Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-commits
Navigation:
Lists: gentoo-commits: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: gentoo-commits@g.o
From: "Anthony G. Basile" <blueness@g.o>
Subject: proj/hardened-patchset:rsbac commit in: 3.2.19/
Date: Fri, 8 Jun 2012 10:59:26 +0000 (UTC)
commit:     d3f98259e053c7dc27f739281573805c43fddc1e
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Fri Jun  8 10:59:08 2012 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Fri Jun  8 10:59:08 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=d3f98259

RSBAC: bump to 3.2.19 plus pax patches

---
 3.2.19/0000_README                              |    8 +
 3.2.19/4500_patch-linux-3.2.19-rsbac-1.4.6.diff |139197 +++++++++++++++++++++++
 3.2.19/4520-pax-linux-3.2.18-test49.patch       |74368 ++++++++++++
 3 files changed, 213573 insertions(+), 0 deletions(-)

diff --git a/3.2.19/0000_README b/3.2.19/0000_README
new file mode 100644
index 0000000..dc91a63
--- /dev/null
+++ b/3.2.19/0000_README
@@ -0,0 +1,8 @@
+README
+-----------------------------------------------------------------------------
+
+Individual Patch Descriptions:
+-----------------------------------------------------------------------------
+Patch:	4500_patch-linux-3.1.5-rsbac-1.4.6.diff
+From:	Amon Ott <ao@...>
+Desc:	RSBAC patch from http://www.rsbac.org/

diff --git a/3.2.19/4500_patch-linux-3.2.19-rsbac-1.4.6.diff b/3.2.19/4500_patch-linux-3.2.19-rsbac-1.4.6.diff
new file mode 100644
index 0000000..93d80f2
--- /dev/null
+++ b/3.2.19/4500_patch-linux-3.2.19-rsbac-1.4.6.diff
@@ -0,0 +1,139197 @@
+diff --git a/Documentation/rsbac/COPYING b/Documentation/rsbac/COPYING
+new file mode 100644
+index 0000000..7e08278
+--- /dev/null
++++ b/Documentation/rsbac/COPYING
+@@ -0,0 +1,19 @@
++Copyright Notice
++----------------
++
++All RSBAC code is copyrighted by me (Amon Ott) unless specified otherwise,
++and published under the restrictions of the GNU General Public Licence
++as to be read in file COPYING in the main directory of the kernel source tree.
++All statements therein apply fully to all RSBAC sources.
++
++RSBAC is free software; you can redistribute it and/or modify
++it under the terms of the GNU General Public License as published by
++the Free Software Foundation; either version 2 of the License, or
++(at your option) any later version.
++
++This software is distributed in the hope that it will be useful,
++but WITHOUT ANY WARRANTY; without even the implied warranty of
++MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++GNU General Public License for more details.
++
++Amon Ott <ao@...>
+diff --git a/Documentation/rsbac/Changes b/Documentation/rsbac/Changes
+new file mode 100644
+index 0000000..8217276
+--- /dev/null
++++ b/Documentation/rsbac/Changes
+@@ -0,0 +1,683 @@
++RSBAC Changes
++-------------
++1.4.6:
++	- Port everything to kernel 3.1.5
++	- Show process name and parent when logging PROCESS target accesses
++	- Add RSBAC syscalls to get and set UM password history size per
++	  user.
++	- Do not allow to set attributes for FD targets with
++	  sys_rsbac_set_attr()
++
++1.4.5:
++	- Fix symlink's stat() call to return the real symlink size
++	  Fixes program that would assert on stat->s_size being the same size as when using readlink()
++	- Remove use of task_capability_lock.
++	- Fixes FS object hidding for most cases (still experimental)
++	- Backport fixes and internal features from 1.5:
++		- Add generic list option to use a separate kmem cache / slab per list.
++		- Use that option for several lists, general ACI, RC, ACL, UM.
++		- rkmem.h: define RSBAC_MAX_KMALLOC KMALLOC_MAX_SIZE
++		- Do not create our kmem caches with SLAB_DESTROY_BY_RCU, not needed.
++		- Big cleanup of DAZ code.
++		- Make DAZ path subselection by scanners optional, default is on in 1.4.
++		- Change DAZ module filename allocation to fixed size slabs.
++		- Remove rsbac_get_full_path_length(), which is not used anywhere any more.
++		- Use fixed DAZ filename size PATH_MAX, defined in include/linux/limits.h.
++		- DAZ: allocate memory with _unlocked functions where possible.
++		- Put device items into own slabs.
++		- Fix memory leak in case of failed list rehashing.
++	- Fix notification for setuid() etc: move after commit_creds().
++	- In Unix send and receive, use remote peercred.pid, if local is not available.
++	- Fix NULL pointer deref, if sk_socket is unset.
++	- Move SEND and RECEIVE for Unix sockets from net/socket.c to net/unix/af_inet.c.
++	- This makes interception code cleaner and more reliable, specially for named
++	  sockets.
++	- Fix file_p handling in list read functions.
++	- Use mntget() instead of path_get() in rsbac_read_open().
++
++1.4.4:
++	- Port to 2.6.33.2
++	- Fix RC check for CREATE right on new objects.
++	- Backport rsbac_read_open() and rsbac_read_close() fixes from 1.5.
++
++1.4.3:
++	- Depend CONFIG_RSBAC_RC_LEARN on CONFIG_RSBAC_DEBUG.
++	- Show transaction number in learning info messages.
++	- Add transaction names for human use and set names for learn transactions.
++	- Move CREATE checks in rc_main.c into common function rc_check_create() with lea
++	- Fix proc function return types in reg samples.
++	- Remove rsbac_read_lock(), rsbac_write_lock() etc.
++	- Remove rsbac_vmalloc, rsbac_vkmalloc, rsbac_vfree, rsbac_vkfree.
++	- New kernel config RSBAC_SWITCH_BOOT_OFF: 'Allow to switch modules off with kernel parameter'
++	- Join ta_committing and ta_forgetting to ta_committing.
++	- Fix three small memory leaks.
++	- Show program path in CAP learning messages and use INFO level, not DEBUG.
++	- Allow SCD mlock in PM.
++	- Show program path in AUTH learning messages.
++	- When committing or forgetting, lock per list and make other list functions sleep while committing or forgetting.
++	- Optionally put learning mode results into transactions, one per module.
++	- Add global RC learning mode for role rights to types.
++	- Control CAP learning mode switch in CAP module.
++	- Implement CAP learning mode for user and program max_caps.
++	- Move AUTH auth_program_file kernel-only attribute to GEN program_file.
++	- Fix lockup in rehashing, after failing of new hashed struct memory allocation, forgot to spin_unlock. Alloc unlocked instead, better anyway.
++	- Add notes for locking to generic lists.
++	- Store compare results in variable to avoid doing same compare twice.
++	- Only reset curr pointer, if same as removed item (usually the case).
++	- Show rcu_batches_completed() in proc gen_list_counts.
++	- Store nr_hashes in variable, if used after unlocking - might change.
++	- Fix *remove_count(): calling rcu_free on wrong updated pointer, so store.
++	- Do not use count values for checks, can be wrong. Always use head.
++	- Allow rcu rate >= 1 for testing purposes, config help still says 100.
++	- Reorder syscall case struct by frequency of calls (stats from real systems).
++	- Ifdef syscalls for disabled modules instead of returning error in them.
++	- Make RCU rate limit boot and runtime configurable.
++
++1.4.2:
++	- Change generic lists to use RCU instead of rw spinlocks
++	- Show a total of reads and writes in list statistics in gen_lists_count
++	- Disable rsbac attributes store on fuse
++	- Fix RC dev inheritance: Explicitely set minor to 0 before getting major attr
++	- Use Pseudo also for RC ADF debug messages
++	- Use RCU callbacks with a rate limit of 1000/s, use sync, if exceeded, configurable in kernel config
++
++1.4.1:
++	- Support ANY value 255 for NETLINK protocol
++	- Return -EPERM in sys_rsbac_um_check_account, if user does not exist.
++	- Add config option RSBAC_ENFORCE_CLOSE to really deny close, if decided.
++	- Check CLOSE requests in RC.
++	- Add SCD target videomem and kernel attribute pagenr.
++	- Split SCD kmem into kmem and videomem, split hooks in drivers/char/mem.c.
++	- Allow R_MODIFY_SYSTEM_DATA notifications on SCD in adf_check.c.
