OSDN > ソフトウェアを探す > システム > オペレーティングシステムカーネル > Linux > TOMOYO > SCM > SVN > コミット

TOMOYO
Fork

R/O
SSH
HTTPS

tomoyo: コミット

コミットメタ情報

リビジョン	6354 (tree)
日時	2014-10-20 21:17:01
作者	kumaneko

ログメッセージ

(メッセージはありません)

変更サマリ

modified: trunk/1.8.x/ccs-patch/patches/ccs-patch-3.10.diff (diff)
modified: trunk/1.8.x/ccs-patch/patches/ccs-patch-3.12.diff (diff)
modified: trunk/1.8.x/ccs-patch/patches/ccs-patch-3.14.diff (diff)
modified: trunk/1.8.x/ccs-patch/patches/ccs-patch-3.16.diff (diff)
added: trunk/1.8.x/ccs-patch/patches/ccs-patch-3.18.diff (diff)
modified: trunk/1.8.x/ccs-patch/patches/ccs-patch-3.17.diff (diff)
added: branches/editpolicy.diff (diff)

差分

--- trunk/1.8.x/ccs-patch/patches/ccs-patch-3.10.diff (revision 6353)

+++ trunk/1.8.x/ccs-patch/patches/ccs-patch-3.10.diff (revision 6354)

		@@ -1,6 +1,6 @@
1		-This is TOMOYO Linux patch for kernel 3.10.56.
	1	+This is TOMOYO Linux patch for kernel 3.10.58.
2	2
3		-Source code for this patch is https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.10.56.tar.xz
	3	+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.10.58.tar.xz
4	4	---
5	5	fs/exec.c \| 2
6	6	fs/open.c \| 2

		@@ -28,8 +28,8 @@
28	28	security/security.c \| 107 ++++++++++++++++++++++++++++++++++++++++------
29	29	24 files changed, 235 insertions(+), 37 deletions(-)
30	30
31		---- linux-3.10.56.orig/fs/exec.c
32		-+++ linux-3.10.56/fs/exec.c
	31	+--- linux-3.10.58.orig/fs/exec.c
	32	++++ linux-3.10.58/fs/exec.c
33	33	@@ -1540,7 +1540,7 @@ static int do_execve_common(const char *
34	34	if (retval < 0)
35	35	goto out;

		@@ -39,8 +39,8 @@
39	39	if (retval < 0)
40	40	goto out;
41	41
42		---- linux-3.10.56.orig/fs/open.c
43		-+++ linux-3.10.56/fs/open.c
	42	+--- linux-3.10.58.orig/fs/open.c
	43	++++ linux-3.10.58/fs/open.c
44	44	@@ -1023,6 +1023,8 @@ EXPORT_SYMBOL(sys_close);
45	45	*/
46	46	SYSCALL_DEFINE0(vhangup)

		@@ -50,8 +50,8 @@
50	50	if (capable(CAP_SYS_TTY_CONFIG)) {
51	51	tty_vhangup_self();
52	52	return 0;
53		---- linux-3.10.56.orig/fs/proc/version.c
54		-+++ linux-3.10.56/fs/proc/version.c
	53	+--- linux-3.10.58.orig/fs/proc/version.c
	54	++++ linux-3.10.58/fs/proc/version.c
55	55	@@ -32,3 +32,10 @@ static int __init proc_version_init(void
56	56	return 0;
57	57	}

		@@ -59,12 +59,12 @@
59	59	+
60	60	+static int __init ccs_show_version(void)
61	61	+{
62		-+ printk(KERN_INFO "Hook version: 3.10.56 2014/10/06\n");
	62	++ printk(KERN_INFO "Hook version: 3.10.58 2014/10/20\n");
63	63	+ return 0;
64	64	+}
65	65	+module_init(ccs_show_version);
66		---- linux-3.10.56.orig/include/linux/init_task.h
67		-+++ linux-3.10.56/include/linux/init_task.h
	66	+--- linux-3.10.58.orig/include/linux/init_task.h
	67	++++ linux-3.10.58/include/linux/init_task.h
68	68	@@ -155,6 +155,14 @@ extern struct task_group root_task_group
69	69
70	70	#define INIT_TASK_COMM "swapper"

		@@ -88,8 +88,8 @@
88	88	}
89	89
90	90
91		---- linux-3.10.56.orig/include/linux/sched.h
92		-+++ linux-3.10.56/include/linux/sched.h
	91	+--- linux-3.10.58.orig/include/linux/sched.h
	92	++++ linux-3.10.58/include/linux/sched.h
93	93	@@ -4,6 +4,8 @@
94	94	#include <uapi/linux/sched.h>
95	95

		@@ -110,8 +110,8 @@
110	110	};
111	111
112	112	/* Future-safe accessor for struct task_struct's cpus_allowed. */
113		---- linux-3.10.56.orig/include/linux/security.h
114		-+++ linux-3.10.56/include/linux/security.h
	113	+--- linux-3.10.58.orig/include/linux/security.h
	114	++++ linux-3.10.58/include/linux/security.h
115	115	@@ -52,6 +52,7 @@ struct msg_queue;
116	116	struct xattr;
117	117	struct xfrm_sec_ctx;

		@@ -313,8 +313,8 @@
313	313	}
314	314	#endif /* CONFIG_SECURITY_PATH */
315	315
316		---- linux-3.10.56.orig/include/net/ip.h
317		-+++ linux-3.10.56/include/net/ip.h
	316	+--- linux-3.10.58.orig/include/net/ip.h
	317	++++ linux-3.10.58/include/net/ip.h
318	318	@@ -205,6 +205,8 @@ extern void inet_get_local_port_range(in
319	319	extern unsigned long *sysctl_local_reserved_ports;
320	320	static inline int inet_is_reserved_local_port(int port)

		@@ -324,8 +324,8 @@
324	324	return test_bit(port, sysctl_local_reserved_ports);
325	325	}
326	326
327		---- linux-3.10.56.orig/kernel/fork.c
328		-+++ linux-3.10.56/kernel/fork.c
	327	+--- linux-3.10.58.orig/kernel/fork.c
	328	++++ linux-3.10.58/kernel/fork.c
329	329	@@ -242,6 +242,7 @@ void __put_task_struct(struct task_struc
330	330	delayacct_tsk_free(tsk);
331	331	put_signal_struct(tsk->signal);

		@@ -337,7 +337,7 @@
337	337	@@ -1325,6 +1326,9 @@ static struct task_struct *copy_process(
338	338	retval = audit_alloc(p);
339	339	if (retval)
340		- goto bad_fork_cleanup_policy;
	340	+ goto bad_fork_cleanup_perf;
341	341	+ retval = ccs_alloc_task_security(p);
342	342	+ if (retval)
343	343	+ goto bad_fork_cleanup_audit;

		@@ -349,11 +349,11 @@
349	349	bad_fork_cleanup_audit:
350	350	audit_free(p);
351	351	+ ccs_free_task_security(p);
	352	+ bad_fork_cleanup_perf:
	353	+ perf_event_free_task(p);
352	354	bad_fork_cleanup_policy:
353		- perf_event_free_task(p);
354		- #ifdef CONFIG_NUMA
355		---- linux-3.10.56.orig/kernel/kexec.c
356		-+++ linux-3.10.56/kernel/kexec.c
	355	+--- linux-3.10.58.orig/kernel/kexec.c
	356	++++ linux-3.10.58/kernel/kexec.c
357	357	@@ -37,6 +37,7 @@
358	358	#include <asm/uaccess.h>
359	359	#include <asm/io.h>

		@@ -371,8 +371,8 @@
371	371
372	372	/*
373	373	* Verify we have a legal set of flags
374		---- linux-3.10.56.orig/kernel/module.c
375		-+++ linux-3.10.56/kernel/module.c
	374	+--- linux-3.10.58.orig/kernel/module.c
	375	++++ linux-3.10.58/kernel/module.c
376	376	@@ -63,6 +63,7 @@
377	377	#include <linux/fips.h>
378	378	#include <uapi/linux/module.h>

		@@ -399,8 +399,8 @@
399	399
400	400	return 0;
401	401	}
402		---- linux-3.10.56.orig/kernel/ptrace.c
403		-+++ linux-3.10.56/kernel/ptrace.c
	402	+--- linux-3.10.58.orig/kernel/ptrace.c
	403	++++ linux-3.10.58/kernel/ptrace.c
404	404	@@ -998,6 +998,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
405	405	{
406	406	struct task_struct *child;

		@@ -425,8 +425,8 @@
425	425
426	426	if (request == PTRACE_TRACEME) {
427	427	ret = ptrace_traceme();
428		---- linux-3.10.56.orig/kernel/sched/core.c
429		-+++ linux-3.10.56/kernel/sched/core.c
	428	+--- linux-3.10.58.orig/kernel/sched/core.c
	429	++++ linux-3.10.58/kernel/sched/core.c
430	430	@@ -3732,6 +3732,8 @@ int can_nice(const struct task_struct *p
431	431	SYSCALL_DEFINE1(nice, int, increment)
432	432	{

		@@ -436,8 +436,8 @@
436	436
437	437	/*
438	438	* Setpriority might change our priority at the same moment.
439		---- linux-3.10.56.orig/kernel/signal.c
440		-+++ linux-3.10.56/kernel/signal.c
	439	+--- linux-3.10.58.orig/kernel/signal.c
	440	++++ linux-3.10.58/kernel/signal.c
441	441	@@ -2909,6 +2909,8 @@ SYSCALL_DEFINE4(rt_sigtimedwait, const s
442	442	SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
443	443	{

		@@ -483,8 +483,8 @@
483	483
484	484	return do_send_specific(tgid, pid, sig, info);
485	485	}
486		---- linux-3.10.56.orig/kernel/sys.c
487		-+++ linux-3.10.56/kernel/sys.c
	486	+--- linux-3.10.58.orig/kernel/sys.c
	487	++++ linux-3.10.58/kernel/sys.c
488	488	@@ -186,6 +186,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
489	489
490	490	if (which > PRIO_USER \|\| which < PRIO_PROCESS)

		@@ -523,8 +523,8 @@
523	523
524	524	down_write(&uts_sem);
525	525	errno = -EFAULT;
526		---- linux-3.10.56.orig/kernel/time/ntp.c
527		-+++ linux-3.10.56/kernel/time/ntp.c
	526	+--- linux-3.10.58.orig/kernel/time/ntp.c
	527	++++ linux-3.10.58/kernel/time/ntp.c
528	528	@@ -16,6 +16,7 @@
529	529	#include <linux/mm.h>
530	530	#include <linux/module.h>

		@@ -558,8 +558,8 @@
558	558
559	559	return 0;
560	560	}
561		---- linux-3.10.56.orig/net/ipv4/raw.c
562		-+++ linux-3.10.56/net/ipv4/raw.c
	561	+--- linux-3.10.58.orig/net/ipv4/raw.c
	562	++++ linux-3.10.58/net/ipv4/raw.c
563	563	@@ -700,6 +700,10 @@ static int raw_recvmsg(struct kiocb *ioc
564	564	skb = skb_recv_datagram(sk, flags, noblock, &err);
565	565	if (!skb)

		@@ -571,8 +571,8 @@
571	571
572	572	copied = skb->len;
573	573	if (len < copied) {
574		---- linux-3.10.56.orig/net/ipv4/udp.c
575		-+++ linux-3.10.56/net/ipv4/udp.c
	574	+--- linux-3.10.58.orig/net/ipv4/udp.c
	575	++++ linux-3.10.58/net/ipv4/udp.c
576	576	@@ -1218,6 +1218,10 @@ try_again:
577	577	&peeked, &off, &err);
578	578	if (!skb)

		@@ -584,8 +584,8 @@
584	584
585	585	ulen = skb->len - sizeof(struct udphdr);
586	586	copied = len;
587		---- linux-3.10.56.orig/net/ipv6/raw.c
588		-+++ linux-3.10.56/net/ipv6/raw.c
	587	+--- linux-3.10.58.orig/net/ipv6/raw.c
	588	++++ linux-3.10.58/net/ipv6/raw.c
589	589	@@ -468,6 +468,10 @@ static int rawv6_recvmsg(struct kiocb *i
590	590	skb = skb_recv_datagram(sk, flags, noblock, &err);
591	591	if (!skb)

		@@ -597,8 +597,8 @@
597	597
598	598	copied = skb->len;
599	599	if (copied > len) {
600		---- linux-3.10.56.orig/net/ipv6/udp.c
601		-+++ linux-3.10.56/net/ipv6/udp.c
	600	+--- linux-3.10.58.orig/net/ipv6/udp.c
	601	++++ linux-3.10.58/net/ipv6/udp.c
602	602	@@ -384,6 +384,10 @@ try_again:
603	603	&peeked, &off, &err);
604	604	if (!skb)

		@@ -610,8 +610,8 @@
610	610
611	611	ulen = skb->len - sizeof(struct udphdr);
612	612	copied = len;
613		---- linux-3.10.56.orig/net/socket.c
614		-+++ linux-3.10.56/net/socket.c
	613	+--- linux-3.10.58.orig/net/socket.c
	614	++++ linux-3.10.58/net/socket.c
615	615	@@ -1611,6 +1611,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
616	616	if (err < 0)
617	617	goto out_fd;

		@@ -623,8 +623,8 @@
623	623	if (upeer_sockaddr) {
624	624	if (newsock->ops->getname(newsock, (struct sockaddr *)&address,
625	625	&len, 2) < 0) {
626		---- linux-3.10.56.orig/net/unix/af_unix.c
627		-+++ linux-3.10.56/net/unix/af_unix.c
	626	+--- linux-3.10.58.orig/net/unix/af_unix.c
	627	++++ linux-3.10.58/net/unix/af_unix.c
628	628	@@ -1816,6 +1816,10 @@ static int unix_dgram_recvmsg(struct kio
629	629	wake_up_interruptible_sync_poll(&u->peer_wait,
630	630	POLLOUT \| POLLWRNORM \| POLLWRBAND);

		@@ -636,8 +636,8 @@
636	636	if (msg->msg_name)
637	637	unix_copy_addr(msg, skb->sk);
638	638
639		---- linux-3.10.56.orig/security/Kconfig
640		-+++ linux-3.10.56/security/Kconfig
	639	+--- linux-3.10.58.orig/security/Kconfig
	640	++++ linux-3.10.58/security/Kconfig
641	641	@@ -167,5 +167,7 @@ config DEFAULT_SECURITY
642	642	default "yama" if DEFAULT_SECURITY_YAMA
643	643	default "" if DEFAULT_SECURITY_DAC

		@@ -646,8 +646,8 @@
646	646	+
647	647	endmenu
648	648
649		---- linux-3.10.56.orig/security/Makefile
650		-+++ linux-3.10.56/security/Makefile
	649	+--- linux-3.10.58.orig/security/Makefile
	650	++++ linux-3.10.58/security/Makefile
651	651	@@ -28,3 +28,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
652	652	# Object integrity file lists
653	653	subdir-$(CONFIG_INTEGRITY) += integrity

		@@ -655,8 +655,8 @@
655	655	+
656	656	+subdir-$(CONFIG_CCSECURITY) += ccsecurity
657	657	+obj-$(CONFIG_CCSECURITY) += ccsecurity/built-in.o
658		---- linux-3.10.56.orig/security/security.c
659		-+++ linux-3.10.56/security/security.c
	658	+--- linux-3.10.58.orig/security/security.c
	659	++++ linux-3.10.58/security/security.c
660	660	@@ -202,7 +202,10 @@ int security_syslog(int type)
661	661
662	662	int security_settime(const struct timespec ts, const struct timezone tz)

--- trunk/1.8.x/ccs-patch/patches/ccs-patch-3.12.diff (revision 6353)

