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
+#else
+#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_RANGETRANS
+#endif
+
+struct sk_buff;
+
+extern int selinux_enabled;
+extern int selinux_mls_enabled;
+
+int security_load_policy(void * data, size_t len);
+
+struct av_decision {
+	u32 allowed;
+	u32 decided;
+	u32 auditallow;
+	u32 auditdeny;
+	u32 seqno;
+};
+
+int security_compute_av(u32 ssid, u32 tsid,
+	u16 tclass, u32 requested,
+	struct av_decision *avd);
+
+int security_transition_sid(u32 ssid, u32 tsid,
+	u16 tclass, u32 *out_sid);
+
+int security_member_sid(u32 ssid, u32 tsid,
+	u16 tclass, u32 *out_sid);
+
+int security_change_sid(u32 ssid, u32 tsid,
+	u16 tclass, u32 *out_sid);
+
+int security_sid_to_context(u32 sid, char **scontext,
+	u32 *scontext_len);
+
+int security_context_to_sid(char *scontext, u32 scontext_len,
+	u32 *out_sid);
+
+int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *out_sid, u32 def_sid);
+
+int security_get_user_sids(u32 callsid, char *username,
+			   u32 **sids, u32 *nel);
+
+int security_port_sid(u16 domain, u16 type, u8 protocol, u16 port,
+	u32 *out_sid);
+
+int security_netif_sid(char *name, u32 *if_sid,
+	u32 *msg_sid);
+
+int security_node_sid(u16 domain, void *addr, u32 addrlen,
+	u32 *out_sid);
+
+void security_skb_extlbl_sid(struct sk_buff *skb, u32 base_sid, u32 *sid);
+
+int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
+                                 u16 tclass);
+
+int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid);
+
+#define SECURITY_FS_USE_XATTR		1 /* use xattr */
+#define SECURITY_FS_USE_TRANS		2 /* use transition SIDs, e.g. devpts/tmpfs */
+#define SECURITY_FS_USE_TASK		3 /* use task SIDs, e.g. pipefs/sockfs */
+#define SECURITY_FS_USE_GENFS		4 /* use the genfs support */
+#define SECURITY_FS_USE_NONE		5 /* no labeling support */
+#define SECURITY_FS_USE_MNTPOINT	6 /* use mountpoint labeling */
+
+int security_fs_use(const char *fstype, unsigned int *behavior,
+	u32 *sid);
+
+int security_genfs_sid(const char *fstype, char *name, u16 sclass,
+	u32 *sid);
+
+#endif /* _SELINUX_SECURITY_H_ */
+