++	- ext4 secure delete support
++1.4.0:
++	- Added VUM (Virtual User Management) support	
++	- OTP support for UM
++	- Converted the common code to 2.6 only. From now on changes will be 2.6 only as well.
++1.3.5:
++	- Check crypto return codes (2.6) and fixed UM password hashing.
++	- Fix compilation issues for "disable writing to disk". See bug #98.
++	- Safety mesures for inheritence in case of null pointers.
++	- Disable debug message "rsbac_get_parent(): oops - d_parent == dentry_p".
++	- Increase string lengths in user and group items significantly.
++	- Add RSBAC memory slab 384 for new user item sizes.
++	- Do not try to write lists, if device is not writable.
++	- Do not sleep in rsbac_get_vfsmount(), can be called while atomic.
++	- Do not write attributes on Oracle Cluster FS 2 (OCFS2).
++	- Complete hook review.
++1.3.4:
++	- No changes :)
++1.3.3:
++	- Change FD cache counters to 64 Bit to avoid wrapping.
++	- Make FD Cache xstats output look nicer.
++	- Make an adf_request permission check when modyfing capabilities is the new set >> old one.
++	- Copy auth_last_auth on CLONE, gets reset on EXECUTE.
++	- Provide pid and process name in some UM debug output.
++	- 2.6 WARNING: sysrq key 'w' is GONE! no more wake up trigger possible
++1.3.2:
++	- mark FS_OBJ_HIDE as EXPERIMENTAL and depends on it
++	- clean compilation warnings, data types and such.
++	- removed double "ready" message in rsbac_do_init()
++	- disable partner process check for unix socks by default.
++	- Show fd cache hits/misses ratio in xstats. Really inline rsbac_is_initialized().
++	- Change fd cache descriptor to get rid of separate compare function in 2.4 kernels.
++	- Add FD inherited attribute value cache. Hash device list. Allow per-list max_ite
++ms_per_hash.
++	- Change return code in AUTH syscalls to INVALIDATTR, if group or eff/fs support i
++s not compiled in.
++	- port from ex 1.4 trunk: do not intercept PTRACE_DETACH request
++	- rewrite of error handling to be more logical in rsbac_handle_filldir().
++	- Also take partner pid from other on Unix socket stream connects.
++	- Accept syscalls from tools with all versions 1.3.x.
++	- Take partner process on UNIXSOCK CONNECT from other->sk_peercred.
++	- Try to get partner process for UNIXSOCK RECEIVE from other sources, if peercred is not filled.
++	- New error code INVALIDLIST, if list handle is invalid.
++	- New jail flags for syslog jail. 
++	- Extra check before reiserfs secure_delete call.
++	- Fix Dazuko device registration in 2.6. Return INVALIDPOINTER for invalid pointer
++s in some syscalls.
++	- lvm/md automount fix
++	- Fix oops on loop umounts: device was auto-mounted, if there were dirty lists. Ne
++ver auto-mount loop devices.
++	- 
++1.3.1:
++	- Add xstats counter for get_parent calls.
++	- Fix sort order of network templates.
++	- Add missing DAZ request in vector. Add role number in RC syscall denied log message.
++	- Create bitmasks for each module of which requests it is interested in and only call request_xy and set_attr_xy, if necessary.
++	- small performance tunning: removed usage of rsbac_list_compare_u32 (always use memcmp which is asm-tuned per arch)
++	- Reduce stack usage in list, ACL and RC init.
++	- Optimize list hash functions with bit masks instead of % operation.
++	- make sure that rsbac_list_max_hashes and rsbac_list_lol_max_hashes are always potential of 2 and warn the user at configuration time. (127 will round to 64).
++
++1.3.0:
++	- Restarted 1.3 tree from the 1.2.7 release
++	- System call rsbac_version to return numeric version without checking the caller’s version provided to syscall.
++	- JAIL: allow_parent_ipc to allow IPC into parent jail. Useful with Apache mod_jail and others. Needs another process attribute jail_parent
++	- JAIL: add a flag to allow suid/sgid files and dirs.
++	- Optionally check CHANGE_OWNER for PROCESS targets also as CHANGE_OWNER on the new USER. This allows fine grained control also in RC and ACL models.
++	- Change network templates to hold up to 25 ip networks and up to 10 port ranges.
++	- Automatic online resizing of per-list hash table. As list identifiers are pointers to list headers, which must not change, the arrays of list heads are allocated separately and accessed through a pointer.
++	- Change named UNIX sockets to be new filesystem target type T_UNIXSOCK and unnamed to be new IPC type anonunix (like pipes)
++	- RC role def_unixsock_create_type, which overrides the def_(ind_)fd_create_type. Default value use_def_fd.
++	- Change aci, acl and auth devices lists to use RCU on 2.6 kernels
++	- Dazuko udev support
++	- UM password history with configurable length to avoid password reuse.
++	- Update HTML doc in Documentation/rsbac, or point all docs to the website.
++	- Hide dir entries a process has no SEARCH right for
++	- Limit number of items per single list to 50000, so real limit is at 50000 * nr_hashes.
++	- New request type AUTHENTICATE against USER targets. No authentication against RSBAC UM without this right in RC and ACL.
++	- Complete hook review with several small fixes.
++	- More detailed JAIL decision logging for IPC and UNIXSOCK targets with rsbac_debug_adf_jail.
++
++1.2.7:
++	- Use new PaX flags location at current->mm->pax_flags.
++	- Removed remaining non-RSBAC code
++1.2.6:
++	- DAZ Renaming of files from non-scanned to scanned directory
++	  now works correctly (does not cache results from non scanned
++	  as CLEAN - and/but keep INFECTED status if set when moving file
++	  from scanned to non-scanned)
++	- DAZ unscanned files decision is now DO_NOT_CARE instead of
++	  GRANTED
++	- Full pathes returned by RSBAC do not display double
++	  (or more) / with double (or more) mounts anymore.
++	  ex: /home//bob => /home/bob
++	  This allows DAZ path based scanning to function normally.
++	- Fix setting of RC IPC type with def_ipc_create_type.
++	- Added ptrace hook for m32r architecture.
++	- New kthread notification code.
++	- Fix xstats to include GROUP targets.
++	- Mark lists dirty again, if saving failed.
++	- Fix FF to allow file READ (but not READ_OPEN) even with execute_only.
++	- Stop making SEND and RECEIVE requests for STREAM sockets, if
++	  CONFIG_RSBAC_NET_OBJ_RW is not set.
++	- Notify that shm is destroyed only when it really is (thanks rtp).
++	- Minor compile fixes
++
++1.2.5: - AUTH config switch to globally allow setuid to user (real, eff, fs),
++         who started the program. Boot time option and proc setting to enable
++         per uid type.
++       - Show missing Linux caps in JAIL like in CAP.
++       - Change device attribute backup to use a list of attribute objects
++         instead of traversing /dev and possibly missing some.
++       - Device attribute inheritance: Use values at type:major as default for
++         type:major:minor.
++       - Add a generic request directly in sys_ioctl with new request type
++         IOCTL on DEV and NETOBJ target.
++       - Finish ioctl extra interception with GET_STATUS_DATA and
++         MODIFY_SYSTEM_DATA, e.g. for SCSI.
++       - Store remote IP when process accepted its first INET connection as
++         process attribute and pass on to children. Log remote IP in request
++         log.
++       - Symlink redirection based on remote IP.
++       - Optional UM password limits: Min length, non-alpha char required
++       - Fix EINVALIDPOINTER when changing UM password with passwd via
++         pam_rsbac.
++       - Complete system call interception review with additional hooks where
++         necessary. See Interceptions log for details.
++       - Change USER attribute backup to list of known items.
++       - Fix dereference bug related to rsbac_get_parent: set_attr call in
++         do_exec sometimes used file struct after freeing.
++       - Fix 2.6.11 random file not found errors, caused by symlink redirection
++         and ext2/ext3 kernel fs layer violation.
++       - Add CREATE and DELETE notifications in um syscalls.
++       - Make RC apply default_{user|group}_create_type on {USER|GROUP} CREATE.
++       - Configure module switching per module. Only allow switching stateful
++         models on after switching off with extra kernel config switch.
++       - Review all devision modules, whether they decide on all relevant
++         request to target combinations and whether they protect all relevant
++         attributes.