+++ trunk/1.8.x/ccs-patch/patches/ccs-patch-3.12.diff (revision 6354)

		@@ -1,6 +1,6 @@
1		-This is TOMOYO Linux patch for kernel 3.12.29.
	1	+This is TOMOYO Linux patch for kernel 3.12.30.
2	2
3		-Source code for this patch is https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.12.29.tar.xz
	3	+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.12.30.tar.xz
4	4	---
5	5	fs/exec.c \| 2
6	6	fs/open.c \| 2

		@@ -29,9 +29,9 @@
29	29	security/security.c \| 107 ++++++++++++++++++++++++++++++++++++++++------
30	30	25 files changed, 236 insertions(+), 37 deletions(-)
31	31
32		---- linux-3.12.29.orig/fs/exec.c
33		-+++ linux-3.12.29/fs/exec.c
34		-@@ -1434,7 +1434,7 @@ static int exec_binprm(struct linux_binp
	32	+--- linux-3.12.30.orig/fs/exec.c
	33	++++ linux-3.12.30/fs/exec.c
	34	+@@ -1437,7 +1437,7 @@ static int exec_binprm(struct linux_binp
35	35	old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
36	36	rcu_read_unlock();
37	37

		@@ -40,8 +40,8 @@
40	40	if (ret >= 0) {
41	41	trace_sched_process_exec(current, old_pid, bprm);
42	42	ptrace_event(PTRACE_EVENT_EXEC, old_vpid);
43		---- linux-3.12.29.orig/fs/open.c
44		-+++ linux-3.12.29/fs/open.c
	43	+--- linux-3.12.30.orig/fs/open.c
	44	++++ linux-3.12.30/fs/open.c
45	45	@@ -1050,6 +1050,8 @@ EXPORT_SYMBOL(sys_close);
46	46	*/
47	47	SYSCALL_DEFINE0(vhangup)

		@@ -51,8 +51,8 @@
51	51	if (capable(CAP_SYS_TTY_CONFIG)) {
52	52	tty_vhangup_self();
53	53	return 0;
54		---- linux-3.12.29.orig/fs/proc/version.c
55		-+++ linux-3.12.29/fs/proc/version.c
	54	+--- linux-3.12.30.orig/fs/proc/version.c
	55	++++ linux-3.12.30/fs/proc/version.c
56	56	@@ -32,3 +32,10 @@ static int __init proc_version_init(void
57	57	return 0;
58	58	}

		@@ -60,12 +60,12 @@
60	60	+
61	61	+static int __init ccs_show_version(void)
62	62	+{
63		-+ printk(KERN_INFO "Hook version: 3.12.29 2014/10/06\n");
	63	++ printk(KERN_INFO "Hook version: 3.12.30 2014/10/20\n");
64	64	+ return 0;
65	65	+}
66	66	+module_init(ccs_show_version);
67		---- linux-3.12.29.orig/include/linux/init_task.h
68		-+++ linux-3.12.29/include/linux/init_task.h
	67	+--- linux-3.12.30.orig/include/linux/init_task.h
	68	++++ linux-3.12.30/include/linux/init_task.h
69	69	@@ -155,6 +155,14 @@ extern struct task_group root_task_group
70	70
71	71	#define INIT_TASK_COMM "swapper"

		@@ -89,8 +89,8 @@
89	89	}
90	90
91	91
92		---- linux-3.12.29.orig/include/linux/sched.h
93		-+++ linux-3.12.29/include/linux/sched.h
	92	+--- linux-3.12.30.orig/include/linux/sched.h
	93	++++ linux-3.12.30/include/linux/sched.h
94	94	@@ -4,6 +4,8 @@
95	95	#include <uapi/linux/sched.h>
96	96

		@@ -100,7 +100,7 @@
100	100	struct sched_param {
101	101	int sched_priority;
102	102	};
103		-@@ -1413,6 +1415,10 @@ struct task_struct {
	103	+@@ -1420,6 +1422,10 @@ struct task_struct {
104	104	unsigned int sequential_io;
105	105	unsigned int sequential_io_avg;
106	106	#endif

		@@ -111,8 +111,8 @@
111	111	};
112	112
113	113	/* Future-safe accessor for struct task_struct's cpus_allowed. */
114		---- linux-3.12.29.orig/include/linux/security.h
115		-+++ linux-3.12.29/include/linux/security.h
	114	+--- linux-3.12.30.orig/include/linux/security.h
	115	++++ linux-3.12.30/include/linux/security.h
116	116	@@ -53,6 +53,7 @@ struct msg_queue;
117	117	struct xattr;
118	118	struct xfrm_sec_ctx;

		@@ -314,8 +314,8 @@
314	314	}
315	315	#endif /* CONFIG_SECURITY_PATH */
316	316
317		---- linux-3.12.29.orig/include/net/ip.h
318		-+++ linux-3.12.29/include/net/ip.h
	317	+--- linux-3.12.30.orig/include/net/ip.h
	318	++++ linux-3.12.30/include/net/ip.h
319	319	@@ -215,6 +215,8 @@ extern void inet_get_local_port_range(in
320	320	extern unsigned long *sysctl_local_reserved_ports;
321	321	static inline int inet_is_reserved_local_port(int port)

		@@ -325,9 +325,9 @@
325	325	return test_bit(port, sysctl_local_reserved_ports);
326	326	}
327	327
328		---- linux-3.12.29.orig/kernel/fork.c
329		-+++ linux-3.12.29/kernel/fork.c
330		-@@ -242,6 +242,7 @@ void __put_task_struct(struct task_struc
	328	+--- linux-3.12.30.orig/kernel/fork.c
	329	++++ linux-3.12.30/kernel/fork.c
	330	+@@ -244,6 +244,7 @@ void __put_task_struct(struct task_struc
331	331	delayacct_tsk_free(tsk);
332	332	put_signal_struct(tsk->signal);
333	333

		@@ -335,7 +335,7 @@
335	335	if (!profile_handoff_task(tsk))
336	336	free_task(tsk);
337	337	}
338		-@@ -1327,6 +1328,9 @@ static struct task_struct *copy_process(
	338	+@@ -1332,6 +1333,9 @@ static struct task_struct *copy_process(
339	339	retval = audit_alloc(p);
340	340	if (retval)
341	341	goto bad_fork_cleanup_policy;

		@@ -345,7 +345,7 @@
345	345	/* copy all the process information */
346	346	retval = copy_semundo(clone_flags, p);
347	347	if (retval)
348		-@@ -1527,6 +1531,7 @@ bad_fork_cleanup_semundo:
	348	+@@ -1532,6 +1536,7 @@ bad_fork_cleanup_semundo:
349	349	exit_sem(p);
350	350	bad_fork_cleanup_audit:
351	351	audit_free(p);

		@@ -353,8 +353,8 @@
353	353	bad_fork_cleanup_policy:
354	354	perf_event_free_task(p);
355	355	#ifdef CONFIG_NUMA
356		---- linux-3.12.29.orig/kernel/kexec.c
357		-+++ linux-3.12.29/kernel/kexec.c
	356	+--- linux-3.12.30.orig/kernel/kexec.c
	357	++++ linux-3.12.30/kernel/kexec.c
358	358	@@ -37,6 +37,7 @@
359	359	#include <asm/uaccess.h>
360	360	#include <asm/io.h>

		@@ -372,8 +372,8 @@
372	372
373	373	/*
374	374	* Verify we have a legal set of flags
375		---- linux-3.12.29.orig/kernel/module.c
376		-+++ linux-3.12.29/kernel/module.c
	375	+--- linux-3.12.30.orig/kernel/module.c
	376	++++ linux-3.12.30/kernel/module.c
377	377	@@ -63,6 +63,7 @@
378	378	#include <linux/fips.h>
379	379	#include <uapi/linux/module.h>

		@@ -400,8 +400,8 @@
400	400
401	401	return 0;
402	402	}
403		---- linux-3.12.29.orig/kernel/ptrace.c
404		-+++ linux-3.12.29/kernel/ptrace.c
	403	+--- linux-3.12.30.orig/kernel/ptrace.c
	404	++++ linux-3.12.30/kernel/ptrace.c
405	405	@@ -1038,6 +1038,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
406	406	{
407	407	struct task_struct *child;

		@@ -426,8 +426,8 @@
426	426
427	427	if (request == PTRACE_TRACEME) {
428	428	ret = ptrace_traceme();
429		---- linux-3.12.29.orig/kernel/reboot.c
430		-+++ linux-3.12.29/kernel/reboot.c
	429	+--- linux-3.12.30.orig/kernel/reboot.c
	430	++++ linux-3.12.30/kernel/reboot.c
431	431	@@ -16,6 +16,7 @@
432	432	#include <linux/syscalls.h>
433	433	#include <linux/syscore_ops.h>

		@@ -445,8 +445,8 @@
445	445
446	446	/*
447	447	* If pid namespaces are enabled and the current task is in a child
448		---- linux-3.12.29.orig/kernel/sched/core.c
449		-+++ linux-3.12.29/kernel/sched/core.c
	448	+--- linux-3.12.30.orig/kernel/sched/core.c
	449	++++ linux-3.12.30/kernel/sched/core.c
450	450	@@ -3148,6 +3148,8 @@ int can_nice(const struct task_struct *p
451	451	SYSCALL_DEFINE1(nice, int, increment)
452	452	{

		@@ -456,8 +456,8 @@
456	456
457	457	/*
458	458	* Setpriority might change our priority at the same moment.
459		---- linux-3.12.29.orig/kernel/signal.c
460		-+++ linux-3.12.29/kernel/signal.c
	459	+--- linux-3.12.30.orig/kernel/signal.c
	460	++++ linux-3.12.30/kernel/signal.c
461	461	@@ -2909,6 +2909,8 @@ SYSCALL_DEFINE4(rt_sigtimedwait, const s
462	462	SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
463	463	{

		@@ -503,8 +503,8 @@
503	503
504	504	return do_send_specific(tgid, pid, sig, info);
505	505	}
506		---- linux-3.12.29.orig/kernel/sys.c
507		-+++ linux-3.12.29/kernel/sys.c
	506	+--- linux-3.12.30.orig/kernel/sys.c
	507	++++ linux-3.12.30/kernel/sys.c
508	508	@@ -172,6 +172,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
509	509
510	510	if (which > PRIO_USER \|\| which < PRIO_PROCESS)

		@@ -534,8 +534,8 @@
534	534
535	535	down_write(&uts_sem);
536	536	errno = -EFAULT;
537		---- linux-3.12.29.orig/kernel/time/ntp.c
538		-+++ linux-3.12.29/kernel/time/ntp.c
	537	+--- linux-3.12.30.orig/kernel/time/ntp.c
	538	++++ linux-3.12.30/kernel/time/ntp.c
539	539	@@ -16,6 +16,7 @@
540	540	#include <linux/mm.h>
541	541	#include <linux/module.h>

		@@ -569,8 +569,8 @@
569	569
570	570	return 0;
571	571	}
572		---- linux-3.12.29.orig/net/ipv4/raw.c
573		-+++ linux-3.12.29/net/ipv4/raw.c
	572	+--- linux-3.12.30.orig/net/ipv4/raw.c
	573	++++ linux-3.12.30/net/ipv4/raw.c
574	574	@@ -702,6 +702,10 @@ static int raw_recvmsg(struct kiocb *ioc
575	575	skb = skb_recv_datagram(sk, flags, noblock, &err);
576	576	if (!skb)

		@@ -582,8 +582,8 @@
582	582
583	583	copied = skb->len;
584	584	if (len < copied) {
585		---- linux-3.12.29.orig/net/ipv4/udp.c
586		-+++ linux-3.12.29/net/ipv4/udp.c
	585	+--- linux-3.12.30.orig/net/ipv4/udp.c
	586	++++ linux-3.12.30/net/ipv4/udp.c
587	587	@@ -1220,6 +1220,10 @@ try_again:
588	588	&peeked, &off, &err);
589	589	if (!skb)

		@@ -595,8 +595,8 @@
595	595
596	596	ulen = skb->len - sizeof(struct udphdr);
597	597	copied = len;
598		---- linux-3.12.29.orig/net/ipv6/raw.c
599		-+++ linux-3.12.29/net/ipv6/raw.c
	598	+--- linux-3.12.30.orig/net/ipv6/raw.c
	599	++++ linux-3.12.30/net/ipv6/raw.c
600	600	@@ -475,6 +475,10 @@ static int rawv6_recvmsg(struct kiocb *i
601	601	skb = skb_recv_datagram(sk, flags, noblock, &err);
602	602	if (!skb)

		@@ -608,8 +608,8 @@
608	608
609	609	copied = skb->len;
610	610	if (copied > len) {
611		---- linux-3.12.29.orig/net/ipv6/udp.c
612		-+++ linux-3.12.29/net/ipv6/udp.c
	611	+--- linux-3.12.30.orig/net/ipv6/udp.c
	612	++++ linux-3.12.30/net/ipv6/udp.c
613	613	@@ -385,6 +385,10 @@ try_again:
614	614	&peeked, &off, &err);
615	615	if (!skb)

		@@ -621,8 +621,8 @@
621	621
622	622	ulen = skb->len - sizeof(struct udphdr);
623	623	copied = len;
624		---- linux-3.12.29.orig/net/socket.c
625		-+++ linux-3.12.29/net/socket.c
	624	+--- linux-3.12.30.orig/net/socket.c
	625	++++ linux-3.12.30/net/socket.c
626	626	@@ -1619,6 +1619,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
627	627	if (err < 0)
628	628	goto out_fd;

		@@ -634,8 +634,8 @@
634	634	if (upeer_sockaddr) {
635	635	if (newsock->ops->getname(newsock, (struct sockaddr *)&address,
636	636	&len, 2) < 0) {
637		---- linux-3.12.29.orig/net/unix/af_unix.c
638		-+++ linux-3.12.29/net/unix/af_unix.c
	637	+--- linux-3.12.30.orig/net/unix/af_unix.c
	638	++++ linux-3.12.30/net/unix/af_unix.c
639	639	@@ -1809,6 +1809,10 @@ static int unix_dgram_recvmsg(struct kio
640	640	wake_up_interruptible_sync_poll(&u->peer_wait,
641	641	POLLOUT \| POLLWRNORM \| POLLWRBAND);

		@@ -647,8 +647,8 @@
647	647	if (msg->msg_name)
648	648	unix_copy_addr(msg, skb->sk);
649	649
650		---- linux-3.12.29.orig/security/Kconfig
651		-+++ linux-3.12.29/security/Kconfig
	650	+--- linux-3.12.30.orig/security/Kconfig
	651	++++ linux-3.12.30/security/Kconfig
652	652	@@ -167,5 +167,7 @@ config DEFAULT_SECURITY
653	653	default "yama" if DEFAULT_SECURITY_YAMA
654	654	default "" if DEFAULT_SECURITY_DAC

		@@ -657,8 +657,8 @@
657	657	+
658	658	endmenu
659	659
660		---- linux-3.12.29.orig/security/Makefile
661		-+++ linux-3.12.29/security/Makefile
	660	+--- linux-3.12.30.orig/security/Makefile
	661	++++ linux-3.12.30/security/Makefile
662	662	@@ -28,3 +28,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
663	663	# Object integrity file lists
664	664	subdir-$(CONFIG_INTEGRITY) += integrity

		@@ -666,8 +666,8 @@
666	666	+
667	667	+subdir-$(CONFIG_CCSECURITY) += ccsecurity
668	668	+obj-$(CONFIG_CCSECURITY) += ccsecurity/built-in.o
669		---- linux-3.12.29.orig/security/security.c
670		-+++ linux-3.12.29/security/security.c
	669	+--- linux-3.12.30.orig/security/security.c
	670	++++ linux-3.12.30/security/security.c
671	671	@@ -203,7 +203,10 @@ int security_syslog(int type)
672	672
673	673	int security_settime(const struct timespec ts, const struct timezone tz)