security/selinux/include/selinux_netlabel.h

@@ -0,0 +1,124 @@
+/*
+ * SELinux interface to the NetLabel subsystem
+ *
+ * Author : Paul Moore <paul.moore@hp.com>
+ *
+ */
+
+/*
+ * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
+ *
+ * This program is free software;  you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY;  without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
+ * the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program;  if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ */
+
+#ifndef _SELINUX_NETLABEL_H_
+#define _SELINUX_NETLABEL_H_
+
+#include <linux/types.h>
+#include <linux/fs.h>
+#include <linux/net.h>
+#include <linux/skbuff.h>
+#include <net/sock.h>
+
+#include "avc.h"
+#include "objsec.h"
+
+#ifdef CONFIG_NETLABEL
+void selinux_netlbl_cache_invalidate(void);
+int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid);
+int selinux_netlbl_socket_post_create(struct socket *sock);
+void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock);
+int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
+				struct sk_buff *skb,
+				struct avc_audit_data *ad);
+void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
+				      int family);
+void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
+				     int family);
+void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec,
+				      struct sk_security_struct *newssec);
+int selinux_netlbl_inode_permission(struct inode *inode, int mask);
+int selinux_netlbl_socket_setsockopt(struct socket *sock,
+				     int level,
+				     int optname);
+#else
+static inline void selinux_netlbl_cache_invalidate(void)
+{
+	return;
+}
+
+static inline int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
+					       u32 base_sid,
+					       u32 *sid)
+{
+	*sid = SECSID_NULL;
+	return 0;
+}
+
+static inline int selinux_netlbl_socket_post_create(struct socket *sock)
+{
+	return 0;
+}
+
+static inline void selinux_netlbl_sock_graft(struct sock *sk,
+					     struct socket *sock)
+{
+	return;
+}
+
+static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
+					      struct sk_buff *skb,
+					      struct avc_audit_data *ad)
+{
+	return 0;
+}
+
+static inline void selinux_netlbl_sk_security_reset(
+					       struct sk_security_struct *ssec,
+					       int family)
+{
+	return;
+}
+
+static inline void selinux_netlbl_sk_security_init(
+	                                       struct sk_security_struct *ssec,
+					       int family)
+{
+	return;
+}
+
+static inline void selinux_netlbl_sk_security_clone(
+	                                   struct sk_security_struct *ssec,
+					   struct sk_security_struct *newssec)
+{
+	return;
+}
+
+static inline int selinux_netlbl_inode_permission(struct inode *inode,
+						  int mask)
+{
+	return 0;
+}
+
+static inline int selinux_netlbl_socket_setsockopt(struct socket *sock,
+						   int level,
+						   int optname)
+{
+	return 0;
+}
+#endif /* CONFIG_NETLABEL */
+
+#endif

security/selinux/include/xfrm.h

@@ -0,0 +1,75 @@
+/*
+ * SELinux support for the XFRM LSM hooks
+ *
+ * Author : Trent Jaeger, <jaegert@us.ibm.com>
+ * Updated : Venkat Yekkirala, <vyekkirala@TrustedCS.com>
+ */
+#ifndef _SELINUX_XFRM_H_
+#define _SELINUX_XFRM_H_
+
+int selinux_xfrm_policy_alloc(struct xfrm_policy *xp,
+		struct xfrm_user_sec_ctx *sec_ctx);
+int selinux_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new);
+void selinux_xfrm_policy_free(struct xfrm_policy *xp);
+int selinux_xfrm_policy_delete(struct xfrm_policy *xp);
+int selinux_xfrm_state_alloc(struct xfrm_state *x,
+	struct xfrm_user_sec_ctx *sec_ctx, u32 secid);
+void selinux_xfrm_state_free(struct xfrm_state *x);
+int selinux_xfrm_state_delete(struct xfrm_state *x);
+int selinux_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir);
+int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
+			struct xfrm_policy *xp, struct flowi *fl);
+
+/*
+ * Extract the security blob from the sock (it's actually on the socket)
+ */
+static inline struct inode_security_struct *get_sock_isec(struct sock *sk)
+{
+	if (!sk->sk_socket)
+		return NULL;
+
+	return SOCK_INODE(sk->sk_socket)->i_security;
+}
+
+#ifdef CONFIG_SECURITY_NETWORK_XFRM
+int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
+			struct avc_audit_data *ad);
+int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
+			struct avc_audit_data *ad, u8 proto);
+int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
+
+static inline void selinux_xfrm_notify_policyload(void)
+{
+	atomic_inc(&flow_cache_genid);
+}
+#else
+static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
+			struct avc_audit_data *ad)
+{
+	return 0;
+}
+
+static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
+			struct avc_audit_data *ad, u8 proto)
+{
+	return 0;
+}
+
+static inline int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
+{
+	*sid = SECSID_NULL;
+	return 0;
+}
+
+static inline void selinux_xfrm_notify_policyload(void)
+{
+}
+#endif
+
+static inline void selinux_skb_xfrm_sid(struct sk_buff *skb, u32 *sid)
+{
+	int err = selinux_xfrm_decode_session(skb, sid, 0);
+	BUG_ON(err);
+}
+
+#endif /* _SELINUX_XFRM_H_ */