++       - Full review of all interceptions to make them locks safe
++       - Fix initrd problems showing up with the Adamantix kernel
++
++1.2.4: - Per dir FD type RC default_fd_create_type
++       - Full kernel space user management as a replacement for /etc/passwd,
++         /etc/shadow, /etc/group
++       - Add GROUP target type
++       - Change RC copy_role to be allowed with role in admin_roles
++       - Log full program path, get dentry from mappings for this
++       - Make RSBAC remote logging target configurable at boot or runtime.
++         Suppress remote logging, if address or port is 0.
++       - audit_uid: Default value "unset". Set at CHANGE_OWNER away from a uid
++         != 0, kept, inherited to child processes and logged. Allows to log
++         actions of users who did an su etc. Configurable additional uid per
++         program which works like uid 0, e.g. for SSHD privilege separation
++         (new attr auid_exempt).
++       - AUTH protection for Linux group IDs.
++       - New kernel flag: rsbac_softmode_once: Sets softmode, but denies
++         setting it again during runtime. For those systems that for some
++         reason must start in softmode, disable it and do not want to have it
++         set again later.
++       - New kernel flag: rsbac_softmode_never: Disallows setting softmode
++         during this runtime.
++       - Keep last UM authenticated users in a per-process attribute
++         auth_last_auth. Allow processes with auth_may_set_cap flag to set
++         last_auth.
++       - New kernel flag: rsbac_freeze: Disallows all modifying administration
++         in RSBAC syscalls. Added new switch target FREEZE.
++       - Make PaX default flags configurable.
++       - RC check access to UNIX socket partner process
++       - Transaction support for administration: begin, add a set of desired
++         changes, commit atomically or forget.
++       - Add RC copy_type, to be allowed with ADMIN right.
++       - User Management "exclusive mode": Only users and groups known to
++         RSBAC UM can be reached. Kernel parameter and /proc setting to
++         temporarily disable the restrictions.
++       - Randomize UM password salt better
++       - Optionally randomize transaction numbers
++       - Reduce memory consumption of rsbac_do_init.
++       - Further reduce RSBAC's stack usage to prepare for 4 KB kernel stack
++         size.
++       - Password protection for transaction operations refresh, forget, commit
++       - Add hooks with MODIFY_SYSTEM_DATA on SCD network to queueing
++         administration
++       - Warn explicitely, if CAP max_caps do not get applied because of
++         running in softmode.
++       - Update Dazuko interface to 2.0.5
++       - Update defconfig in all archs 
++       - ACLs for Users and Linux groups
++       - Extend AUTH auth_may_setuid flag with values last_auth_only and
++         last_auth_and_gid to allow last authenticated uid to be reached.
++         The second allows all group ids, too, because you cannot auth for
++         them. No longer add process cap at UM authentication, but rather
++         check at CHANGE_OWNER with last_auth process attribute.
++       - Fix severe Oopses when forgetting transactions with lists of lists.
++       - Optionally log all denied calls to capable() function with
++         CONFIG_RSBAC_CAP_LOG_MISSING 
++
++1.2.3: - Port to linux kernel 2.6.0-test with LSM
++       - New JAIL flag allow_clock for ntpd encapsulation
++       - Removed LSM support (see http://rsbac.org/documentation/why_rsbac_does_not_use_lsm).
++       - Global AUTH learning mode
++       - AUTH cap inheritance from parent dir (single step only, not
++         accumulated)
++       - RC pretty-print config output
++       - Remove 2.2 kernel support.
++       - Improve AUTH learning mode to use special value for same user
++       - Trigger AUTH learning mode per program
++       - Show type, name and mode of new object in T_DIR/CREATE request log. 
++       - Statix PaX support decision module
++       - Faked (root) user ID in ''getuid()'' to make stupid programs with uid
++         checks happy.
++       - Full log separation between syslog and RSBAC log, also for debug
++         messages (except rsbac_debug_aef). RSBAC now really shuts up, if
++         rsbac_nosyslog is set, and sends everything to RSBAC own log only.
++       - ACL learning mode for user rights to filesystem objects, parameter
++         rsbac_acl_learn
++       - New RC syscall to get current role
++       - mac_trusted_for_user with list instead of single user.
++       - Block fchdir outside the jail, if some stupid program opened a dir,
++         called rsbac_jail() and then called fchdir(). Done by simply closing
++         all open dirs after rsbac_jail() called chroot.
++       - Fixed some JAIL bugs found, all relevant chroot items from regression
++         suite solved. Not urgent enough and too many changes to make a 1.2.2
++         bugfix.
++       - Added JAIL Linux Capability restriction
++       - Dazuko integration as fixed module, as replacement for MS module
++       - Dazuko result caching with generic lists (as in old MS module)
++       - AUTH special value for eff and fs uid (thanks to Arnout Engelen)
++       - New optional rsbac_jail parameter max_caps, which limits the Linux
++         capabilities of all processes in the jail
++       - Optionally hide process ids without GET_STATUS_DATA in /proc/
++         dir listing
++       - /proc/rsbac-info/active to get current version and list of active
++         modules: One line each for version, mode: Secure/Softmode/Maintenance,
++         softmode: available/unavailable and one line per module: on/softmode/off
++       - Solve the new "kernel complains about vmalloc with lock" uglyness:
++         removed all vmalloc use in 2.6 kernels, too many workarounds needed.
++       - Protect sysfs objects in 2.6 kernels
++       - Added three real life example REG modules to rsbac/adf/reg,
++         contributed by Michal Purzynski
++       - Changed DEV list descriptor to be compatible between 2.4 and 2.6
++         kernels
++       - Added RC types and compatibility settings for USER targets
++       - Allow to set a different RC boot role than that of user root
++       - Add RC process type for kernel threads
++
++1.2.2: - Added ms_need_scan attribute for selective scanning
++       - MS module support for F-Protd as scanning engine
++       - ms_need_scan FD attribute for selective scanning
++       - JAIL flag allow_inet_localhost to additionally allow to/from
++         local/remote IP 127.0.0.1
++       - RSBAC syscall version numbers
++       - New RES module with minimum and maximum resource settings for
++         users and programs
++       - Moved AUTH module to generic lists with ttl
++       - Added new requests CHANGE_DAC_(EFF|FS)_OWNER on PROCESS targets
++         for seteuid and setfsuid (configurable)
++       - Added caps and checks for effective and fs owner to AUTH module
++         (optional)
++       - Changed behaviour on setuid etc.: Notification is always sent, even
++         if the uid was set to the same value. This allows for restricted RC
++         initial roles with correct role after setuid to root.
++       - New Process Hiding feature in CAP module
++       - Delayed init for initial ramdisks: delay RSBAC init until the first
++         real device mount.
++       - rsbac_init() syscall to trigger init by hand, if not yet
++         initialized - can be used with e.g. rsbac_delayed_root=99:99, which
++         will never trigger init automatically.
++       - MS module support for clamd as scanning engine.
++       - Almost complete reimplementation of the MAC model with many new
++         features.
++       - New system role 'auditor' for most models, which may read and flush
++         RSBAC own log.
++
++1.2.1: - Added support for all other architectures.
++       - Cleaned up rsbac syscall filesystem name lookup and target type
++         checks.
++       - New module JAIL: preconfigured process encapsulation (see kernel
++         config help).
++
++1.2.0: - Moved most lists to generic lists, splitting up between modules on
++         the way (GEN = general for all modules).
++       - DS for each module only included, if module is compiled in.
++       - New Linux Capabilities (CAP) module
++       - Split system_role into mac_role, fc_role, etc. Please do not use
++         old A_system_role attribute any longer.
++       - Changed rsbac_get/set_attr interface to include target module
++       - Added module guessing from attribute into sys_rsbac_get/set_attr,
++         if module is not given (value SW_NONE).
++       - Added user and RC role based symlink redirection
++       - Added network and firewall config protection as SCD network and
++         firewall targets
++       - Added NETDEV, NETTEMP and NETOBJ targets for network access control.
++       - Added network templates for default NETOBJ attribute values
++       - Renamed /rsbac dir to /rsbac.dat to avoid name conflicts.
++       - RC model with unlimited roles and types
++       - Selective dir tree disabling of Linux DAC
++       - Generic list ordering (needed for templates and optimization)
++       - List optimization
++       - Generic time-to-live support in generic lists (new on-disk version)
++       - Support time-to-live for ACL group members and ACL entries
++       - copy_net_temp
++       - Individual module soft mode
++       - Support time-to-live for RC entries
++       - Backport to 2.2.20
++
++1.1.2: - Own RSBAC memory allocation functions. Own RSBAC mem slabs in 2.4
++         kernels.