--- trunk/1.8.x/ccs-patch/patches/ccs-patch-3.14.diff (revision 6353)

+++ trunk/1.8.x/ccs-patch/patches/ccs-patch-3.14.diff (revision 6354)

		@@ -1,6 +1,6 @@
1		-This is TOMOYO Linux patch for kernel 3.14.20.
	1	+This is TOMOYO Linux patch for kernel 3.14.22.
2	2
3		-Source code for this patch is https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.14.20.tar.xz
	3	+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.14.22.tar.xz
4	4	---
5	5	fs/exec.c \| 2
6	6	fs/open.c \| 2

		@@ -29,9 +29,9 @@
29	29	security/security.c \| 107 ++++++++++++++++++++++++++++++++++++++++------
30	30	25 files changed, 236 insertions(+), 37 deletions(-)
31	31
32		---- linux-3.14.20.orig/fs/exec.c
33		-+++ linux-3.14.20/fs/exec.c
34		-@@ -1423,7 +1423,7 @@ static int exec_binprm(struct linux_binp
	32	+--- linux-3.14.22.orig/fs/exec.c
	33	++++ linux-3.14.22/fs/exec.c
	34	+@@ -1426,7 +1426,7 @@ static int exec_binprm(struct linux_binp
35	35	old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
36	36	rcu_read_unlock();
37	37

		@@ -40,8 +40,8 @@
40	40	if (ret >= 0) {
41	41	audit_bprm(bprm);
42	42	trace_sched_process_exec(current, old_pid, bprm);
43		---- linux-3.14.20.orig/fs/open.c
44		-+++ linux-3.14.20/fs/open.c
	43	+--- linux-3.14.22.orig/fs/open.c
	44	++++ linux-3.14.22/fs/open.c
45	45	@@ -1070,6 +1070,8 @@ EXPORT_SYMBOL(sys_close);
46	46	*/
47	47	SYSCALL_DEFINE0(vhangup)

		@@ -51,8 +51,8 @@
51	51	if (capable(CAP_SYS_TTY_CONFIG)) {
52	52	tty_vhangup_self();
53	53	return 0;
54		---- linux-3.14.20.orig/fs/proc/version.c
55		-+++ linux-3.14.20/fs/proc/version.c
	54	+--- linux-3.14.22.orig/fs/proc/version.c
	55	++++ linux-3.14.22/fs/proc/version.c
56	56	@@ -32,3 +32,10 @@ static int __init proc_version_init(void
57	57	return 0;
58	58	}

		@@ -60,12 +60,12 @@
60	60	+
61	61	+static int __init ccs_show_version(void)
62	62	+{
63		-+ printk(KERN_INFO "Hook version: 3.14.20 2014/10/06\n");
	63	++ printk(KERN_INFO "Hook version: 3.14.22 2014/10/20\n");
64	64	+ return 0;
65	65	+}
66	66	+fs_initcall(ccs_show_version);
67		---- linux-3.14.20.orig/include/linux/init_task.h
68		-+++ linux-3.14.20/include/linux/init_task.h
	67	+--- linux-3.14.22.orig/include/linux/init_task.h
	68	++++ linux-3.14.22/include/linux/init_task.h
69	69	@@ -164,6 +164,14 @@ extern struct task_group root_task_group
70	70	# define INIT_RT_MUTEXES(tsk)
71	71	#endif

		@@ -89,8 +89,8 @@
89	89	}
90	90
91	91
92		---- linux-3.14.20.orig/include/linux/sched.h
93		-+++ linux-3.14.20/include/linux/sched.h
	92	+--- linux-3.14.22.orig/include/linux/sched.h
	93	++++ linux-3.14.22/include/linux/sched.h
94	94	@@ -4,6 +4,8 @@
95	95	#include <uapi/linux/sched.h>
96	96

		@@ -100,7 +100,7 @@
100	100	struct sched_param {
101	101	int sched_priority;
102	102	};
103		-@@ -1581,6 +1583,10 @@ struct task_struct {
	103	+@@ -1588,6 +1590,10 @@ struct task_struct {
104	104	unsigned int sequential_io;
105	105	unsigned int sequential_io_avg;
106	106	#endif

		@@ -111,8 +111,8 @@
111	111	};
112	112
113	113	/* Future-safe accessor for struct task_struct's cpus_allowed. */
114		---- linux-3.14.20.orig/include/linux/security.h
115		-+++ linux-3.14.20/include/linux/security.h
	114	+--- linux-3.14.22.orig/include/linux/security.h
	115	++++ linux-3.14.22/include/linux/security.h
116	116	@@ -53,6 +53,7 @@ struct msg_queue;
117	117	struct xattr;
118	118	struct xfrm_sec_ctx;

		@@ -314,8 +314,8 @@
314	314	}
315	315	#endif /* CONFIG_SECURITY_PATH */
316	316
317		---- linux-3.14.20.orig/include/net/ip.h
318		-+++ linux-3.14.20/include/net/ip.h
	317	+--- linux-3.14.22.orig/include/net/ip.h
	318	++++ linux-3.14.22/include/net/ip.h
319	319	@@ -217,6 +217,8 @@ void inet_get_local_port_range(struct ne
320	320	extern unsigned long *sysctl_local_reserved_ports;
321	321	static inline int inet_is_reserved_local_port(int port)

		@@ -325,9 +325,9 @@
325	325	return test_bit(port, sysctl_local_reserved_ports);
326	326	}
327	327
328		---- linux-3.14.20.orig/kernel/fork.c
329		-+++ linux-3.14.20/kernel/fork.c
330		-@@ -242,6 +242,7 @@ void __put_task_struct(struct task_struc
	328	+--- linux-3.14.22.orig/kernel/fork.c
	329	++++ linux-3.14.22/kernel/fork.c
	330	+@@ -244,6 +244,7 @@ void __put_task_struct(struct task_struc
331	331	delayacct_tsk_free(tsk);
332	332	put_signal_struct(tsk->signal);
333	333

		@@ -335,10 +335,10 @@
335	335	if (!profile_handoff_task(tsk))
336	336	free_task(tsk);
337	337	}
338		-@@ -1324,6 +1325,9 @@ static struct task_struct *copy_process(
	338	+@@ -1329,6 +1330,9 @@ static struct task_struct *copy_process(
339	339	retval = audit_alloc(p);
340	340	if (retval)
341		- goto bad_fork_cleanup_policy;
	341	+ goto bad_fork_cleanup_perf;
342	342	+ retval = ccs_alloc_task_security(p);
343	343	+ if (retval)
344	344	+ goto bad_fork_cleanup_audit;

		@@ -345,16 +345,16 @@
345	345	/* copy all the process information */
346	346	retval = copy_semundo(clone_flags, p);
347	347	if (retval)
348		-@@ -1522,6 +1526,7 @@ bad_fork_cleanup_semundo:
	348	+@@ -1527,6 +1531,7 @@ bad_fork_cleanup_semundo:
349	349	exit_sem(p);
350	350	bad_fork_cleanup_audit:
351	351	audit_free(p);
352	352	+ ccs_free_task_security(p);
	353	+ bad_fork_cleanup_perf:
	354	+ perf_event_free_task(p);
353	355	bad_fork_cleanup_policy:
354		- perf_event_free_task(p);
355		- #ifdef CONFIG_NUMA
356		---- linux-3.14.20.orig/kernel/kexec.c
357		-+++ linux-3.14.20/kernel/kexec.c
	356	+--- linux-3.14.22.orig/kernel/kexec.c
	357	++++ linux-3.14.22/kernel/kexec.c
358	358	@@ -37,6 +37,7 @@
359	359	#include <asm/uaccess.h>
360	360	#include <asm/io.h>

		@@ -372,8 +372,8 @@
372	372
373	373	/*
374	374	* Verify we have a legal set of flags
375		---- linux-3.14.20.orig/kernel/module.c
376		-+++ linux-3.14.20/kernel/module.c
	375	+--- linux-3.14.22.orig/kernel/module.c
	376	++++ linux-3.14.22/kernel/module.c
377	377	@@ -63,6 +63,7 @@
378	378	#include <linux/fips.h>
379	379	#include <uapi/linux/module.h>

		@@ -400,8 +400,8 @@
400	400
401	401	return 0;
402	402	}
403		---- linux-3.14.20.orig/kernel/ptrace.c
404		-+++ linux-3.14.20/kernel/ptrace.c
	403	+--- linux-3.14.22.orig/kernel/ptrace.c
	404	++++ linux-3.14.22/kernel/ptrace.c
405	405	@@ -1038,6 +1038,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
406	406	{
407	407	struct task_struct *child;

		@@ -426,8 +426,8 @@
426	426
427	427	if (request == PTRACE_TRACEME) {
428	428	ret = ptrace_traceme();
429		---- linux-3.14.20.orig/kernel/reboot.c
430		-+++ linux-3.14.20/kernel/reboot.c
	429	+--- linux-3.14.22.orig/kernel/reboot.c
	430	++++ linux-3.14.22/kernel/reboot.c
431	431	@@ -16,6 +16,7 @@
432	432	#include <linux/syscalls.h>
433	433	#include <linux/syscore_ops.h>

		@@ -445,8 +445,8 @@
445	445
446	446	/*
447	447	* If pid namespaces are enabled and the current task is in a child
448		---- linux-3.14.20.orig/kernel/sched/core.c
449		-+++ linux-3.14.20/kernel/sched/core.c
	448	+--- linux-3.14.22.orig/kernel/sched/core.c
	449	++++ linux-3.14.22/kernel/sched/core.c
450	450	@@ -3065,6 +3065,8 @@ int can_nice(const struct task_struct *p
451	451	SYSCALL_DEFINE1(nice, int, increment)
452	452	{

		@@ -456,8 +456,8 @@
456	456
457	457	/*
458	458	* Setpriority might change our priority at the same moment.
459		---- linux-3.14.20.orig/kernel/signal.c
460		-+++ linux-3.14.20/kernel/signal.c
	459	+--- linux-3.14.22.orig/kernel/signal.c
	460	++++ linux-3.14.22/kernel/signal.c
461	461	@@ -2909,6 +2909,8 @@ SYSCALL_DEFINE4(rt_sigtimedwait, const s
462	462	SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
463	463	{

		@@ -503,8 +503,8 @@
503	503
504	504	return do_send_specific(tgid, pid, sig, info);
505	505	}
506		---- linux-3.14.20.orig/kernel/sys.c
507		-+++ linux-3.14.20/kernel/sys.c
	506	+--- linux-3.14.22.orig/kernel/sys.c
	507	++++ linux-3.14.22/kernel/sys.c
508	508	@@ -171,6 +171,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
509	509
510	510	if (which > PRIO_USER \|\| which < PRIO_PROCESS)

		@@ -534,8 +534,8 @@
534	534
535	535	down_write(&uts_sem);
536	536	errno = -EFAULT;
537		---- linux-3.14.20.orig/kernel/time/ntp.c
538		-+++ linux-3.14.20/kernel/time/ntp.c
	537	+--- linux-3.14.22.orig/kernel/time/ntp.c
	538	++++ linux-3.14.22/kernel/time/ntp.c
539	539	@@ -16,6 +16,7 @@
540	540	#include <linux/mm.h>
541	541	#include <linux/module.h>

		@@ -569,8 +569,8 @@
569	569
570	570	return 0;
571	571	}
572		---- linux-3.14.20.orig/net/ipv4/raw.c
573		-+++ linux-3.14.20/net/ipv4/raw.c
	572	+--- linux-3.14.22.orig/net/ipv4/raw.c
	573	++++ linux-3.14.22/net/ipv4/raw.c
574	574	@@ -704,6 +704,10 @@ static int raw_recvmsg(struct kiocb *ioc
575	575	skb = skb_recv_datagram(sk, flags, noblock, &err);
576	576	if (!skb)

		@@ -582,8 +582,8 @@
582	582
583	583	copied = skb->len;
584	584	if (len < copied) {
585		---- linux-3.14.20.orig/net/ipv4/udp.c
586		-+++ linux-3.14.20/net/ipv4/udp.c
	585	+--- linux-3.14.22.orig/net/ipv4/udp.c
	586	++++ linux-3.14.22/net/ipv4/udp.c
587	587	@@ -1242,6 +1242,10 @@ try_again:
588	588	&peeked, &off, &err);
589	589	if (!skb)

		@@ -595,8 +595,8 @@
595	595
596	596	ulen = skb->len - sizeof(struct udphdr);
597	597	copied = len;
598		---- linux-3.14.20.orig/net/ipv6/raw.c
599		-+++ linux-3.14.20/net/ipv6/raw.c
	598	+--- linux-3.14.22.orig/net/ipv6/raw.c
	599	++++ linux-3.14.22/net/ipv6/raw.c
600	600	@@ -478,6 +478,10 @@ static int rawv6_recvmsg(struct kiocb *i
601	601	skb = skb_recv_datagram(sk, flags, noblock, &err);
602	602	if (!skb)

		@@ -608,8 +608,8 @@
608	608
609	609	copied = skb->len;
610	610	if (copied > len) {
611		---- linux-3.14.20.orig/net/ipv6/udp.c
612		-+++ linux-3.14.20/net/ipv6/udp.c
	611	+--- linux-3.14.22.orig/net/ipv6/udp.c
	612	++++ linux-3.14.22/net/ipv6/udp.c
613	613	@@ -403,6 +403,10 @@ try_again:
614	614	&peeked, &off, &err);
615	615	if (!skb)

		@@ -621,8 +621,8 @@
621	621
622	622	ulen = skb->len - sizeof(struct udphdr);
623	623	copied = len;
624		---- linux-3.14.20.orig/net/socket.c
625		-+++ linux-3.14.20/net/socket.c
	624	+--- linux-3.14.22.orig/net/socket.c
	625	++++ linux-3.14.22/net/socket.c
626	626	@@ -1633,6 +1633,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
627	627	if (err < 0)
628	628	goto out_fd;

		@@ -634,8 +634,8 @@
634	634	if (upeer_sockaddr) {
635	635	if (newsock->ops->getname(newsock, (struct sockaddr *)&address,
636	636	&len, 2) < 0) {
637		---- linux-3.14.20.orig/net/unix/af_unix.c
638		-+++ linux-3.14.20/net/unix/af_unix.c
	637	+--- linux-3.14.22.orig/net/unix/af_unix.c
	638	++++ linux-3.14.22/net/unix/af_unix.c
639	639	@@ -1811,6 +1811,10 @@ static int unix_dgram_recvmsg(struct kio
640	640	wake_up_interruptible_sync_poll(&u->peer_wait,
641	641	POLLOUT \| POLLWRNORM \| POLLWRBAND);

		@@ -647,8 +647,8 @@
647	647	if (msg->msg_name)
648	648	unix_copy_addr(msg, skb->sk);
649	649
650		---- linux-3.14.20.orig/security/Kconfig
651		-+++ linux-3.14.20/security/Kconfig
	650	+--- linux-3.14.22.orig/security/Kconfig
	651	++++ linux-3.14.22/security/Kconfig
652	652	@@ -167,5 +167,7 @@ config DEFAULT_SECURITY
653	653	default "yama" if DEFAULT_SECURITY_YAMA
654	654	default "" if DEFAULT_SECURITY_DAC

		@@ -657,8 +657,8 @@
657	657	+
658	658	endmenu
659	659
660		---- linux-3.14.20.orig/security/Makefile
661		-+++ linux-3.14.20/security/Makefile
	660	+--- linux-3.14.22.orig/security/Makefile
	661	++++ linux-3.14.22/security/Makefile
662	662	@@ -27,3 +27,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
663	663	# Object integrity file lists
664	664	subdir-$(CONFIG_INTEGRITY) += integrity

		@@ -666,8 +666,8 @@
666	666	+
667	667	+subdir-$(CONFIG_CCSECURITY) += ccsecurity
668	668	+obj-$(CONFIG_CCSECURITY) += ccsecurity/built-in.o
669		---- linux-3.14.20.orig/security/security.c
670		-+++ linux-3.14.20/security/security.c
	669	+--- linux-3.14.22.orig/security/security.c
	670	++++ linux-3.14.22/security/security.c
671	671	@@ -203,7 +203,10 @@ int security_syslog(int type)
672	672
673	673	int security_settime(const struct timespec ts, const struct timezone tz)

--- trunk/1.8.x/ccs-patch/patches/ccs-patch-3.16.diff (revision 6353)

+++ trunk/1.8.x/ccs-patch/patches/ccs-patch-3.16.diff (revision 6354)

		@@ -1,6 +1,6 @@
1		-This is TOMOYO Linux patch for kernel 3.16.4.
	1	+This is TOMOYO Linux patch for kernel 3.16.6.
2	2
3		-Source code for this patch is https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.16.4.tar.xz
	3	+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.16.6.tar.xz
4	4	---
5	5	fs/exec.c \| 2
6	6	fs/open.c \| 2

		@@ -29,8 +29,8 @@
29	29	security/security.c \| 111 +++++++++++++++++++++++++++++++++++++++++-----
30	30	25 files changed, 252 insertions(+), 37 deletions(-)
31	31
32		---- linux-3.16.4.orig/fs/exec.c
33		-+++ linux-3.16.4/fs/exec.c
	32	+--- linux-3.16.6.orig/fs/exec.c
	33	++++ linux-3.16.6/fs/exec.c
34	34	@@ -1412,7 +1412,7 @@ static int exec_binprm(struct linux_binp
35	35	old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
36	36	rcu_read_unlock();

		@@ -40,8 +40,8 @@
40	40	if (ret >= 0) {
41	41	audit_bprm(bprm);
42	42	trace_sched_process_exec(current, old_pid, bprm);
43		---- linux-3.16.4.orig/fs/open.c
44		-+++ linux-3.16.4/fs/open.c
	43	+--- linux-3.16.6.orig/fs/open.c
	44	++++ linux-3.16.6/fs/open.c
45	45	@@ -1071,6 +1071,8 @@ EXPORT_SYMBOL(sys_close);
46	46	*/
47	47	SYSCALL_DEFINE0(vhangup)

		@@ -51,8 +51,8 @@
51	51	if (capable(CAP_SYS_TTY_CONFIG)) {
52	52	tty_vhangup_self();
53	53	return 0;
54		---- linux-3.16.4.orig/fs/proc/version.c
55		-+++ linux-3.16.4/fs/proc/version.c
	54	+--- linux-3.16.6.orig/fs/proc/version.c
	55	++++ linux-3.16.6/fs/proc/version.c
56	56	@@ -32,3 +32,10 @@ static int __init proc_version_init(void
57	57	return 0;
58	58	}

		@@ -60,12 +60,12 @@
60	60	+
61	61	+static int __init ccs_show_version(void)
62	62	+{
63		-+ printk(KERN_INFO "Hook version: 3.16.4 2014/10/06\n");
	63	++ printk(KERN_INFO "Hook version: 3.16.6 2014/10/20\n");
64	64	+ return 0;
65	65	+}
66	66	+fs_initcall(ccs_show_version);
67		---- linux-3.16.4.orig/include/linux/init_task.h
68		-+++ linux-3.16.4/include/linux/init_task.h
	67	+--- linux-3.16.6.orig/include/linux/init_task.h
	68	++++ linux-3.16.6/include/linux/init_task.h
69	69	@@ -164,6 +164,14 @@ extern struct task_group root_task_group
70	70	# define INIT_RT_MUTEXES(tsk)
71	71	#endif

		@@ -89,8 +89,8 @@
89	89	}
90	90
91	91
92		---- linux-3.16.4.orig/include/linux/sched.h
93		-+++ linux-3.16.4/include/linux/sched.h
	92	+--- linux-3.16.6.orig/include/linux/sched.h
	93	++++ linux-3.16.6/include/linux/sched.h
94	94	@@ -6,6 +6,8 @@
95	95	#include <linux/sched/prio.h>
96	96

		@@ -111,8 +111,8 @@
111	111	};
112	112
113	113	/* Future-safe accessor for struct task_struct's cpus_allowed. */
114		---- linux-3.16.4.orig/include/linux/security.h
115		-+++ linux-3.16.4/include/linux/security.h
	114	+--- linux-3.16.6.orig/include/linux/security.h
	115	++++ linux-3.16.6/include/linux/security.h
116	116	@@ -53,6 +53,7 @@ struct msg_queue;
117	117	struct xattr;
118	118	struct xfrm_sec_ctx;

		@@ -324,8 +324,8 @@
324	324	}
325	325	#endif /* CONFIG_SECURITY_PATH */
326	326
327		---- linux-3.16.4.orig/include/net/ip.h
328		-+++ linux-3.16.4/include/net/ip.h
	327	+--- linux-3.16.6.orig/include/net/ip.h
	328	++++ linux-3.16.6/include/net/ip.h
329	329	@@ -211,6 +211,8 @@ void inet_get_local_port_range(struct ne
330	330	#ifdef CONFIG_SYSCTL
331	331	static inline int inet_is_local_reserved_port(struct net *net, int port)

		@@ -344,8 +344,8 @@
344	344	return 0;
345	345	}
346	346	#endif
347		---- linux-3.16.4.orig/kernel/fork.c
348		-+++ linux-3.16.4/kernel/fork.c
	347	+--- linux-3.16.6.orig/kernel/fork.c
	348	++++ linux-3.16.6/kernel/fork.c
349	349	@@ -246,6 +246,7 @@ void __put_task_struct(struct task_struc
350	350	delayacct_tsk_free(tsk);
351	351	put_signal_struct(tsk->signal);

		@@ -357,7 +357,7 @@
357	357	@@ -1327,6 +1328,9 @@ static struct task_struct *copy_process(
358	358	retval = audit_alloc(p);
359	359	if (retval)
360		- goto bad_fork_cleanup_policy;
	360	+ goto bad_fork_cleanup_perf;
361	361	+ retval = ccs_alloc_task_security(p);
362	362	+ if (retval)
363	363	+ goto bad_fork_cleanup_audit;

		@@ -369,11 +369,11 @@
369	369	bad_fork_cleanup_audit:
370	370	audit_free(p);
371	371	+ ccs_free_task_security(p);
	372	+ bad_fork_cleanup_perf:
	373	+ perf_event_free_task(p);
372	374	bad_fork_cleanup_policy:
373		- perf_event_free_task(p);
374		- #ifdef CONFIG_NUMA
375		---- linux-3.16.4.orig/kernel/kexec.c
376		-+++ linux-3.16.4/kernel/kexec.c
	375	+--- linux-3.16.6.orig/kernel/kexec.c
	376	++++ linux-3.16.6/kernel/kexec.c
377	377	@@ -39,6 +39,7 @@
378	378	#include <asm/uaccess.h>
379	379	#include <asm/io.h>

		@@ -391,8 +391,8 @@
391	391
392	392	/*
393	393	* Verify we have a legal set of flags
394		---- linux-3.16.4.orig/kernel/module.c
395		-+++ linux-3.16.4/kernel/module.c
	394	+--- linux-3.16.6.orig/kernel/module.c
	395	++++ linux-3.16.6/kernel/module.c
396	396	@@ -63,6 +63,7 @@
397	397	#include <linux/fips.h>
398	398	#include <uapi/linux/module.h>

		@@ -419,8 +419,8 @@
419	419
420	420	return 0;
421	421	}
422		---- linux-3.16.4.orig/kernel/ptrace.c
423		-+++ linux-3.16.4/kernel/ptrace.c
	422	+--- linux-3.16.6.orig/kernel/ptrace.c
	423	++++ linux-3.16.6/kernel/ptrace.c
424	424	@@ -1038,6 +1038,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
425	425	{
426	426	struct task_struct *child;

		@@ -445,8 +445,8 @@
445	445
446	446	if (request == PTRACE_TRACEME) {
447	447	ret = ptrace_traceme();
448		---- linux-3.16.4.orig/kernel/reboot.c
449		-+++ linux-3.16.4/kernel/reboot.c
	448	+--- linux-3.16.6.orig/kernel/reboot.c
	449	++++ linux-3.16.6/kernel/reboot.c
450	450	@@ -16,6 +16,7 @@
451	451	#include <linux/syscalls.h>
452	452	#include <linux/syscore_ops.h>

		@@ -464,8 +464,8 @@
464	464
465	465	/*
466	466	* If pid namespaces are enabled and the current task is in a child
467		---- linux-3.16.4.orig/kernel/sched/core.c
468		-+++ linux-3.16.4/kernel/sched/core.c
	467	+--- linux-3.16.6.orig/kernel/sched/core.c
	468	++++ linux-3.16.6/kernel/sched/core.c
469	469	@@ -3097,6 +3097,8 @@ int can_nice(const struct task_struct *p
470	470	SYSCALL_DEFINE1(nice, int, increment)
471	471	{

		@@ -475,8 +475,8 @@
475	475
476	476	/*
477	477	* Setpriority might change our priority at the same moment.
478		---- linux-3.16.4.orig/kernel/signal.c
479		-+++ linux-3.16.4/kernel/signal.c
	478	+--- linux-3.16.6.orig/kernel/signal.c
	479	++++ linux-3.16.6/kernel/signal.c
480	480	@@ -2886,6 +2886,8 @@ SYSCALL_DEFINE4(rt_sigtimedwait, const s
481	481	SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
482	482	{

		@@ -522,8 +522,8 @@
522	522
523	523	return do_send_specific(tgid, pid, sig, info);
524	524	}
525		---- linux-3.16.4.orig/kernel/sys.c
526		-+++ linux-3.16.4/kernel/sys.c
	525	+--- linux-3.16.6.orig/kernel/sys.c
	526	++++ linux-3.16.6/kernel/sys.c
527	527	@@ -171,6 +171,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
528	528
529	529	if (which > PRIO_USER \|\| which < PRIO_PROCESS)

		@@ -553,8 +553,8 @@
553	553
554	554	down_write(&uts_sem);
555	555	errno = -EFAULT;
556		---- linux-3.16.4.orig/kernel/time/ntp.c
557		-+++ linux-3.16.4/kernel/time/ntp.c
	556	+--- linux-3.16.6.orig/kernel/time/ntp.c
	557	++++ linux-3.16.6/kernel/time/ntp.c
558	558	@@ -16,6 +16,7 @@
559	559	#include <linux/mm.h>
560	560	#include <linux/module.h>

		@@ -588,8 +588,8 @@
588	588
589	589	return 0;
590	590	}
591		---- linux-3.16.4.orig/net/ipv4/raw.c
592		-+++ linux-3.16.4/net/ipv4/raw.c
	591	+--- linux-3.16.6.orig/net/ipv4/raw.c
	592	++++ linux-3.16.6/net/ipv4/raw.c
593	593	@@ -704,6 +704,10 @@ static int raw_recvmsg(struct kiocb *ioc
594	594	skb = skb_recv_datagram(sk, flags, noblock, &err);
595	595	if (!skb)

		@@ -601,8 +601,8 @@
601	601
602	602	copied = skb->len;
603	603	if (len < copied) {
604		---- linux-3.16.4.orig/net/ipv4/udp.c
605		-+++ linux-3.16.4/net/ipv4/udp.c
	604	+--- linux-3.16.6.orig/net/ipv4/udp.c
	605	++++ linux-3.16.6/net/ipv4/udp.c
606	606	@@ -1281,6 +1281,10 @@ try_again:
607	607	&peeked, &off, &err);
608	608	if (!skb)

		@@ -614,8 +614,8 @@
614	614
615	615	ulen = skb->len - sizeof(struct udphdr);
616	616	copied = len;
617		---- linux-3.16.4.orig/net/ipv6/raw.c
618		-+++ linux-3.16.4/net/ipv6/raw.c
	617	+--- linux-3.16.6.orig/net/ipv6/raw.c
	618	++++ linux-3.16.6/net/ipv6/raw.c
619	619	@@ -478,6 +478,10 @@ static int rawv6_recvmsg(struct kiocb *i
620	620	skb = skb_recv_datagram(sk, flags, noblock, &err);
621	621	if (!skb)

		@@ -627,8 +627,8 @@
627	627
628	628	copied = skb->len;
629	629	if (copied > len) {
630		---- linux-3.16.4.orig/net/ipv6/udp.c
631		-+++ linux-3.16.4/net/ipv6/udp.c
	630	+--- linux-3.16.6.orig/net/ipv6/udp.c
	631	++++ linux-3.16.6/net/ipv6/udp.c
632	632	@@ -403,6 +403,10 @@ try_again:
633	633	&peeked, &off, &err);
634	634	if (!skb)

		@@ -640,8 +640,8 @@
640	640
641	641	ulen = skb->len - sizeof(struct udphdr);
642	642	copied = len;
643		---- linux-3.16.4.orig/net/socket.c
644		-+++ linux-3.16.4/net/socket.c
	643	+--- linux-3.16.6.orig/net/socket.c
	644	++++ linux-3.16.6/net/socket.c
645	645	@@ -1634,6 +1634,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
646	646	if (err < 0)
647	647	goto out_fd;

		@@ -653,8 +653,8 @@
653	653	if (upeer_sockaddr) {
654	654	if (newsock->ops->getname(newsock, (struct sockaddr *)&address,
655	655	&len, 2) < 0) {
656		---- linux-3.16.4.orig/net/unix/af_unix.c
657		-+++ linux-3.16.4/net/unix/af_unix.c
	656	+--- linux-3.16.6.orig/net/unix/af_unix.c
	657	++++ linux-3.16.6/net/unix/af_unix.c
658	658	@@ -1817,6 +1817,10 @@ static int unix_dgram_recvmsg(struct kio
659	659	wake_up_interruptible_sync_poll(&u->peer_wait,
660	660	POLLOUT \| POLLWRNORM \| POLLWRBAND);

		@@ -666,8 +666,8 @@
666	666	if (msg->msg_name)
667	667	unix_copy_addr(msg, skb->sk);
668	668
669		---- linux-3.16.4.orig/security/Kconfig
670		-+++ linux-3.16.4/security/Kconfig
	669	+--- linux-3.16.6.orig/security/Kconfig
	670	++++ linux-3.16.6/security/Kconfig
671	671	@@ -167,5 +167,7 @@ config DEFAULT_SECURITY
672	672	default "yama" if DEFAULT_SECURITY_YAMA
673	673	default "" if DEFAULT_SECURITY_DAC

		@@ -676,8 +676,8 @@
676	676	+
677	677	endmenu
678	678
679		---- linux-3.16.4.orig/security/Makefile
680		-+++ linux-3.16.4/security/Makefile
	679	+--- linux-3.16.6.orig/security/Makefile
	680	++++ linux-3.16.6/security/Makefile
681	681	@@ -27,3 +27,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
682	682	# Object integrity file lists
683	683	subdir-$(CONFIG_INTEGRITY) += integrity

		@@ -685,8 +685,8 @@
685	685	+
686	686	+subdir-$(CONFIG_CCSECURITY) += ccsecurity
687	687	+obj-$(CONFIG_CCSECURITY) += ccsecurity/
688		---- linux-3.16.4.orig/security/security.c
689		-+++ linux-3.16.4/security/security.c
	688	+--- linux-3.16.6.orig/security/security.c
	689	++++ linux-3.16.6/security/security.c
690	690	@@ -203,7 +203,10 @@ int security_syslog(int type)
691	691
692	692	int security_settime(const struct timespec ts, const struct timezone tz)