++       - Generic lists - simply register your list item sizes with filename
++         and persist flag, and a persistent list will be kept for you.
++       - Generic lists of lists, two level version.
++       - Moved pm_data_structures.c to new lists with proc backup files
++         Attention: There is no auto-update from older versions possible!
++       - proc backup files for RC and ACL are now optional
++       - New proc subdir pm, replaces old write_list call
++       - rsbac_pm write_list call removed
++       - New FD aci version with new rc_initial_role and 16 bit ff_flags
++       - New FF flag append_only, which limits all write accesses to
++         APPEND_OPEN and WRITE
++       - Fix for rename hole: rename could replace and thus delete an
++         existing file without DELETE check. Also performs secure_delete, if
++         necessary
++       - New rsbac_mount hook in change_root for initial ramdisk
++       - Fixed missing Linux check in bad_signal
++       - Added optional switch rsbac_dac_disable to disable Linux filesystem
++         access control
++       - Added count support for multiple mounts
++       - Added optional switch rsbac_nosyslog to temporarily disable logging
++         to syslog
++       - Added config option for DEBUG code
++
++1.1.1: - New target type FIFO, with a lot of cleanup, e.g. IPC type fifo
++         removed
++       - MAC module reworked, including MAC-Light option
++       - Several bugfixes
++       - Port to 2.4.0, 2.4.1 and 2.4.2
++       - New Makefiles with lists for 2.4 and without for 2.2 kernels
++         (Thanks to Edward Brocklesby for samples)
++       - init process default ACI now partly depends on root's ACI
++       - Optional interception of sys_read and sys_write.
++         Attention: you might have to add READ and WRITE rights to files,
++         fifos, dirs and sockets first, if upgrading from an older version
++       - REG overhaul. Now you can register syscall functions, everything is
++         kept in unlimited lists instead of arrays and registering is
++         versioned to allow for binary module shipping with REG version
++         checks.
++       - Inheritance is now fixed, except for MAC model
++       - MAC: optional inheritance, new option Smart Inheritance that tries
++         to avoid new attribute objects (see config help)
++       - New soft mode option: all decisions and logging are performed, but
++         DO_NOT_CARE is returned to enforcement. Off by default. See config
++         help for details.
++       - Optional initialization in extra rsbac_initd thread.
++
++1.1.0: - Port to 2.4.0-test11
++       - Interception of sys_mmap and sys_mprotect added. Now execution of
++         library code requires EXECUTE privilege on the library file, and
++         setting non-mmapped memory to EXEC mode requires EXECUTE on target
++         NONE.
++       - MAC Light option by Stanislav Ievlev added. See kernel config help or
++         modules.htm.
++
++1.0.9c:
++       - Port to 2.4.0-test{[789]|10}, this means major changes to the lookup and
++         inheritance code - of course #ifdef'd
++       - Change string declarations to kmalloc. On the way moved
++         MAX_PATH_LEN restriction from 1999 to max_kmalloc - 256
++         (>127K).
++       - Renamed several PM xy.class to xy.object_class for C++
++         compatibility
++       - Added SCD type ST_kmem
++       - Changed rc_force_role default to rc_role_inherit_parent,
++         terminated at root dir with old default rc_role_inherit_mixed.
++         This makes it much easier to keep a dir of force-roled binaries.
++1.0.9b:
++       - Port to 2.3.42 - 2.3.99-pre3
++       - Port to 2.2.14 - 2.2.16
++       - 32 Bit Uid/Gid with new attribute versions
++       - User and program based logging
++       - AUTH capability ranges
++       - Made write to MSDOS fs a config option, so use it on your own risk
++         (see config help)
++       - MAC levels 0-252
++       - Added config option for ioport access (X support)
++      
++1.0.9a:
++       - Added group management to ACL module.
++       - Removed CONFIG_RSBAC_SYNC option.
++       - Added module hints to logging
++       - Added RC separation of duty (see models.htm)
++       - Added RC force role inherit_up_mixed and made it default setting
++
++1.0.9: - Added registration of additional decision modules (REG)
++       - Wrote decision module examples (see README-reg and reg_samples dir)
++       - Port to 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.2.12 (pre versions)
++       - Heavily changed RC model: Now it has a distinguished role-to-type
++         compatibility setting for each request type, instead of one setting
++         for all request types. This allows for much finer grained access
++         control.
++         Unfortunately there was no way to update existing role settings,
++         so those have to be reentered by hand. Still, the types entries are
++         kept.
++       - Set all MSDOS based file systems to read-only, because inode
++         numbers are likely to change between boots.
++       - Added Access Control List module. ACLs are kept on FILE, DIR,
++         DEV, IPC, SCD and PROCESS targets (IPC and PROCESS have only
++         one default ACL each). Each entry contains subject type (user,
++         rc_role, group), subject id and the rights this subject has. Also,
++         rights are inherited from parents and from a target specific default
++         ACL.
++         See html/models.htm for details.
++       - Added optional full path logging.
++
++1.0.8a:
++       - Port to 2.2.7
++       - File Flag no_execute added to prevent execution, e.g. of user
++         binaries under /home tree. Can be circumvented by scripts via
++         'interpreter scriptname'.
++
++1.0.8: - Port to 2.2.1
++       - Added /proc/rsbac-info/backup to provide an easier means of backup
++         for not device dependent stuff. To be extended.
++       - Added new Role Compatibility (RC) module.
++       - New on-disk binary layout, auto update from all versioned data
++         (1.0.5 upwards).
++       - AUTH module added to support proper authentification by enforcing
++         externally granted CHANGE_OWNER capabilities.
++       - Save to disk inconsistency in PM sets fixed.
++       - MAC categories added, but limited to a fixed number of 64. Apart
++         from that, the MAC module categories are as proposed in the
++         Bell-LaPadula model.
++       - Port to 2.2.2
++       - Port to 2.2.3 with minor changes
++       - Port to 2.2.4
++       - Port to 2.2.5
++
++1.0.7a:
++       - Added alpha support (with Shaun Savage). Has different storage sizes,
++         so default useraci does not work and you need a maint kernel.
++       - Added new error detection features for file/dir entries.
++       - Increasing of NR_FD_LISTS is now handled differently for error
++         detection reasons. See README-nrlists.
++       - Marked init functions as __init - though saving a few KB doesn't
++         make such a big difference while using RSBAC... ;)
++       - Fixed memory leaks in write_*_list while introducing vmalloc for
++         large lists. The number of file/dir lists is now only a matter of
++         performance and available memory.
++       - Added two flags to File Flags
++       - Port to 2.2.0-pre6
++       - Added secure deletion/truncation, needs a config switch to be
++         enabled. If on, all files marked with (inheritable) FF-flag
++         secure_delete and all files marked as PM-personal data are zeroed on
++         deletion and truncation - if the regarding modules are switched on.
++
++1.0.7: - Port to 2.1.131
++       - Added more fs types to non-writable: smbfs, ncpfs, codafs - so
++         there should be no writing on network mounts (unfortunately there
++         is no afs SUPER_MAGIC)
++       - Added configuration option NO_DECISION_ON_NETMOUNTS, which
++         additionally turns off all decisions for all these fs, so that
++         they are completely ignored
++       - Added attribute inheritance: Some attributes for files and dirs
++         have a special value 'inherit'. If this is set, the value of the
++         parent dir's attribute is used instead. This mechanism ends on
++         fs boundaries - each fs root dir gets old style standard values,
++         if attribute is set to 'inherit'.
++         Currently security_level, object_category and data_type are
++         inheritable.
++       - Added configuration option DEF_INHERIT. If set, default values for
++         inheritable attributes are *inherit, rather than the old default.
++         This option setting should not differ between different RSBAC
++         kernels to avoid deeper confusion for administrators and
++         rsbac_check().
++       - To support inheritance, added parameter inherit to both get_attr
++         system calls. If on, the effective (possibly inherited) value is
++         returned, if off, the real value is returned.
++       - Corrected a security hole in receiving from / sending via datagram
++         sockets (thanks to Simone). Now a read/append open and a close
++         request are done for every datagram (if net support is configured,
++         as usual).