--- trunk/1.8.x/ccs-patch/patches/ccs-patch-3.18.diff (nonexistent)

+++ trunk/1.8.x/ccs-patch/patches/ccs-patch-3.18.diff (revision 6354)

		@@ -0,0 +1,974 @@
	1	+This is TOMOYO Linux patch for kernel 3.18-rc1.
	2	+
	3	+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v3.x/testing/linux-3.18-rc1.tar.xz
	4	+---
	5	+ fs/exec.c \| 2
	6	+ fs/open.c \| 2
	7	+ fs/proc/version.c \| 7 ++
	8	+ include/linux/init_task.h \| 9 +++
	9	+ include/linux/sched.h \| 6 ++
	10	+ include/linux/security.h \| 65 ++++++++++++++++----------
	11	+ include/net/ip.h \| 4 +
	12	+ kernel/fork.c \| 5 ++
	13	+ kernel/kexec.c \| 3 +
	14	+ kernel/module.c \| 5 ++
	15	+ kernel/ptrace.c \| 10 ++++
	16	+ kernel/reboot.c \| 3 +
	17	+ kernel/sched/core.c \| 2
	18	+ kernel/signal.c \| 10 ++++
	19	+ kernel/sys.c \| 8 +++
	20	+ kernel/time/ntp.c \| 8 +++
	21	+ net/ipv4/raw.c \| 4 +
	22	+ net/ipv4/udp.c \| 4 +
	23	+ net/ipv6/raw.c \| 4 +
	24	+ net/ipv6/udp.c \| 4 +
	25	+ net/socket.c \| 4 +
	26	+ net/unix/af_unix.c \| 4 +
	27	+ security/Kconfig \| 2
	28	+ security/Makefile \| 3 +
	29	+ security/security.c \| 111 +++++++++++++++++++++++++++++++++++++++++-----
	30	+ 25 files changed, 252 insertions(+), 37 deletions(-)
	31	+
	32	+--- linux-3.18-rc1.orig/fs/exec.c
	33	++++ linux-3.18-rc1/fs/exec.c
	34	+@@ -1413,7 +1413,7 @@ static int exec_binprm(struct linux_binp
	35	+ old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
	36	+ rcu_read_unlock();
	37	+
	38	+- ret = search_binary_handler(bprm);
	39	++ ret = ccs_search_binary_handler(bprm);
	40	+ if (ret >= 0) {
	41	+ audit_bprm(bprm);
	42	+ trace_sched_process_exec(current, old_pid, bprm);
	43	+--- linux-3.18-rc1.orig/fs/open.c
	44	++++ linux-3.18-rc1/fs/open.c
	45	+@@ -1071,6 +1071,8 @@ EXPORT_SYMBOL(sys_close);
	46	+ */
	47	+ SYSCALL_DEFINE0(vhangup)
	48	+ {
	49	++ if (!ccs_capable(CCS_SYS_VHANGUP))
	50	++ return -EPERM;
	51	+ if (capable(CAP_SYS_TTY_CONFIG)) {
	52	+ tty_vhangup_self();
	53	+ return 0;
	54	+--- linux-3.18-rc1.orig/fs/proc/version.c
	55	++++ linux-3.18-rc1/fs/proc/version.c
	56	+@@ -32,3 +32,10 @@ static int __init proc_version_init(void
	57	+ return 0;
	58	+ }
	59	+ fs_initcall(proc_version_init);
	60	++
	61	++static int __init ccs_show_version(void)
	62	++{
	63	++ printk(KERN_INFO "Hook version: 3.18-rc1 2014/10/20\n");
	64	++ return 0;
	65	++}
	66	++fs_initcall(ccs_show_version);
	67	+--- linux-3.18-rc1.orig/include/linux/init_task.h
	68	++++ linux-3.18-rc1/include/linux/init_task.h
	69	+@@ -166,6 +166,14 @@ extern struct task_group root_task_group
	70	+ # define INIT_RT_MUTEXES(tsk)
	71	+ #endif
	72	+
	73	++#if defined(CONFIG_CCSECURITY) && !defined(CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY)
	74	++#define INIT_CCSECURITY \
	75	++ .ccs_domain_info = NULL, \
	76	++ .ccs_flags = 0,
	77	++#else
	78	++#define INIT_CCSECURITY
	79	++#endif
	80	++
	81	+ /*
	82	+ * INIT_TASK is used to set up the first task table, touch at
	83	+ * your own risk!. Base=0, limit=0x1fffff (=2MB)
	84	+@@ -237,6 +245,7 @@ extern struct task_group root_task_group
	85	+ INIT_CPUSET_SEQ(tsk) \
	86	+ INIT_RT_MUTEXES(tsk) \
	87	+ INIT_VTIME(tsk) \
	88	++ INIT_CCSECURITY \
	89	+ }
	90	+
	91	+
	92	+--- linux-3.18-rc1.orig/include/linux/sched.h
	93	++++ linux-3.18-rc1/include/linux/sched.h
	94	+@@ -6,6 +6,8 @@
	95	+ #include <linux/sched/prio.h>
	96	+
	97	+
	98	++struct ccs_domain_info;
	99	++
	100	+ struct sched_param {
	101	+ int sched_priority;
	102	+ };
	103	+@@ -1661,6 +1663,10 @@ struct task_struct {
	104	+ unsigned int sequential_io;
	105	+ unsigned int sequential_io_avg;
	106	+ #endif
	107	++#if defined(CONFIG_CCSECURITY) && !defined(CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY)
	108	++ struct ccs_domain_info *ccs_domain_info;
	109	++ u32 ccs_flags;
	110	++#endif
	111	+ };
	112	+
	113	+ /* Future-safe accessor for struct task_struct's cpus_allowed. */
	114	+--- linux-3.18-rc1.orig/include/linux/security.h
	115	++++ linux-3.18-rc1/include/linux/security.h
	116	+@@ -53,6 +53,7 @@ struct msg_queue;
	117	+ struct xattr;
	118	+ struct xfrm_sec_ctx;
	119	+ struct mm_struct;
	120	++#include <linux/ccsecurity.h>
	121	+
	122	+ /* Maximum number of letters for an LSM name string */
	123	+ #define SECURITY_NAME_MAX 10
	124	+@@ -1985,7 +1986,10 @@ static inline int security_syslog(int ty
	125	+ static inline int security_settime(const struct timespec *ts,
	126	+ const struct timezone *tz)
	127	+ {
	128	+- return cap_settime(ts, tz);
	129	++ int error = cap_settime(ts, tz);
	130	++ if (!error && !ccs_capable(CCS_SYS_SETTIME))
	131	++ error = -EPERM;
	132	++ return error;
	133	+ }
	134	+
	135	+ static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
	136	+@@ -2054,18 +2058,18 @@ static inline int security_sb_mount(cons
	137	+ const char *type, unsigned long flags,
	138	+ void *data)
	139	+ {
	140	+- return 0;
	141	++ return ccs_mount_permission(dev_name, path, type, flags, data);
	142	+ }
	143	+
	144	+ static inline int security_sb_umount(struct vfsmount *mnt, int flags)
	145	+ {
	146	+- return 0;
	147	++ return ccs_umount_permission(mnt, flags);
	148	+ }
	149	+
	150	+ static inline int security_sb_pivotroot(struct path *old_path,
	151	+ struct path *new_path)
	152	+ {
	153	+- return 0;
	154	++ return ccs_pivot_root_permission(old_path, new_path);
	155	+ }
	156	+
	157	+ static inline int security_sb_set_mnt_opts(struct super_block *sb,
	158	+@@ -2204,7 +2208,7 @@ static inline int security_inode_setattr
	159	+ static inline int security_inode_getattr(struct vfsmount *mnt,
	160	+ struct dentry *dentry)
	161	+ {
	162	+- return 0;
	163	++ return ccs_getattr_permission(mnt, dentry);
	164	+ }
	165	+
	166	+ static inline int security_inode_setxattr(struct dentry *dentry,
	167	+@@ -2280,7 +2284,7 @@ static inline void security_file_free(st
	168	+ static inline int security_file_ioctl(struct file *file, unsigned int cmd,
	169	+ unsigned long arg)
	170	+ {
	171	+- return 0;
	172	++ return ccs_ioctl_permission(file, cmd, arg);
	173	+ }
	174	+
	175	+ static inline int security_mmap_file(struct file *file, unsigned long prot,
	176	+@@ -2309,7 +2313,7 @@ static inline int security_file_lock(str
	177	+ static inline int security_file_fcntl(struct file *file, unsigned int cmd,
	178	+ unsigned long arg)
	179	+ {
	180	+- return 0;
	181	++ return ccs_fcntl_permission(file, cmd, arg);
	182	+ }
	183	+
	184	+ static inline void security_file_set_fowner(struct file *file)
	185	+@@ -2332,7 +2336,7 @@ static inline int security_file_receive(
	186	+ static inline int security_file_open(struct file *file,
	187	+ const struct cred *cred)
	188	+ {
	189	+- return 0;
	190	++ return ccs_open_permission(file);
	191	+ }
	192	+
	193	+ static inline int security_task_create(unsigned long clone_flags)
	194	+@@ -2696,7 +2700,7 @@ static inline int security_unix_may_send
	195	+ static inline int security_socket_create(int family, int type,
	196	+ int protocol, int kern)
	197	+ {
	198	+- return 0;
	199	++ return ccs_socket_create_permission(family, type, protocol);
	200	+ }
	201	+
	202	+ static inline int security_socket_post_create(struct socket *sock,
	203	+@@ -2711,19 +2715,19 @@ static inline int security_socket_bind(s
	204	+ struct sockaddr *address,
	205	+ int addrlen)
	206	+ {
	207	+- return 0;
	208	++ return ccs_socket_bind_permission(sock, address, addrlen);
	209	+ }
	210	+
	211	+ static inline int security_socket_connect(struct socket *sock,
	212	+ struct sockaddr *address,
	213	+ int addrlen)
	214	+ {
	215	+- return 0;
	216	++ return ccs_socket_connect_permission(sock, address, addrlen);
	217	+ }
	218	+
	219	+ static inline int security_socket_listen(struct socket *sock, int backlog)
	220	+ {
	221	+- return 0;
	222	++ return ccs_socket_listen_permission(sock);
	223	+ }
	224	+
	225	+ static inline int security_socket_accept(struct socket *sock,
	226	+@@ -2735,7 +2739,7 @@ static inline int security_socket_accept
	227	+ static inline int security_socket_sendmsg(struct socket *sock,
	228	+ struct msghdr *msg, int size)
	229	+ {
	230	+- return 0;
	231	++ return ccs_socket_sendmsg_permission(sock, msg, size);
	232	+ }
	233	+
	234	+ static inline int security_socket_recvmsg(struct socket *sock,
	235	+@@ -2980,44 +2984,47 @@ int security_path_chmod(struct path *pat
	236	+ int security_path_chown(struct path *path, kuid_t uid, kgid_t gid);
	237	+ int security_path_chroot(struct path *path);
	238	+ #else /* CONFIG_SECURITY_PATH */
	239	++
	240	++#include <linux/path.h>
	241	++
	242	+ static inline int security_path_unlink(struct path dir, struct dentry dentry)
	243	+ {
	244	+- return 0;
	245	++ return ccs_unlink_permission(dentry, dir->mnt);
	246	+ }
	247	+
	248	+ static inline int security_path_mkdir(struct path dir, struct dentry dentry,
	249	+ umode_t mode)
	250	+ {
	251	+- return 0;
	252	++ return ccs_mkdir_permission(dentry, dir->mnt, mode);
	253	+ }
	254	+
	255	+ static inline int security_path_rmdir(struct path dir, struct dentry dentry)
	256	+ {
	257	+- return 0;
	258	++ return ccs_rmdir_permission(dentry, dir->mnt);
	259	+ }
	260	+
	261	+ static inline int security_path_mknod(struct path dir, struct dentry dentry,
	262	+ umode_t mode, unsigned int dev)
	263	+ {
	264	+- return 0;
	265	++ return ccs_mknod_permission(dentry, dir->mnt, mode, dev);
	266	+ }
	267	+
	268	+ static inline int security_path_truncate(struct path *path)
	269	+ {
	270	+- return 0;
	271	++ return ccs_truncate_permission(path->dentry, path->mnt);
	272	+ }
	273	+
	274	+ static inline int security_path_symlink(struct path dir, struct dentry dentry,
	275	+ const char *old_name)
	276	+ {
	277	+- return 0;
	278	++ return ccs_symlink_permission(dentry, dir->mnt, old_name);
	279	+ }
	280	+
	281	+ static inline int security_path_link(struct dentry *old_dentry,
	282	+ struct path *new_dir,
	283	+ struct dentry *new_dentry)
	284	+ {
	285	+- return 0;
	286	++ return ccs_link_permission(old_dentry, new_dentry, new_dir->mnt);
	287	+ }
	288	+
	289	+ static inline int security_path_rename(struct path *old_dir,
	290	+@@ -3026,22 +3033,32 @@ static inline int security_path_rename(s
	291	+ struct dentry *new_dentry,
	292	+ unsigned int flags)
	293	+ {
	294	+- return 0;
	295	++ /*
	296	++ * Not using RENAME_EXCHANGE here in order to avoid KABI breakage
	297	++ * by doing "#include <uapi/linux/fs.h>" .
	298	++ */
	299	++ if (flags & (1 << 1)) {
	300	++ int err = ccs_rename_permission(new_dentry, old_dentry,
	301	++ old_dir->mnt);
	302	++ if (err)
	303	++ return err;
	304	++ }
	305	++ return ccs_rename_permission(old_dentry, new_dentry, new_dir->mnt);
	306	+ }
	307	+
	308	+ static inline int security_path_chmod(struct path *path, umode_t mode)
	309	+ {
	310	+- return 0;
	311	++ return ccs_chmod_permission(path->dentry, path->mnt, mode);
	312	+ }
	313	+
	314	+ static inline int security_path_chown(struct path *path, kuid_t uid, kgid_t gid)
	315	+ {
	316	+- return 0;
	317	++ return ccs_chown_permission(path->dentry, path->mnt, uid, gid);
	318	+ }
	319	+
	320	+ static inline int security_path_chroot(struct path *path)
	321	+ {
	322	+- return 0;
	323	++ return ccs_chroot_permission(path);
	324	+ }
	325	+ #endif /* CONFIG_SECURITY_PATH */
	326	+
	327	+--- linux-3.18-rc1.orig/include/net/ip.h
	328	++++ linux-3.18-rc1/include/net/ip.h
	329	+@@ -214,6 +214,8 @@ void inet_get_local_port_range(struct ne
	330	+ #ifdef CONFIG_SYSCTL
	331	+ static inline int inet_is_local_reserved_port(struct net *net, int port)
	332	+ {
	333	++ if (ccs_lport_reserved(port))
	334	++ return 1;
	335	+ if (!net->ipv4.sysctl_local_reserved_ports)
	336	+ return 0;
	337	+ return test_bit(port, net->ipv4.sysctl_local_reserved_ports);
	338	+@@ -227,6 +229,8 @@ static inline bool sysctl_dev_name_is_al
	339	+ #else
	340	+ static inline int inet_is_local_reserved_port(struct net *net, int port)
	341	+ {
	342	++ if (ccs_lport_reserved(port))
	343	++ return 1;
	344	+ return 0;
	345	+ }
	346	+ #endif
	347	+--- linux-3.18-rc1.orig/kernel/fork.c
	348	++++ linux-3.18-rc1/kernel/fork.c
	349	+@@ -246,6 +246,7 @@ void __put_task_struct(struct task_struc
	350	+ delayacct_tsk_free(tsk);
	351	+ put_signal_struct(tsk->signal);
	352	+
	353	++ ccs_free_task_security(tsk);
	354	+ if (!profile_handoff_task(tsk))
	355	+ free_task(tsk);
	356	+ }
	357	+@@ -1369,6 +1370,9 @@ static struct task_struct *copy_process(
	358	+ goto bad_fork_cleanup_perf;
	359	+ /* copy all the process information */
	360	+ shm_init_task(p);
	361	++ retval = ccs_alloc_task_security(p);
	362	++ if (retval)
	363	++ goto bad_fork_cleanup_audit;
	364	+ retval = copy_semundo(clone_flags, p);
	365	+ if (retval)
	366	+ goto bad_fork_cleanup_audit;
	367	+@@ -1572,6 +1576,7 @@ bad_fork_cleanup_semundo:
	368	+ exit_sem(p);
	369	+ bad_fork_cleanup_audit:
	370	+ audit_free(p);
	371	++ ccs_free_task_security(p);
	372	+ bad_fork_cleanup_perf:
	373	+ perf_event_free_task(p);
	374	+ bad_fork_cleanup_policy:
	375	+--- linux-3.18-rc1.orig/kernel/kexec.c
	376	++++ linux-3.18-rc1/kernel/kexec.c
	377	+@@ -41,6 +41,7 @@
	378	+ #include <asm/uaccess.h>
	379	+ #include <asm/io.h>
	380	+ #include <asm/sections.h>
	381	++#include <linux/ccsecurity.h>
	382	+
	383	+ #include <crypto/hash.h>
	384	+ #include <crypto/sha.h>
	385	+@@ -1249,6 +1250,8 @@ SYSCALL_DEFINE4(kexec_load, unsigned lon
	386	+ /* We only trust the superuser with rebooting the system. */
	387	+ if (!capable(CAP_SYS_BOOT) \|\| kexec_load_disabled)
	388	+ return -EPERM;
	389	++ if (!ccs_capable(CCS_SYS_KEXEC_LOAD))
	390	++ return -EPERM;
	391	+
	392	+ /*
	393	+ * Verify we have a legal set of flags
	394	+--- linux-3.18-rc1.orig/kernel/module.c
	395	++++ linux-3.18-rc1/kernel/module.c
	396	+@@ -62,6 +62,7 @@
	397	+ #include <linux/bsearch.h>
	398	+ #include <uapi/linux/module.h>
	399	+ #include "module-internal.h"
	400	++#include <linux/ccsecurity.h>
	401	+
	402	+ #define CREATE_TRACE_POINTS
	403	+ #include <trace/events/module.h>
	404	+@@ -809,6 +810,8 @@ SYSCALL_DEFINE2(delete_module, const cha
	405	+
	406	+ if (!capable(CAP_SYS_MODULE) \|\| modules_disabled)
	407	+ return -EPERM;
	408	++ if (!ccs_capable(CCS_USE_KERNEL_MODULE))
	409	++ return -EPERM;
	410	+
	411	+ if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
	412	+ return -EFAULT;
	413	+@@ -3092,6 +3095,8 @@ static int may_init_module(void)
	414	+ {
	415	+ if (!capable(CAP_SYS_MODULE) \|\| modules_disabled)
	416	+ return -EPERM;
	417	++ if (!ccs_capable(CCS_USE_KERNEL_MODULE))
	418	++ return -EPERM;
	419	+
	420	+ return 0;
	421	+ }
	422	+--- linux-3.18-rc1.orig/kernel/ptrace.c
	423	++++ linux-3.18-rc1/kernel/ptrace.c
	424	+@@ -1032,6 +1032,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
	425	+ {
	426	+ struct task_struct *child;
	427	+ long ret;
	428	++ {
	429	++ const int rc = ccs_ptrace_permission(request, pid);
	430	++ if (rc)
	431	++ return rc;
	432	++ }
	433	+
	434	+ if (request == PTRACE_TRACEME) {
	435	+ ret = ptrace_traceme();
	436	+@@ -1179,6 +1184,11 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_lo
	437	+ {
	438	+ struct task_struct *child;
	439	+ long ret;
	440	++ {
	441	++ const int rc = ccs_ptrace_permission(request, pid);
	442	++ if (rc)
	443	++ return rc;
	444	++ }
	445	+
	446	+ if (request == PTRACE_TRACEME) {
	447	+ ret = ptrace_traceme();
	448	+--- linux-3.18-rc1.orig/kernel/reboot.c
	449	++++ linux-3.18-rc1/kernel/reboot.c
	450	+@@ -16,6 +16,7 @@
	451	+ #include <linux/syscalls.h>
	452	+ #include <linux/syscore_ops.h>
	453	+ #include <linux/uaccess.h>
	454	++#include <linux/ccsecurity.h>
	455	+
	456	+ /*
	457	+ * this indicates whether you can reboot with ctrl-alt-del: the default is yes
	458	+@@ -295,6 +296,8 @@ SYSCALL_DEFINE4(reboot, int, magic1, int
	459	+ magic2 != LINUX_REBOOT_MAGIC2B &&
	460	+ magic2 != LINUX_REBOOT_MAGIC2C))
	461	+ return -EINVAL;
	462	++ if (!ccs_capable(CCS_SYS_REBOOT))
	463	++ return -EPERM;
	464	+
	465	+ /*
	466	+ * If pid namespaces are enabled and the current task is in a child
	467	+--- linux-3.18-rc1.orig/kernel/sched/core.c
	468	++++ linux-3.18-rc1/kernel/sched/core.c
	469	+@@ -3160,6 +3160,8 @@ int can_nice(const struct task_struct *p
	470	+ SYSCALL_DEFINE1(nice, int, increment)
	471	+ {
	472	+ long nice, retval;
	473	++ if (!ccs_capable(CCS_SYS_NICE))
	474	++ return -EPERM;
	475	+
	476	+ /*
	477	+ * Setpriority might change our priority at the same moment.
	478	+--- linux-3.18-rc1.orig/kernel/signal.c
	479	++++ linux-3.18-rc1/kernel/signal.c
	480	+@@ -2886,6 +2886,8 @@ SYSCALL_DEFINE4(rt_sigtimedwait, const s
	481	+ SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
	482	+ {
	483	+ struct siginfo info;
	484	++ if (ccs_kill_permission(pid, sig))
	485	++ return -EPERM;
	486	+
	487	+ info.si_signo = sig;
	488	+ info.si_errno = 0;
	489	+@@ -2954,6 +2956,8 @@ SYSCALL_DEFINE3(tgkill, pid_t, tgid, pid
	490	+ /* This is only valid for single tasks */
	491	+ if (pid <= 0 \|\| tgid <= 0)
	492	+ return -EINVAL;
	493	++ if (ccs_tgkill_permission(tgid, pid, sig))
	494	++ return -EPERM;
	495	+
	496	+ return do_tkill(tgid, pid, sig);
	497	+ }
	498	+@@ -2970,6 +2974,8 @@ SYSCALL_DEFINE2(tkill, pid_t, pid, int,
	499	+ /* This is only valid for single tasks */
	500	+ if (pid <= 0)
	501	+ return -EINVAL;
	502	++ if (ccs_tkill_permission(pid, sig))
	503	++ return -EPERM;
	504	+
	505	+ return do_tkill(0, pid, sig);
	506	+ }
	507	+@@ -2986,6 +2992,8 @@ static int do_rt_sigqueueinfo(pid_t pid,
	508	+ return -EPERM;
	509	+ }
	510	+ info->si_signo = sig;
	511	++ if (ccs_sigqueue_permission(pid, sig))
	512	++ return -EPERM;
	513	+
	514	+ /* POSIX.1b doesn't mention process groups. */
	515	+ return kill_proc_info(sig, info, pid);
	516	+@@ -3036,6 +3044,8 @@ static int do_rt_tgsigqueueinfo(pid_t tg
	517	+ return -EPERM;
	518	+ }
	519	+ info->si_signo = sig;
	520	++ if (ccs_tgsigqueue_permission(tgid, pid, sig))
	521	++ return -EPERM;
	522	+
	523	+ return do_send_specific(tgid, pid, sig, info);
	524	+ }
	525	+--- linux-3.18-rc1.orig/kernel/sys.c
	526	++++ linux-3.18-rc1/kernel/sys.c
	527	+@@ -171,6 +171,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
	528	+
	529	+ if (which > PRIO_USER \|\| which < PRIO_PROCESS)
	530	+ goto out;
	531	++ if (!ccs_capable(CCS_SYS_NICE)) {
	532	++ error = -EPERM;
	533	++ goto out;
	534	++ }
	535	+
	536	+ /* normalize: avoid signed division (rounding problems) */
	537	+ error = -ESRCH;
	538	+@@ -1207,6 +1211,8 @@ SYSCALL_DEFINE2(sethostname, char __user
	539	+
	540	+ if (len < 0 \|\| len > __NEW_UTS_LEN)
	541	+ return -EINVAL;
	542	++ if (!ccs_capable(CCS_SYS_SETHOSTNAME))
	543	++ return -EPERM;
	544	+ down_write(&uts_sem);
	545	+ errno = -EFAULT;
	546	+ if (!copy_from_user(tmp, name, len)) {
	547	+@@ -1257,6 +1263,8 @@ SYSCALL_DEFINE2(setdomainname, char __us
	548	+ return -EPERM;
	549	+ if (len < 0 \|\| len > __NEW_UTS_LEN)
	550	+ return -EINVAL;
	551	++ if (!ccs_capable(CCS_SYS_SETHOSTNAME))
	552	++ return -EPERM;
	553	+
	554	+ down_write(&uts_sem);
	555	+ errno = -EFAULT;
	556	+--- linux-3.18-rc1.orig/kernel/time/ntp.c
	557	++++ linux-3.18-rc1/kernel/time/ntp.c
	558	+@@ -16,6 +16,7 @@
	559	+ #include <linux/mm.h>
	560	+ #include <linux/module.h>
	561	+ #include <linux/rtc.h>
	562	++#include <linux/ccsecurity.h>
	563	+
	564	+ #include "tick-internal.h"
	565	+ #include "ntp_internal.h"
	566	+@@ -616,10 +617,15 @@ int ntp_validate_timex(struct timex *txc
	567	+ if (!(txc->modes & ADJ_OFFSET_READONLY) &&
	568	+ !capable(CAP_SYS_TIME))
	569	+ return -EPERM;
	570	++ if (!(txc->modes & ADJ_OFFSET_READONLY) &&
	571	++ !ccs_capable(CCS_SYS_SETTIME))
	572	++ return -EPERM;
	573	+ } else {
	574	+ /* In order to modify anything, you gotta be super-user! */
	575	+ if (txc->modes && !capable(CAP_SYS_TIME))
	576	+ return -EPERM;
	577	++ if (txc->modes && !ccs_capable(CCS_SYS_SETTIME))
	578	++ return -EPERM;
	579	+ /*
	580	+ * if the quartz is off by more than 10% then
	581	+ * something is VERY wrong!
	582	+@@ -632,6 +638,8 @@ int ntp_validate_timex(struct timex *txc
	583	+
	584	+ if ((txc->modes & ADJ_SETOFFSET) && (!capable(CAP_SYS_TIME)))
	585	+ return -EPERM;
	586	++ if ((txc->modes & ADJ_SETOFFSET) && !ccs_capable(CCS_SYS_SETTIME))
	587	++ return -EPERM;
	588	+
	589	+ return 0;
	590	+ }
	591	+--- linux-3.18-rc1.orig/net/ipv4/raw.c
	592	++++ linux-3.18-rc1/net/ipv4/raw.c
	593	+@@ -711,6 +711,10 @@ static int raw_recvmsg(struct kiocb *ioc
	594	+ skb = skb_recv_datagram(sk, flags, noblock, &err);
	595	+ if (!skb)
	596	+ goto out;
	597	++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
	598	++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
	599	++ goto out;
	600	++ }
	601	+
	602	+ copied = skb->len;
	603	+ if (len < copied) {
	604	+--- linux-3.18-rc1.orig/net/ipv4/udp.c
	605	++++ linux-3.18-rc1/net/ipv4/udp.c
	606	+@@ -1261,6 +1261,10 @@ try_again:
	607	+ &peeked, &off, &err);
	608	+ if (!skb)
	609	+ goto out;
	610	++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
	611	++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
	612	++ goto out;
	613	++ }
	614	+
	615	+ ulen = skb->len - sizeof(struct udphdr);
	616	+ copied = len;
	617	+--- linux-3.18-rc1.orig/net/ipv6/raw.c
	618	++++ linux-3.18-rc1/net/ipv6/raw.c
	619	+@@ -478,6 +478,10 @@ static int rawv6_recvmsg(struct kiocb *i
	620	+ skb = skb_recv_datagram(sk, flags, noblock, &err);
	621	+ if (!skb)
	622	+ goto out;
	623	++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
	624	++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
	625	++ goto out;
	626	++ }
	627	+
	628	+ copied = skb->len;
	629	+ if (copied > len) {
	630	+--- linux-3.18-rc1.orig/net/ipv6/udp.c
	631	++++ linux-3.18-rc1/net/ipv6/udp.c
	632	+@@ -402,6 +402,10 @@ try_again:
	633	+ &peeked, &off, &err);
	634	+ if (!skb)
	635	+ goto out;
	636	++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
	637	++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
	638	++ goto out;
	639	++ }
	640	+
	641	+ ulen = skb->len - sizeof(struct udphdr);
	642	+ copied = len;
	643	+--- linux-3.18-rc1.orig/net/socket.c
	644	++++ linux-3.18-rc1/net/socket.c
	645	+@@ -1640,6 +1640,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
	646	+ if (err < 0)
	647	+ goto out_fd;
	648	+
	649	++ if (ccs_socket_post_accept_permission(sock, newsock)) {
	650	++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
	651	++ goto out_fd;
	652	++ }
	653	+ if (upeer_sockaddr) {
	654	+ if (newsock->ops->getname(newsock, (struct sockaddr *)&address,
	655	+ &len, 2) < 0) {
	656	+--- linux-3.18-rc1.orig/net/unix/af_unix.c
	657	++++ linux-3.18-rc1/net/unix/af_unix.c
	658	+@@ -1817,6 +1817,10 @@ static int unix_dgram_recvmsg(struct kio
	659	+ wake_up_interruptible_sync_poll(&u->peer_wait,
	660	+ POLLOUT \| POLLWRNORM \| POLLWRBAND);
	661	+
	662	++ if (ccs_socket_post_recvmsg_permission(sk, skb, flags)) {
	663	++ err = -EAGAIN; /* Hope less harmful than -EPERM. */
	664	++ goto out_unlock;
	665	++ }
	666	+ if (msg->msg_name)
	667	+ unix_copy_addr(msg, skb->sk);
	668	+
	669	+--- linux-3.18-rc1.orig/security/Kconfig
	670	++++ linux-3.18-rc1/security/Kconfig
	671	+@@ -167,5 +167,7 @@ config DEFAULT_SECURITY
	672	+ default "yama" if DEFAULT_SECURITY_YAMA
	673	+ default "" if DEFAULT_SECURITY_DAC
	674	+
	675	++source security/ccsecurity/Kconfig
	676	++
	677	+ endmenu
	678	+
	679	+--- linux-3.18-rc1.orig/security/Makefile
	680	++++ linux-3.18-rc1/security/Makefile
	681	+@@ -27,3 +27,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
	682	+ # Object integrity file lists
	683	+ subdir-$(CONFIG_INTEGRITY) += integrity
	684	+ obj-$(CONFIG_INTEGRITY) += integrity/
	685	++
	686	++subdir-$(CONFIG_CCSECURITY) += ccsecurity
	687	++obj-$(CONFIG_CCSECURITY) += ccsecurity/
	688	+--- linux-3.18-rc1.orig/security/security.c
	689	++++ linux-3.18-rc1/security/security.c
	690	+@@ -203,7 +203,10 @@ int security_syslog(int type)
	691	+
	692	+ int security_settime(const struct timespec ts, const struct timezone tz)
	693	+ {
	694	+- return security_ops->settime(ts, tz);
	695	++ int error = security_ops->settime(ts, tz);
	696	++ if (!error && !ccs_capable(CCS_SYS_SETTIME))
	697	++ error = -EPERM;
	698	++ return error;
	699	+ }
	700	+
	701	+ int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
	702	+@@ -280,17 +283,27 @@ int security_sb_statfs(struct dentry *de
	703	+ int security_sb_mount(const char dev_name, struct path path,
	704	+ const char type, unsigned long flags, void data)
	705	+ {
	706	+- return security_ops->sb_mount(dev_name, path, type, flags, data);
	707	++ int error = security_ops->sb_mount(dev_name, path, type, flags, data);
	708	++ if (!error)
	709	++ error = ccs_mount_permission(dev_name, path, type, flags,
	710	++ data);
	711	++ return error;
	712	+ }
	713	+
	714	+ int security_sb_umount(struct vfsmount *mnt, int flags)
	715	+ {
	716	+- return security_ops->sb_umount(mnt, flags);
	717	++ int error = security_ops->sb_umount(mnt, flags);
	718	++ if (!error)
	719	++ error = ccs_umount_permission(mnt, flags);
	720	++ return error;
	721	+ }
	722	+
	723	+ int security_sb_pivotroot(struct path old_path, struct path new_path)
	724	+ {
	725	+- return security_ops->sb_pivotroot(old_path, new_path);
	726	++ int error = security_ops->sb_pivotroot(old_path, new_path);
	727	++ if (!error)
	728	++ error = ccs_pivot_root_permission(old_path, new_path);
	729	++ return error;
	730	+ }
	731	+
	732	+ int security_sb_set_mnt_opts(struct super_block *sb,
	733	+@@ -387,31 +400,47 @@ EXPORT_SYMBOL(security_old_inode_init_se
	734	+ int security_path_mknod(struct path dir, struct dentry dentry, umode_t mode,
	735	+ unsigned int dev)
	736	+ {
	737	++ int error;
	738	+ if (unlikely(IS_PRIVATE(dir->dentry->d_inode)))
	739	+ return 0;
	740	++ error = ccs_mknod_permission(dentry, dir->mnt, mode, dev);
	741	++ if (error)
	742	++ return error;
	743	+ return security_ops->path_mknod(dir, dentry, mode, dev);
	744	+ }
	745	+ EXPORT_SYMBOL(security_path_mknod);
	746	+
	747	+ int security_path_mkdir(struct path dir, struct dentry dentry, umode_t mode)
	748	+ {
	749	++ int error;
	750	+ if (unlikely(IS_PRIVATE(dir->dentry->d_inode)))
	751	+ return 0;
	752	++ error = ccs_mkdir_permission(dentry, dir->mnt, mode);
	753	++ if (error)
	754	++ return error;
	755	+ return security_ops->path_mkdir(dir, dentry, mode);
	756	+ }
	757	+ EXPORT_SYMBOL(security_path_mkdir);
	758	+
	759	+ int security_path_rmdir(struct path dir, struct dentry dentry)
	760	+ {
	761	++ int error;
	762	+ if (unlikely(IS_PRIVATE(dir->dentry->d_inode)))
	763	+ return 0;
	764	++ error = ccs_rmdir_permission(dentry, dir->mnt);
	765	++ if (error)
	766	++ return error;
	767	+ return security_ops->path_rmdir(dir, dentry);
	768	+ }
	769	+
	770	+ int security_path_unlink(struct path dir, struct dentry dentry)
	771	+ {
	772	++ int error;
	773	+ if (unlikely(IS_PRIVATE(dir->dentry->d_inode)))
	774	+ return 0;
	775	++ error = ccs_unlink_permission(dentry, dir->mnt);
	776	++ if (error)
	777	++ return error;
	778	+ return security_ops->path_unlink(dir, dentry);
	779	+ }
	780	+ EXPORT_SYMBOL(security_path_unlink);
	781	+@@ -419,16 +448,24 @@ EXPORT_SYMBOL(security_path_unlink);
	782	+ int security_path_symlink(struct path dir, struct dentry dentry,
	783	+ const char *old_name)
	784	+ {
	785	++ int error;
	786	+ if (unlikely(IS_PRIVATE(dir->dentry->d_inode)))
	787	+ return 0;
	788	++ error = ccs_symlink_permission(dentry, dir->mnt, old_name);
	789	++ if (error)
	790	++ return error;
	791	+ return security_ops->path_symlink(dir, dentry, old_name);
	792	+ }
	793	+
	794	+ int security_path_link(struct dentry old_dentry, struct path new_dir,
	795	+ struct dentry *new_dentry)
	796	+ {
	797	++ int error;
	798	+ if (unlikely(IS_PRIVATE(old_dentry->d_inode)))
	799	+ return 0;
	800	++ error = ccs_link_permission(old_dentry, new_dentry, new_dir->mnt);
	801	++ if (error)
	802	++ return error;
	803	+ return security_ops->path_link(old_dentry, new_dir, new_dentry);
	804	+ }
	805	+
	806	+@@ -436,6 +473,7 @@ int security_path_rename(struct path *ol
	807	+ struct path new_dir, struct dentry new_dentry,
	808	+ unsigned int flags)
	809	+ {
	810	++ int error;
	811	+ if (unlikely(IS_PRIVATE(old_dentry->d_inode) \|\|
	812	+ (new_dentry->d_inode && IS_PRIVATE(new_dentry->d_inode))))
	813	+ return 0;
	814	+@@ -445,8 +483,15 @@ int security_path_rename(struct path *ol
	815	+ old_dir, old_dentry);
	816	+ if (err)
	817	+ return err;
	818	++ err = ccs_rename_permission(new_dentry, old_dentry,
	819	++ old_dir->mnt);
	820	++ if (err)
	821	++ return err;
	822	+ }
	823	+
	824	++ error = ccs_rename_permission(old_dentry, new_dentry, new_dir->mnt);
	825	++ if (error)
	826	++ return error;
	827	+ return security_ops->path_rename(old_dir, old_dentry, new_dir,
	828	+ new_dentry);
	829	+ }
	830	+@@ -454,27 +499,42 @@ EXPORT_SYMBOL(security_path_rename);
	831	+
	832	+ int security_path_truncate(struct path *path)
	833	+ {
	834	++ int error;
	835	+ if (unlikely(IS_PRIVATE(path->dentry->d_inode)))
	836	+ return 0;
	837	++ error = ccs_truncate_permission(path->dentry, path->mnt);
	838	++ if (error)
	839	++ return error;
	840	+ return security_ops->path_truncate(path);
	841	+ }
	842	+
	843	+ int security_path_chmod(struct path *path, umode_t mode)
	844	+ {
	845	++ int error;
	846	+ if (unlikely(IS_PRIVATE(path->dentry->d_inode)))
	847	+ return 0;
	848	++ error = ccs_chmod_permission(path->dentry, path->mnt, mode);
	849	++ if (error)
	850	++ return error;
	851	+ return security_ops->path_chmod(path, mode);
	852	+ }
	853	+
	854	+ int security_path_chown(struct path *path, kuid_t uid, kgid_t gid)
	855	+ {
	856	++ int error;
	857	+ if (unlikely(IS_PRIVATE(path->dentry->d_inode)))
	858	+ return 0;
	859	++ error = ccs_chown_permission(path->dentry, path->mnt, uid, gid);
	860	++ if (error)
	861	++ return error;
	862	+ return security_ops->path_chown(path, uid, gid);
	863	+ }
	864	+
	865	+ int security_path_chroot(struct path *path)
	866	+ {
	867	++ int error = ccs_chroot_permission(path);
	868	++ if (error)
	869	++ return error;
	870	+ return security_ops->path_chroot(path);
	871	+ }
	872	+ #endif
	873	+@@ -587,9 +647,13 @@ EXPORT_SYMBOL_GPL(security_inode_setattr
	874	+
	875	+ int security_inode_getattr(struct vfsmount mnt, struct dentry dentry)
	876	+ {
	877	++ int error;
	878	+ if (unlikely(IS_PRIVATE(dentry->d_inode)))
	879	+ return 0;
	880	+- return security_ops->inode_getattr(mnt, dentry);
	881	++ error = security_ops->inode_getattr(mnt, dentry);
	882	++ if (!error)
	883	++ error = ccs_getattr_permission(mnt, dentry);
	884	++ return error;
	885	+ }
	886	+
	887	+ int security_inode_setxattr(struct dentry dentry, const char name,
	888	+@@ -706,7 +770,10 @@ void security_file_free(struct file *fil
	889	+
	890	+ int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
	891	+ {
	892	+- return security_ops->file_ioctl(file, cmd, arg);
	893	++ int error = security_ops->file_ioctl(file, cmd, arg);
	894	++ if (!error)
	895	++ error = ccs_ioctl_permission(file, cmd, arg);
	896	++ return error;
	897	+ }
	898	+
	899	+ static inline unsigned long mmap_prot(struct file *file, unsigned long prot)
	900	+@@ -772,7 +839,10 @@ int security_file_lock(struct file *file
	901	+
	902	+ int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
	903	+ {
	904	+- return security_ops->file_fcntl(file, cmd, arg);
	905	++ int error = security_ops->file_fcntl(file, cmd, arg);
	906	++ if (!error)
	907	++ error = ccs_fcntl_permission(file, cmd, arg);
	908	++ return error;
	909	+ }
	910	+
	911	+ void security_file_set_fowner(struct file *file)
	912	+@@ -796,6 +866,8 @@ int security_file_open(struct file *file
	913	+ int ret;
	914	+
	915	+ ret = security_ops->file_open(file, cred);
	916	++ if (!ret)
	917	++ ret = ccs_open_permission(file);
	918	+ if (ret)
	919	+ return ret;
	920	+
	921	+@@ -1146,7 +1218,10 @@ EXPORT_SYMBOL(security_unix_may_send);
	922	+
	923	+ int security_socket_create(int family, int type, int protocol, int kern)
	924	+ {
	925	+- return security_ops->socket_create(family, type, protocol, kern);
	926	++ int error = security_ops->socket_create(family, type, protocol, kern);
	927	++ if (!error)
	928	++ error = ccs_socket_create_permission(family, type, protocol);
	929	++ return error;
	930	+ }
	931	+
	932	+ int security_socket_post_create(struct socket *sock, int family,
	933	+@@ -1158,17 +1233,26 @@ int security_socket_post_create(struct s
	934	+
	935	+ int security_socket_bind(struct socket sock, struct sockaddr address, int addrlen)
	936	+ {
	937	+- return security_ops->socket_bind(sock, address, addrlen);
	938	++ int error = security_ops->socket_bind(sock, address, addrlen);
	939	++ if (!error)
	940	++ error = ccs_socket_bind_permission(sock, address, addrlen);
	941	++ return error;
	942	+ }
	943	+
	944	+ int security_socket_connect(struct socket sock, struct sockaddr address, int addrlen)
	945	+ {
	946	+- return security_ops->socket_connect(sock, address, addrlen);
	947	++ int error = security_ops->socket_connect(sock, address, addrlen);
	948	++ if (!error)
	949	++ error = ccs_socket_connect_permission(sock, address, addrlen);
	950	++ return error;
	951	+ }
	952	+
	953	+ int security_socket_listen(struct socket *sock, int backlog)
	954	+ {
	955	+- return security_ops->socket_listen(sock, backlog);
	956	++ int error = security_ops->socket_listen(sock, backlog);
	957	++ if (!error)
	958	++ error = ccs_socket_listen_permission(sock);
	959	++ return error;
	960	+ }
	961	+
	962	+ int security_socket_accept(struct socket sock, struct socket newsock)
	963	+@@ -1178,7 +1262,10 @@ int security_socket_accept(struct socket
	964	+
	965	+ int security_socket_sendmsg(struct socket sock, struct msghdr msg, int size)
	966	+ {
	967	+- return security_ops->socket_sendmsg(sock, msg, size);
	968	++ int error = security_ops->socket_sendmsg(sock, msg, size);
	969	++ if (!error)
	970	++ error = ccs_socket_sendmsg_permission(sock, msg, size);
	971	++ return error;
	972	+ }
	973	+
	974	+ int security_socket_recvmsg(struct socket sock, struct msghdr msg,