++         Attention: Programs that open an UDP socket as one user (e.g. root)
++                    and then setuid to another (e.g. bin) may not be able
++                    to access that socket, if the new user has insufficent
++                    rights! (see config help)
++         Checking of net access can as before be turned on/off via
++         CONFIG_RSBAC_NET.
++       - Worked on rsbac_check(). Is more stable now, but should only be
++         called under maximum of moderate load.
++
++1.0.6: - Moved to 2.1.128
++       - Cleaned up old includes in syscalls.c
++       - Added RSBAC own logging in /proc/rsbac-info/rmsg, to be accessed
++         by modified klogd or sys_rsbac_log, restricted by most modules to
++         security officers.
++         Additionally, logging to standard syslog can be turned off to hide
++         security relevant log from all but those with explicit access.
++       - Added module File Flags with attribute ff_flags for FILE/DIR
++         targets
++       - Added auto-update of last version attributes (only FD changed
++         though)
++       - Changed ms_trusted from boolean to tristate: non-trusted, read,
++         full
++       - Fixed rm -r hang bug
++       - Added consistency check for RSBAC items, which can remove items for
++         deleted inodes (ext2 only) and entries containing only default
++         values (FILE/DIR targets only). It also recalculates item counts.
++       - Added sys_rsbac_check to trigger this check.
++
++1.0.5:
++       - Rewrote most of attribute saving to disk. Now disk writing is never
++         done with a spinlock held, increasing stability significantly
++         (is this a taboo? if yes, where is it documented?)
++       - Changed write-to-disk behaviour: The old immediate write is no
++         longer default, but optional (CONFIG_RSBAC_SYNC_WRITE). Instead,
++         sys_rsbac_write can be used from user space or a kernel daemon can
++         be activated to write changes automatically every n seconds
++         (CONFIG_RSBAC_AUTO_WRITE)
++       - Added kernel param rsbac_debug_auto for the daemon - gives a good
++         overview of attribute change rate
++       - Added proc interface for statistics and many RSBAC settings
++       - Added rsbac_adf_request calls MODIFY_SYSTEM_DATA to sysctl.c
++       - Wrote man pages for all RSBAC syscalls (in Documentation/rsbac/man)
++       - Added version information and check for all file/dir/dev aci and
++         for log_levels
++       - Added some more scan strings to Malware Scan module, had to change
++         string representation to a more general way
++
++1.0.4:
++       - Port via 2.1.115 and 2.1.124 to 2.1.125
++       - IPC targets: changed ids for sockets from pid/fd combination to
++         pointer to sock structure, including (many) changes in the
++         handling.
++       - Added socket level scanning (tcp and udp) to module Malware Scan.
++         This feature can stop malware while still being transferred to
++         your system. Added new attributes for IPC, process and file/dir
++         targets to manage socket scan.
++       - Reordered configuration options
++       - Added CONFIG_RSBAC_NO_WRITE to totally disable writing to disk for
++         testing purposes and kernel parameter rsbac_debug_no_write to
++         temporarily disable disk writing 
++       - Added CONFIG_RSBAC_*_ROLE_PROTection for all role dependant
++         modules: Now change-owner (setuid etc.) can be restricted between
++         users with special roles - see configuration help for details
++       - Some more bugfixes, mostly to decision modules
++
++1.0.4-pre2:
++       - Port to 2.1.111
++       - Attribute mac_trusted_for_user added to FILE aci. Value meanings:
++         RSBAC_NO_USER (-3): program is not MAC-trusted
++         RSBAC_ALL_USERS (-4): program is MAC-trusted for all users
++         other user-ID: program is MAC-trusted, if invoked by this user
++         Especially the last is useful for daemon programs that can be
++         started by all users.
++         Init process is checked, too, but is MAC-trusted by default.
++       - Syscalls rsbac_mac_set/get_max_seclevel added. Now a process can
++         reduce its own maximum security level. Useful for wrapper daemons
++         like inetd after forking and before invoking another program.
++       - Object dependent logging #ifdef'd with configuration option.
++       - Configuration option 'Maintenance Kernel' added. Disables all other
++         options.
++       - removed CONFIG_RSBAC_ADMIN and rsbac_admin() stuff - now we have
++         capabilities, and there is no suser() anymore to extend
++       - changed locking for Data Structures component from semaphores to
++         read/write spinlocks
++       - added (U)MOUNT requests for target DEV to sys_(u)mount. Now both
++         target dir and device are checked for access (MAC: dir: read-write,
++         dev: depending on mount mode read or read-write). Note: After
++         mount, all file/dir accesses on this device are checked as usual.
++       - Moved checks for valid request/target combinations from MAC module
++         to extra functions in rsbac/adf/check.c.
++
++1.0.3: - Target DEV added. Now devices can get their own attributes based
++         on major/minor numbers. Attributes based on their file representations
++         in /dev are no longer used for open, but still for all other calls.
++         MAC decisions on open requests for devices must be explicitely enabled
++         by mac_check to keep system bootable.
++         Short rule: Only if contents is accessed, DEV attributes apply.
++       - Attribute object_type removed, was not used anyway and maintained in
++         linux structures.
++       - Attributes log_array_low and log_array_high for FILE/DIR/DEV added,
++         providing individial request based logging for those objects.
++       - PM module: if DEV is personal_data, neccessary access is checked
++         for new class DEV (can be changed to custom class)
++       - A couple of minor bugfixes done
++
++1.0.2A: - Port to 2.0.34
++        - A few #ifdef CONFIG_RSBAC_USE_RSBAC_OWNER were missing, causing
++          error messages "rsbac_set/get_attr returned error" -> added
++
++
++13/Jun/2001
++Amon Ott <ao@...>
+diff --git a/Documentation/rsbac/Credits b/Documentation/rsbac/Credits
+new file mode 100644
+index 0000000..7f5921a
+--- /dev/null
++++ b/Documentation/rsbac/Credits
+@@ -0,0 +1,18 @@
++Credits
++-------
++
++You can find information about the RSBAC team on: <http://rsbac.org/contact>
++
++Credits for many patches showing bugs and possible fixes and lots of good
++ideas go to many people. We cannot recall them all so only a few are included
++here, if you are missing let us know :)
++
++  - 'Our Russian RSBAC Team',
++  - AltLinux with their AltLinux Castle distribution.
++  - Adamantix
++  - rtp, addobie, and the people from #rsbac[-dev]
++
++Also, there are several people doing lots of helpful promotion, too many to
++name them here. Their part cannot be rated too low.
++
++The RSBAC team.
+diff --git a/Documentation/rsbac/INSTALL b/Documentation/rsbac/INSTALL
+new file mode 100644
+index 0000000..6c6f9fe
+--- /dev/null
++++ b/Documentation/rsbac/INSTALL
+@@ -0,0 +1,18 @@
++RSBAC INSTALL
++=============
++
++Installation from a RSBAC tarball
++---------------------------------
++
++You probably already untar'ed the rsbac-x.y.z.tar.gz archive. You can safely
++untar this archive into your kernel main directory, or copy all files there
++- no file should be overwritten.
++
++To get RSBAC working, you must then patch the kernel using an RSBAC kernel
++patch patch-x.y.z-va.b.c.bz2, matching your kernel version. In kernel main dir
++call
++bzip2 -dc patch-x.y.z-va.b.c.bz2 | patch -p1 &>perr
++After patching, everything should be in place and a log should be in perr.
++
++If your kernel version is not supported, check at
++<http://www.rsbac.org/download> for newer patch files.
+diff --git a/Documentation/rsbac/Interceptions-2.4 b/Documentation/rsbac/Interceptions-2.4
+new file mode 100644
+index 0000000..e279865
+--- /dev/null
++++ b/Documentation/rsbac/Interceptions-2.4
+@@ -0,0 +1,97 @@
++Interceptions for access decisions (AEF) in RSBAC 1.2.5 for 2.4.30:
++(ordered as in asm-i386/unistd.h)
++
++Not necessary:
++sys_waitpid, sys_time, sys_lseek, sys_getpid, sys_alarm, sys_pause,
++sys_sync, sys_getuid, sys_alarm, sys_ftime, sys_dup, sys_times, sys_brk,
++sys_getgid, sys_signal, sys_geteuid, sys_getegid, sys_olduname, sys_umask,
++sys_ustat, sys_dup2, sys_getppid, sys_getpgrp, sys_setsid, sys_sigaction,
++sys_sgetmask, sys_ssetmask, sys_sigsuspend, sys_sigpending, sys_getrlimit,
++sys_getrusage, sys_gettimeofday, sys_getgroups, sys_select, sys_munmap,
++sys_getpriority, sys_setitimer, sys_getitimer, sys_uname, sys_vhangup,
++sys_vm86old, sys_wait4, sys_sysinfo, sys_fsync, sys_sigreturn, sys_newuname,
++sys_modify_ldt, sys_sigprocmask, sys_get_kernel_syms(? - see discussion),
++sys_sysfs, sys_personality, sys__llseek, sys_newselect, sys_flock,
++sys_msync, sys_fdatasync, sys_mlock, sys_munlock, sys_mlockall,
++sys_munlockall, sys_sched_getparam, sys_sched_getscheduler, sys_sched_yield,
++sys_sched_get_priority_max, sys_sched_get_priority_min,
++sys_sched_rr_get_interval, sys_nanosleep, sys_mremap, sys_getresuid,
++sys_vm86, sys_poll, sys_getresgid, sys_prctl, sys_rt_sigreturn,
++sys_rt_sigaction, sys_rt_sigprocmask, sys_rt_sigpending,
++sys_rt_sigtimedwait, sys_rt_sigqueueinfo, sys_rt_sigsuspend, sys_getcwd,
++sys_sigaltstack, sys_ugetrlimit, sys_getuid32, sys_getgid32, sys_geteuid32,
++sys_getegid32, sys_getgroups32, sys_getresuid32, sys_getresgid32,
++sys_mincore, sys_madvise, sys_gettid, sys_readahead, sys_setxattr,
++sys_munlockl, sys_munlockall
++
++Not implemented in this kernel:
++sys_ftime, sys_break, sys_stty, sys_gtty, sys_prof, sys_lock, sys_mpx,
++sys_ulimit, sys_profil, sys_idle, sys_afs_syscall, sys_getpmsg,
++sys_putpmsg, sys_security (used by RSBAC where available)
++
++Intercepted:
++sys_exit, sys_fork, sys_read, sys_write, sys_open, sys_close, sys_creat,
++sys_link, sys_unlink, sys_execve, sys_chdir, sys_mknod, sys_chmod,
++sys_lchmod, sys_oldstat, sys_mount, sys_umount (= oldumount), sys_setuid,
++sys_stime, sys_ptrace, sys_oldfstat, sys_utime, sys_access, sys_nice (if
++priority is raised), sys_rename, sys_mkdir, sys_rmdir, sys_setgid, sys_acct
++(APPEND_OPEN on file), sys_umount2 (= umount), sys_ioctl (socket_ioctl,
++tty_ioctl (tiocsti)), sys_fcntl (except locking - see discussion),
++sys_setpgid, sys_chroot, sys_setreuid, sys_setregid, sys_sethostname,
++sys_setrlimit, sys_settimeofday, sys_setgroups, sys_symlink, sys_oldlstat,
++sys_readlink, sys_uselib, sys_swapon, sys_reboot, sys_readdir,
++sys_mmap (for MAP_EXEC), sys_truncate, sys_ftruncate, sys_fchmod,
++sys_fchown, sys_setpriority, sys_statfs, sys_fstatfs, sys_ioperm,
++sys_socketcall, sys_stat, sys_lstat, sys_fstat, sys_iopl, sys_swapoff,
++sys_ipc, sys_clone, sys_setdomainname, sys_adjtimex, sys_mprotect, 
++sys_create_module, sys_init_module, sys_delete_module, 
++sys_getpgid, sys_fchdir, sys_setfsuid, sys_setfsgid, sys_vfsreaddir,
++sys_readv, sys_writev, sys_getsid, sys_sysctl, sys_setresuid, 
++sys_setresgid, sys_pread, sys_pwrite, sys_chown, sys_capget, sys_capset,
++sys_vfork, sys_mmap2, sys_truncate64, sys_ftruncate64, sys_stat64,
++sys_lstat64, sys_fstat64, sys_lchown32, sys_setreuid32, sys_setregid32,
++sys_setgroups32, sys_fchown, sys_setresuid32, sys_setresgid32,
++sys_chown32, sys_setuid32, sys_setgid32, sys_setfsuid32, sys_setfsgid32,
++sys_pivot_root, sys_getdents64, sys_fcntl64, sys_tkill, sys_sendfile64,
++
++
++Found missing in 1.2.4-bf5 and intercepted in 1.2.5-pre:
++ptrace (on sparc and sparc64), ioctl: BRCTL* (bridging control),
++sys_reboot: add reboot_cmd parameter to see command in log,
++sys_mount: lookback mounts in do_loopback(),
++sys_mount: move mounts in do_move_mounts(),
++sys_socketcall (sys_socketpair, sys_setsockopt, sys_getsockopt,
++sys_getsockname, sys_getpeername),
++sys_getxattr, sys_lgetxattr, sys_fgetxattr, sys_setxattr, sys_lsetxattr,
++sys_fsetxattr, sys_listxattr, sys_llistxattr, sys_flistxattr,
++sys_removexattr, sys_lremovexattr, sys_fremovexattr,
++sys_quotactl (new SCD quota), sys_bdflush, sys_sched_setparam,
++sys_sched_setscheduler, sys_query_module, sys_nfsservctl, sys_sendfile,
++NETLINK sockets (additional IP addresses, routing, firewall, tcpdiag, rules),
++sys_ioctl: fs/ext[3]2/ioctl.c:ext[23]_ioctl(), sys_pipe,
++sys_ioctl: drivers/ide/ide.c:ide_ioctl(),
++sys_ioctl: tty_ioctl,
++sys_fcntl: fs/fcntl.c:do_fcntl(): Control file locking,
++sys_flock: fs/locks.c:sys_flock(): Control file advisory locking,
++sys_get_kernel_syms: kernel/module.c: SCD ksyms, same for /proc/ksyms,
++sys_mlock, sys_mlockall: SCD mlock,
++sys_swapon: Also check access to the device as ADD_TO_KERNEL and
++REMOVE_FROM_KERNEL
++
++Not yet intercepted, for discussion:
++
++- netlink-sockets: iptables_ULOG, decnet, ipv6
++
++Other notes:
++- Added SCD target sysctl, now used by sys_sysctl and /proc/sys instead of
++  non-intuitive ST_other
++
++- Added SCD target nfsd for kernel NFS server control
++
++- Added IPC type anonpipe, used by anonymous T_FIFO (if inode on PIPEFS)
++
++- Added requests GET_STATUS_DATA, GET_PERMISSIONS_DATA, MODIFY_PERMISSIONS_DATA,
++  SEND for target type DEV
++
++- JAIL module: generally deny read, write, GET_STATUS_DATA and MODIFY_SYSTEM_DATA
++  accesses to devices, flags to allow
+diff --git a/Documentation/rsbac/Interceptions-2.6 b/Documentation/rsbac/Interceptions-2.6
+new file mode 100644
+index 0000000..bac1409
+--- /dev/null
++++ b/Documentation/rsbac/Interceptions-2.6
+@@ -0,0 +1,330 @@
++Interceptions for access decisions (AEF) in RSBAC for the kernel 2.6 as of 2.6.23.13:
++to check against LSM interceptions:
++egrep "static inline (.*) security_" include/linux/security.h |cut -d ' ' -f4|cut -d '(' -f1
++
++#define __NR_restart_syscall      0
++#define __NR_exit		  1 *
++#define __NR_fork		  2 *
++#define __NR_read		  3 *
++#define __NR_write		  4 * 
++#define __NR_open		  5 *
++#define __NR_close		  6 *
++#define __NR_waitpid		  7 -
++#define __NR_creat		  8 *
++#define __NR_link		  9 * [we do not need to check for T_DIR - hardlinks are not allowed for dirs anyway]
++#define __NR_unlink		 10 *
++#define __NR_execve		 11 *
++#define __NR_chdir		 12 *
++#define __NR_time		 13 *
++#define __NR_mknod		 14 *
++#define __NR_chmod		 15 *
++#define __NR_lchown		 16 *
++#define __NR_break		 17
++#define __NR_oldstat		 18
++#define __NR_lseek		 19 -
++#define __NR_getpid		 20 -
++#define __NR_mount		 21 !