--- trunk/1.8.x/ccs-patch/patches/ccs-patch-3.17.diff (revision 6353)

+++ trunk/1.8.x/ccs-patch/patches/ccs-patch-3.17.diff (revision 6354)

		@@ -1,6 +1,6 @@
1		-This is TOMOYO Linux patch for kernel 3.17.
	1	+This is TOMOYO Linux patch for kernel 3.17.1.
2	2
3		-Source code for this patch is https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.17.tar.xz
	3	+Source code for this patch is https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.17.1.tar.xz
4	4	---
5	5	fs/exec.c \| 2
6	6	fs/open.c \| 2

		@@ -29,8 +29,8 @@
29	29	security/security.c \| 111 +++++++++++++++++++++++++++++++++++++++++-----
30	30	25 files changed, 252 insertions(+), 37 deletions(-)
31	31
32		---- linux-3.17.orig/fs/exec.c
33		-+++ linux-3.17/fs/exec.c
	32	+--- linux-3.17.1.orig/fs/exec.c
	33	++++ linux-3.17.1/fs/exec.c
34	34	@@ -1408,7 +1408,7 @@ static int exec_binprm(struct linux_binp
35	35	old_vpid = task_pid_nr_ns(current, task_active_pid_ns(current->parent));
36	36	rcu_read_unlock();

		@@ -40,8 +40,8 @@
40	40	if (ret >= 0) {
41	41	audit_bprm(bprm);
42	42	trace_sched_process_exec(current, old_pid, bprm);
43		---- linux-3.17.orig/fs/open.c
44		-+++ linux-3.17/fs/open.c
	43	+--- linux-3.17.1.orig/fs/open.c
	44	++++ linux-3.17.1/fs/open.c
45	45	@@ -1071,6 +1071,8 @@ EXPORT_SYMBOL(sys_close);
46	46	*/
47	47	SYSCALL_DEFINE0(vhangup)

		@@ -51,8 +51,8 @@
51	51	if (capable(CAP_SYS_TTY_CONFIG)) {
52	52	tty_vhangup_self();
53	53	return 0;
54		---- linux-3.17.orig/fs/proc/version.c
55		-+++ linux-3.17/fs/proc/version.c
	54	+--- linux-3.17.1.orig/fs/proc/version.c
	55	++++ linux-3.17.1/fs/proc/version.c
56	56	@@ -32,3 +32,10 @@ static int __init proc_version_init(void
57	57	return 0;
58	58	}

		@@ -60,12 +60,12 @@
60	60	+
61	61	+static int __init ccs_show_version(void)
62	62	+{
63		-+ printk(KERN_INFO "Hook version: 3.17 2014/10/06\n");
	63	++ printk(KERN_INFO "Hook version: 3.17.1 2014/10/20\n");
64	64	+ return 0;
65	65	+}
66	66	+fs_initcall(ccs_show_version);
67		---- linux-3.17.orig/include/linux/init_task.h
68		-+++ linux-3.17/include/linux/init_task.h
	67	+--- linux-3.17.1.orig/include/linux/init_task.h
	68	++++ linux-3.17.1/include/linux/init_task.h
69	69	@@ -157,6 +157,14 @@ extern struct task_group root_task_group
70	70	# define INIT_RT_MUTEXES(tsk)
71	71	#endif