++[do_loopback(), do_move_mount(), do_remount() are missing. we should take care of them, also reading rsbac attributes dirs when necesary]
++#define __NR_umount		 22 *
++#define __NR_setuid		 23 *
++#define __NR_getuid		 24 -
++#define __NR_stime		 25 *
++#define __NR_ptrace		 26 *
++#define __NR_alarm		 27 -
++#define __NR_oldfstat		 28 
++#define __NR_pause		 29 -
++#define __NR_utime		 30 *
++#define __NR_stty		 31 
++#define __NR_gtty		 32 
++#define __NR_access		 33 *
++#define __NR_nice		 34 *
++#define __NR_ftime		 35 
++#define __NR_sync		 36 -
++#define __NR_kill		 37 * 
++#define __NR_rename		 38 *
++#define __NR_mkdir		 39 *
++#define __NR_rmdir		 40 *
++#define __NR_dup		 41 -
++#define __NR_pipe		 42 ! [see Interceptions-2.4]
++#define __NR_times		 43 -
++#define __NR_prof		 44 
++#define __NR_brk		 45 -
++#define __NR_setgid		 46 *
++#define __NR_getgid		 47 -
++#define __NR_signal		 48 -
++#define __NR_geteuid		 49 -
++#define __NR_getegid		 50 -
++#define __NR_acct		 51 ! [missing in 2.6, _and_ also on intercepted on 2.4 !!]
++#define __NR_umount2		 52 
++#define __NR_lock		 53 
++#define __NR_ioctl		 54 ! [missing interception - should be fine grained]
++#define __NR_fcntl		 55 ! [missing interception - should be fine grained]
++#define __NR_mpx		 56 
++#define __NR_setpgid		 57 *
++#define __NR_ulimit		 58 
++#define __NR_oldolduname	 59 
++#define __NR_umask		 60 -
++#define __NR_chroot		 61 *
++#define __NR_ustat		 62 -
++#define __NR_dup2		 63 -
++#define __NR_getppid		 64 -
++#define __NR_getpgrp		 65 -
++#define __NR_setsid		 66 -
++#define __NR_sigaction		 67 -
++#define __NR_sgetmask		 68 -
++#define __NR_ssetmask		 69 -
++#define __NR_setreuid		 70 *
++#define __NR_setregid		 71 *
++#define __NR_sigsuspend		 72 -
++#define __NR_sigpending		 73 -
++#define __NR_sethostname	 74 *
++#define __NR_setrlimit		 75 *
++#define __NR_getrlimit		 76 -
++#define __NR_getrusage		 77 -
++#define __NR_gettimeofday	 78 -
++#define __NR_settimeofday	 79 *
++#define __NR_getgroups		 80 -
++#define __NR_setgroups		 81 *
++#define __NR_select		 82 -
++#define __NR_symlink		 83 *
++#define __NR_oldlstat		 84 
++#define __NR_readlink		 85 *
++#define __NR_uselib		 86 *
++#define __NR_swapon		 87 *
++#define __NR_reboot		 88 *
++#define __NR_readdir		 89 
++#define __NR_mmap		 90 *
++#define __NR_munmap		 91 -
++#define __NR_truncate		 92 *
++#define __NR_ftruncate		 93 * 
++#define __NR_fchmod		 94 *
++#define __NR_fchown		 95 *
++#define __NR_getpriority	 96 -
++#define __NR_setpriority	 97 *
++#define __NR_profil		 98 
++#define __NR_statfs		 99 *
++#define __NR_fstatfs		100 *
++#define __NR_ioperm		101 *
++#define __NR_socketcall		102 ! [missing interception]
++#define __NR_syslog		103 *
++#define __NR_setitimer		104 -
++#define __NR_getitimer		105 -
++#define __NR_stat		106 *
++#define __NR_lstat		107 *
++#define __NR_fstat		108 *
++#define __NR_olduname		109 -
++#define __NR_iopl		110 *
++#define __NR_vhangup		111 
++#define __NR_idle		112 
++#define __NR_vm86old		113 
++#define __NR_wait4		114 -
++#define __NR_swapoff		115 *
++#define __NR_sysinfo		116 -
++#define __NR_ipc		117 ! [missing interception]
++#define __NR_fsync		118 -
++#define __NR_sigreturn		119 -
++#define __NR_clone		120 *
++#define __NR_setdomainname	121 *
++#define __NR_uname		122 -
++#define __NR_modify_ldt		123 
++#define __NR_adjtimex		124 *
++#define __NR_mprotect		125 *
++#define __NR_sigprocmask	126 -
++#define __NR_create_module	127 
++#define __NR_init_module	128 *
++#define __NR_delete_module	129 
++#define __NR_get_kernel_syms	130 
++#define __NR_quotactl		131 ! [missing interception]
++#define __NR_getpgid		132 -
++#define __NR_fchdir		133 *
++#define __NR_bdflush		134 -
++#define __NR_sysfs		135 -
++#define __NR_personality	136 ? [what about it]
++#define __NR_afs_syscall	137 
++#define __NR_setfsuid		138 *
++#define __NR_setfsgid		139 *
++#define __NR__llseek		140 -
++#define __NR_getdents		141 ! [missing interception - should be in vfs_readdir]
++#define __NR__newselect		142 -
++#define __NR_flock		143 -
++#define __NR_msync		144 -
++#define __NR_readv		145 *
++#define __NR_writev		146 *
++#define __NR_getsid		147 *
++#define __NR_fdatasync		148 -
++#define __NR__sysctl		149 ! [missing interception]
++#define __NR_mlock		150 ? [to care or not to care. this is a question !]
++#define __NR_munlock		151 ? [see above]
++#define __NR_mlockall		152 ? [see above]
++#define __NR_munlockall		153 ? [see above]
++#define __NR_sched_setparam		154 ! [missing interception]
++#define __NR_sched_getparam		155 -
++#define __NR_sched_setscheduler		156 ! [missing interception]
++#define __NR_sched_getscheduler		157 -
++#define __NR_sched_yield		158 -
++#define __NR_sched_get_priority_max	159 -
++#define __NR_sched_get_priority_min	160 -
++#define __NR_sched_rr_get_interval	161 -
++#define __NR_nanosleep		162 -
++#define __NR_mremap		163 -
++#define __NR_setresuid		164 *
++#define __NR_getresuid		165 -
++#define __NR_vm86		166 
++#define __NR_query_module	167 ! [intercepted on 2.4, not found on 2.6]
++#define __NR_poll		168 
++#define __NR_nfsservctl		169 ! [missing interception]
++#define __NR_setresgid		170 *
++#define __NR_getresgid		171 -
++#define __NR_prctl              172 -
++#define __NR_rt_sigreturn	173 -
++#define __NR_rt_sigaction	174 -
++#define __NR_rt_sigprocmask	175 -
++#define __NR_rt_sigpending	176 -
++#define __NR_rt_sigtimedwait	177 -
++#define __NR_rt_sigqueueinfo	178 -
++#define __NR_rt_sigsuspend	179 -
++#define __NR_pread64		180 *
++#define __NR_pwrite64		181 *
++#define __NR_chown		182 *
++#define __NR_getcwd		183 -
++#define __NR_capget		184 *
++#define __NR_capset		185 *
++#define __NR_sigaltstack	186 -
++#define __NR_sendfile		187 *
++#define __NR_getpmsg		188 
++#define __NR_putpmsg		189 
++#define __NR_vfork		190 *
++#define __NR_ugetrlimit		191 -
++#define __NR_mmap2		192 *
++#define __NR_truncate64		193 *
++#define __NR_ftruncate64	194 *
++#define __NR_stat64		195 * vfs_stat() seems to be ok, but there is also cp_new_stat()/cp_new_stat64()]
++#define __NR_lstat64		196 *
++#define __NR_fstat64		197 *
++#define __NR_lchown32		198 *
++#define __NR_getuid32		199 -
++#define __NR_getgid32		200 -
++#define __NR_geteuid32		201 -
++#define __NR_getegid32		202 -
++#define __NR_setreuid32		203 
++#define __NR_setregid32		204 
++#define __NR_getgroups32	205 -
++#define __NR_setgroups32	206 
++#define __NR_fchown32		207 
++#define __NR_setresuid32	208  
++#define __NR_getresuid32	209 -
++#define __NR_setresgid32	210 
++#define __NR_getresgid32	211 -
++#define __NR_chown32		212 
++#define __NR_setuid32		213 
++#define __NR_setgid32		214 
++#define __NR_setfsuid32		215 
++#define __NR_setfsgid32		216 
++#define __NR_pivot_root		217 *
++#define __NR_mincore		218 ? [not intercepted - i do not think it is necesary thought]
++#define __NR_madvise		219 ? [not intercepted - maybe this one should be]
++#define __NR_madvise1		219 
++#define __NR_getdents64		220 ! [same as sys_getdents()]
++#define __NR_fcntl64		221 ! [same as sys_fcntl()]
++/* 223 is unused */
++#define __NR_gettid		224 ? [not intercepted, rather no need to]
++#define __NR_readahead		225 ? [not intercepted - shall we ?]