		@@ -89,8 +89,8 @@
89	89	}
90	90
91	91
92		---- linux-3.17.orig/include/linux/sched.h
93		-+++ linux-3.17/include/linux/sched.h
	92	+--- linux-3.17.1.orig/include/linux/sched.h
	93	++++ linux-3.17.1/include/linux/sched.h
94	94	@@ -6,6 +6,8 @@
95	95	#include <linux/sched/prio.h>
96	96

		@@ -111,8 +111,8 @@
111	111	};
112	112
113	113	/* Future-safe accessor for struct task_struct's cpus_allowed. */
114		---- linux-3.17.orig/include/linux/security.h
115		-+++ linux-3.17/include/linux/security.h
	114	+--- linux-3.17.1.orig/include/linux/security.h
	115	++++ linux-3.17.1/include/linux/security.h
116	116	@@ -53,6 +53,7 @@ struct msg_queue;
117	117	struct xattr;
118	118	struct xfrm_sec_ctx;

		@@ -324,8 +324,8 @@
324	324	}
325	325	#endif /* CONFIG_SECURITY_PATH */
326	326
327		---- linux-3.17.orig/include/net/ip.h
328		-+++ linux-3.17/include/net/ip.h
	327	+--- linux-3.17.1.orig/include/net/ip.h
	328	++++ linux-3.17.1/include/net/ip.h
329	329	@@ -212,6 +212,8 @@ void inet_get_local_port_range(struct ne
330	330	#ifdef CONFIG_SYSCTL
331	331	static inline int inet_is_local_reserved_port(struct net *net, int port)

		@@ -344,8 +344,8 @@
344	344	return 0;
345	345	}
346	346	#endif
347		---- linux-3.17.orig/kernel/fork.c
348		-+++ linux-3.17/kernel/fork.c
	347	+--- linux-3.17.1.orig/kernel/fork.c
	348	++++ linux-3.17.1/kernel/fork.c
349	349	@@ -246,6 +246,7 @@ void __put_task_struct(struct task_struc
350	350	delayacct_tsk_free(tsk);
351	351	put_signal_struct(tsk->signal);

		@@ -372,8 +372,8 @@
372	372	bad_fork_cleanup_perf:
373	373	perf_event_free_task(p);
374	374	bad_fork_cleanup_policy:
375		---- linux-3.17.orig/kernel/kexec.c
376		-+++ linux-3.17/kernel/kexec.c
	375	+--- linux-3.17.1.orig/kernel/kexec.c
	376	++++ linux-3.17.1/kernel/kexec.c
377	377	@@ -41,6 +41,7 @@
378	378	#include <asm/uaccess.h>
379	379	#include <asm/io.h>

		@@ -391,8 +391,8 @@
391	391
392	392	/*
393	393	* Verify we have a legal set of flags
394		---- linux-3.17.orig/kernel/module.c
395		-+++ linux-3.17/kernel/module.c
	394	+--- linux-3.17.1.orig/kernel/module.c
	395	++++ linux-3.17.1/kernel/module.c
396	396	@@ -62,6 +62,7 @@
397	397	#include <linux/bsearch.h>
398	398	#include <uapi/linux/module.h>

		@@ -419,8 +419,8 @@
419	419
420	420	return 0;
421	421	}
422		---- linux-3.17.orig/kernel/ptrace.c
423		-+++ linux-3.17/kernel/ptrace.c
	422	+--- linux-3.17.1.orig/kernel/ptrace.c
	423	++++ linux-3.17.1/kernel/ptrace.c
424	424	@@ -1032,6 +1032,11 @@ SYSCALL_DEFINE4(ptrace, long, request, l
425	425	{
426	426	struct task_struct *child;

		@@ -445,8 +445,8 @@
445	445
446	446	if (request == PTRACE_TRACEME) {
447	447	ret = ptrace_traceme();
448		---- linux-3.17.orig/kernel/reboot.c
449		-+++ linux-3.17/kernel/reboot.c
	448	+--- linux-3.17.1.orig/kernel/reboot.c
	449	++++ linux-3.17.1/kernel/reboot.c
450	450	@@ -16,6 +16,7 @@
451	451	#include <linux/syscalls.h>
452	452	#include <linux/syscore_ops.h>

		@@ -464,8 +464,8 @@
464	464
465	465	/*
466	466	* If pid namespaces are enabled and the current task is in a child
467		---- linux-3.17.orig/kernel/sched/core.c
468		-+++ linux-3.17/kernel/sched/core.c
	467	+--- linux-3.17.1.orig/kernel/sched/core.c
	468	++++ linux-3.17.1/kernel/sched/core.c
469	469	@@ -3119,6 +3119,8 @@ int can_nice(const struct task_struct *p
470	470	SYSCALL_DEFINE1(nice, int, increment)
471	471	{

		@@ -475,8 +475,8 @@
475	475
476	476	/*
477	477	* Setpriority might change our priority at the same moment.
478		---- linux-3.17.orig/kernel/signal.c
479		-+++ linux-3.17/kernel/signal.c
	478	+--- linux-3.17.1.orig/kernel/signal.c
	479	++++ linux-3.17.1/kernel/signal.c
480	480	@@ -2886,6 +2886,8 @@ SYSCALL_DEFINE4(rt_sigtimedwait, const s
481	481	SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
482	482	{

		@@ -522,8 +522,8 @@
522	522
523	523	return do_send_specific(tgid, pid, sig, info);
524	524	}
525		---- linux-3.17.orig/kernel/sys.c
526		-+++ linux-3.17/kernel/sys.c
	525	+--- linux-3.17.1.orig/kernel/sys.c
	526	++++ linux-3.17.1/kernel/sys.c
527	527	@@ -171,6 +171,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
528	528
529	529	if (which > PRIO_USER \|\| which < PRIO_PROCESS)

		@@ -553,8 +553,8 @@
553	553
554	554	down_write(&uts_sem);
555	555	errno = -EFAULT;
556		---- linux-3.17.orig/kernel/time/ntp.c
557		-+++ linux-3.17/kernel/time/ntp.c
	556	+--- linux-3.17.1.orig/kernel/time/ntp.c
	557	++++ linux-3.17.1/kernel/time/ntp.c
558	558	@@ -16,6 +16,7 @@
559	559	#include <linux/mm.h>
560	560	#include <linux/module.h>

		@@ -588,8 +588,8 @@
588	588
589	589	return 0;
590	590	}
591		---- linux-3.17.orig/net/ipv4/raw.c
592		-+++ linux-3.17/net/ipv4/raw.c
	591	+--- linux-3.17.1.orig/net/ipv4/raw.c
	592	++++ linux-3.17.1/net/ipv4/raw.c
593	593	@@ -711,6 +711,10 @@ static int raw_recvmsg(struct kiocb *ioc
594	594	skb = skb_recv_datagram(sk, flags, noblock, &err);
595	595	if (!skb)

		@@ -601,8 +601,8 @@
601	601
602	602	copied = skb->len;
603	603	if (len < copied) {
604		---- linux-3.17.orig/net/ipv4/udp.c
605		-+++ linux-3.17/net/ipv4/udp.c
	604	+--- linux-3.17.1.orig/net/ipv4/udp.c
	605	++++ linux-3.17.1/net/ipv4/udp.c
606	606	@@ -1260,6 +1260,10 @@ try_again:
607	607	&peeked, &off, &err);
608	608	if (!skb)

		@@ -614,8 +614,8 @@
614	614
615	615	ulen = skb->len - sizeof(struct udphdr);
616	616	copied = len;
617		---- linux-3.17.orig/net/ipv6/raw.c
618		-+++ linux-3.17/net/ipv6/raw.c
	617	+--- linux-3.17.1.orig/net/ipv6/raw.c
	618	++++ linux-3.17.1/net/ipv6/raw.c
619	619	@@ -478,6 +478,10 @@ static int rawv6_recvmsg(struct kiocb *i
620	620	skb = skb_recv_datagram(sk, flags, noblock, &err);
621	621	if (!skb)

		@@ -627,8 +627,8 @@
627	627
628	628	copied = skb->len;
629	629	if (copied > len) {
630		---- linux-3.17.orig/net/ipv6/udp.c
631		-+++ linux-3.17/net/ipv6/udp.c
	630	+--- linux-3.17.1.orig/net/ipv6/udp.c
	631	++++ linux-3.17.1/net/ipv6/udp.c
632	632	@@ -402,6 +402,10 @@ try_again:
633	633	&peeked, &off, &err);
634	634	if (!skb)

		@@ -640,8 +640,8 @@
640	640
641	641	ulen = skb->len - sizeof(struct udphdr);
642	642	copied = len;
643		---- linux-3.17.orig/net/socket.c
644		-+++ linux-3.17/net/socket.c
	643	+--- linux-3.17.1.orig/net/socket.c
	644	++++ linux-3.17.1/net/socket.c
645	645	@@ -1642,6 +1642,10 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
646	646	if (err < 0)
647	647	goto out_fd;

		@@ -653,8 +653,8 @@
653	653	if (upeer_sockaddr) {
654	654	if (newsock->ops->getname(newsock, (struct sockaddr *)&address,
655	655	&len, 2) < 0) {
656		---- linux-3.17.orig/net/unix/af_unix.c
657		-+++ linux-3.17/net/unix/af_unix.c
	656	+--- linux-3.17.1.orig/net/unix/af_unix.c
	657	++++ linux-3.17.1/net/unix/af_unix.c
658	658	@@ -1817,6 +1817,10 @@ static int unix_dgram_recvmsg(struct kio
659	659	wake_up_interruptible_sync_poll(&u->peer_wait,
660	660	POLLOUT \| POLLWRNORM \| POLLWRBAND);

		@@ -666,8 +666,8 @@
666	666	if (msg->msg_name)
667	667	unix_copy_addr(msg, skb->sk);
668	668
669		---- linux-3.17.orig/security/Kconfig
670		-+++ linux-3.17/security/Kconfig
	669	+--- linux-3.17.1.orig/security/Kconfig
	670	++++ linux-3.17.1/security/Kconfig
671	671	@@ -167,5 +167,7 @@ config DEFAULT_SECURITY
672	672	default "yama" if DEFAULT_SECURITY_YAMA
673	673	default "" if DEFAULT_SECURITY_DAC

		@@ -676,8 +676,8 @@
676	676	+
677	677	endmenu
678	678
679		---- linux-3.17.orig/security/Makefile
680		-+++ linux-3.17/security/Makefile
	679	+--- linux-3.17.1.orig/security/Makefile
	680	++++ linux-3.17.1/security/Makefile
681	681	@@ -27,3 +27,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_c
682	682	# Object integrity file lists
683	683	subdir-$(CONFIG_INTEGRITY) += integrity

		@@ -685,8 +685,8 @@
685	685	+
686	686	+subdir-$(CONFIG_CCSECURITY) += ccsecurity
687	687	+obj-$(CONFIG_CCSECURITY) += ccsecurity/
688		---- linux-3.17.orig/security/security.c
689		-+++ linux-3.17/security/security.c
	688	+--- linux-3.17.1.orig/security/security.c
	689	++++ linux-3.17.1/security/security.c
690	690	@@ -203,7 +203,10 @@ int security_syslog(int type)
691	691
692	692	int security_settime(const struct timespec ts, const struct timezone tz)

--- branches/editpolicy.diff (nonexistent)

+++ branches/editpolicy.diff (revision 6354)

		@@ -0,0 +1,86 @@
	1	+Index: trunk/1.8.x/ccs-tools/usr_sbin/editpolicy_optimizer.c
	2	+===================================================================
	3	+--- trunk/1.8.x/ccs-tools/usr_sbin/editpolicy_optimizer.c (revision 6333)
	4	++++ trunk/1.8.x/ccs-tools/usr_sbin/editpolicy_optimizer.c (working copy)
	5	+@@ -257,6 +257,42 @@
	6	+ buffer = cp + 1;
	7	+ }
	8	+ w[4] = buffer;
	9	++ if (index != CCS_DIRECTIVE_FILE_EXECUTE)
	10	++ return;
	11	++ if (ccs_domain_def(buffer)) {
	12	++ char *cp = strchr(buffer, ' ');
	13	++ w[1] = buffer;
	14	++ w[4] = "";
	15	++ if (!cp)
	16	++ return;
	17	++ while (*cp) {
	18	++ if (cp++ != ' ' \|\| cp++ == '/')
	19	++ continue;
	20	++ cp -= 2;
	21	++ break;
	22	++ }
	23	++ if (!*cp)
	24	++ return;
	25	++ *cp = '\0';
	26	++ w[4] = cp + 1;
	27	++ } else {
	28	++ char *cp = strchr(buffer, ' ');
	29	++ if (cp)
	30	++ *cp = '\0';
	31	++ if (ccs_correct_path(buffer) \|\| !strcmp(buffer, "keep") \|\|
	32	++ !strcmp(buffer, "reset") \|\|
	33	++ !strcmp(buffer, "initialize") \|\|
	34	++ !strcmp(buffer, "child") \|\| !strcmp(buffer, "parent")) {
	35	++ w[1] = buffer;
	36	++ if (cp)
	37	++ w[4] = cp + 1;
	38	++ else
	39	++ w[4] = "";
	40	++ return;
	41	++ }
	42	++ if (cp)
	43	++ *cp = ' ';
	44	++ }
	45	+ }
	46	+
	47	+ /**
	48	+@@ -375,23 +411,20 @@
	49	+ continue;
	50	+ ccs_tokenize(line, d, d_index);
	51	+ /* Compare condition part. */
	52	+- if (strcmp(s[4], d[4]))
	53	++ if (s[4][0] && strcmp(s[4], d[4]))
	54	+ continue;
	55	+ /* Compare non condition word. */
	56	+- if (0) {
	57	+- FILE *fp = fopen("/tmp/log", "a+");
	58	+- int i;
	59	+- for (i = 0; i < 5; i++) {
	60	+- fprintf(fp, "s[%d]='%s'\n", i, s[i]);
	61	+- fprintf(fp, "d[%d]='%s'\n", i, d[i]);
	62	+- }
	63	+- fclose(fp);
	64	+- }
	65	+ switch (d_index) {
	66	+ struct ccs_path_info sarg;
	67	+ struct ccs_path_info darg;
	68	+ char c;
	69	+ int len;
	70	++ case CCS_DIRECTIVE_FILE_EXECUTE:
	71	++ if (!ccs_compare_path(s[0], d[0]))
	72	++ continue;
	73	++ if (strcmp(s[1], d[1]))
	74	++ continue;
	75	++ break;
	76	+ case CCS_DIRECTIVE_FILE_MKBLOCK:
	77	+ case CCS_DIRECTIVE_FILE_MKCHAR:
	78	+ if (!ccs_compare_number(s[3], d[3]) \|\|
	79	+@@ -409,7 +442,6 @@
	80	+ if (!ccs_compare_number(s[1], d[1]))
	81	+ continue;
	82	+ /* fall through */
	83	+- case CCS_DIRECTIVE_FILE_EXECUTE:
	84	+ case CCS_DIRECTIVE_FILE_READ:
	85	+ case CCS_DIRECTIVE_FILE_WRITE:
	86	+ case CCS_DIRECTIVE_FILE_UNLINK:

旧リポジトリブラウザで表示

TOMOYO Fork

tomoyo: コミット

コミットメタ情報

ログメッセージ

変更サマリ

差分

TOMOYO
Fork