++#define __NR_setxattr		226 ? [do we care about xattr ?]
++#define __NR_lsetxattr		227 ? [see above]
++#define __NR_fsetxattr		228 ? [see above]
++#define __NR_getxattr		229 ? [see above]
++#define __NR_lgetxattr		230 ? [see above]
++#define __NR_fgetxattr		231 ? [see above]
++#define __NR_listxattr		232 ? [see above]
++#define __NR_llistxattr		233 ? [see above]
++#define __NR_flistxattr		234 ? [see above]
++#define __NR_removexattr	235 ? [see above]
++#define __NR_lremovexattr	236 ? [see above]
++#define __NR_fremovexattr	237 ? [see above]
++#define __NR_tkill		238 *
++#define __NR_sendfile64		239 *
++#define __NR_futex		240 ! [multiplexer - check it out]
++#define __NR_sched_setaffinity	241 ! [not intercepted - shall we ?] 
++#define __NR_sched_getaffinity	242 ! [not intercepted, there is no need to]
++#define __NR_set_thread_area	243 
++#define __NR_get_thread_area	244 
++#define __NR_io_setup		245 ? [not intercepted - wtf is it ?]
++#define __NR_io_destroy		246 [see above]
++#define __NR_io_getevents	247 [see above]
++#define __NR_io_submit		248 [see above]
++#define __NR_io_cancel		249 [see above]
++#define __NR_fadvise64		250 ? [not intercepted - don't ask me what the heck is it]
++
++#define __NR_exit_group		252 ? [not intercepted - should be treated like sys_exit() ?]
++#define __NR_lookup_dcookie	253 ? [not intercepted - not necesary]
++#define __NR_epoll_create	254 ? [do we care about epool ?]
++#define __NR_epoll_ctl		255 ? [see above]
++#define __NR_epoll_wait		256 ? [see above]
++#define __NR_remap_file_pages	257 ? [not intercepted - may be dangerous ?]
++#define __NR_set_tid_address	258 ? [not intercepted - no need to]
++#define __NR_timer_create	259 ? [not intercepted - no need to ?]
++#define __NR_timer_settime	    ? [see above]
++#define __NR_timer_gettime	    ? [see above]
++#define __NR_timer_getoverrun	    ? [see above]
++#define __NR_timer_delete	    ? [see above]
++#define __NR_clock_settime	    *
++#define __NR_clock_gettime	    -
++#define __NR_clock_getres	    -
++#define __NR_clock_nanosleep	    -
++#define __NR_statfs64		268 *
++#define __NR_fstatfs64		269 *
++#define __NR_tgkill		270 *
++#define __NR_utimes		271 *
++#define __NR_fadvise64_64	272 ? [not intercepted - look fadvise above]
++#define __NR_vserver		273 - [reservation for friendly project]
++#define __NR_mbind		274 ? [not intercepted - i am borring, but will ask once more - what the heck ? (memory allocation policy stuff ?)]
++#define __NR_get_mempolicy	275 ? [see above]
++#define __NR_set_mempolicy	276 ? [see above]
++#define __NR_mq_open 		277 ? [message queues - i think that may be security revelant]
++#define __NR_mq_unlink		    ? [see above]
++#define __NR_mq_timedsend	    ? [see above]
++#define __NR_mq_timedreceive	    ? [see above]
++#define __NR_mq_notify		    ? [see above]
++#define __NR_mq_getsetattr	    ? [see above]
++#define __NR_sys_kexec_load	283 ! [not found, but kexec is very dangerous - should be imidiatelly be taken care of]
++#define __NR_waitid		284 ? [not intercepted, probably no need to]
++/* #define __NR_sys_setaltroot	285 ? [if any day it will come out from deep shadows we will be playing with it hard] */
++#define __NR_add_key		286 ? [key infrastructure recently hit kernels, another redhat (read: stupid, wastefull and security risky) idea ?]
++#define __NR_request_key	287 ? [see above]
++#define __NR_keyctl		288 ? [see above]
++#define __NR_ioprio_set         289 *
++#define __NR_ioprio_get         290 - 
++#define __NR_inotify_init       291
++#define __NR_inotify_add_watch  292
++#define __NR_inotify_rm_watch   293
++#define __NR_migrate_pages      294
++#define __NR_openat             295
++#define __NR_mkdirat            296
++#define __NR_mknodat            297
++#define __NR_fchownat           298
++#define __NR_futimesat          299
++#define __NR_fstatat64          300
++#define __NR_unlinkat           301
++#define __NR_renameat           302
++#define __NR_linkat             303
++#define __NR_symlinkat          304
++#define __NR_readlinkat         305
++#define __NR_fchmodat           306
++#define __NR_faccessat          307
++#define __NR_pselect6           308
++#define __NR_ppoll              309
++#define __NR_unshare            310
++#define __NR_set_robust_list    311
++#define __NR_get_robust_list    312
++#define __NR_splice             313
++#define __NR_sync_file_range    314
++#define __NR_tee                315
++#define __NR_vmsplice           316
++#define __NR_move_pages         317
++#define __NR_getcpu             318
++#define __NR_epoll_pwait        319
++#define __NR_utimensat          320
++#define __NR_signalfd           321
++#define __NR_timerfd            322
++#define __NR_eventfd            323
++#define __NR_fallocate          324 *
+diff --git a/Documentation/rsbac/README b/Documentation/rsbac/README
+new file mode 100644
+index 0000000..fd676e9
+--- /dev/null
++++ b/Documentation/rsbac/README
+@@ -0,0 +1,49 @@
++RSBAC README
++------------
++
++Documentation in this section is here for information only.
++
++The full RSBAC documentation is available online, at:
++<http://www.rsbac.org/documentation>
++
++New RSBAC versions as well as support for other kernel versions and bugfixes
++can be downloaded from: <http://www.rsbac.org>
++
++For installation instructions read INSTALL.
++
++Files description:
++------------------
++
++README-kernparam:
++Describes the various kernel parameters that can be used with RSBAC.
++
++README-proc:
++Describes the proc interface to RSBAC.
++
++Information about the registration of additional RSBAC decision modules
++(option CONFIG_RSBAC_REG) can be found in README-reg and html/reg.htm.
++
++(Quite old) man pages for many RSBAC syscalls are in the man directory.
++Russian versions can be found in man-rus.
++
++README-nrlists:
++For large systems (very many files per partition) you might consider
++increasing RSBAC_NR_FD_LISTS in include/rsbac/aci_data_structures.h before
++compiling. Please read README-nrlists first.
++There is also now a kernel configuration option.
++
++README-patching:
++If you patched against another kernel version than stated in the patch
++filename, it is important to work through README-patching.
++
++README-reg:
++Information about the registration of additional RSBAC decision modules
++(option CONFIG_RSBAC_REG) can be found in README-reg.
++
++
++If you run into problems or have questions, please write to the RSBAC
++mailing list at rsbac@... (commands like 'subscribe rsbac' as single
++line in the message body to majordomo@...), or see:
++<http://www.rsbac.org/contact>
++
++The RSBAC team.
+diff --git a/Documentation/rsbac/README-kernparam b/Documentation/rsbac/README-kernparam
+new file mode 100644
+index 0000000..55c70df
+--- /dev/null
++++ b/Documentation/rsbac/README-kernparam
+@@ -0,0 +1,93 @@
++RSBAC README for the kernel parameters.
++---------------------------------------
++
++Also see: <http://rsbac.org/documentation/kernel_parameters>
++
++The RSBAC system accepts the following parameters:
++ - rsbac_debug_ds: Debug messages from the Data Structures component.
++ - rsbac_debug_aef: Debug messages from the enforcement component (AEF).
++ - rsbac_debug_no_adf: Set default log level value for all request
++   types to 0: Do not log.
++ - rsbac_debug_adf (default, so obsolete): Set default log level value for all
++   request types to 1: Logging messages
++   from the decision component (ADF) for all requests that were denied (highly
++   recommended for testing, even in normal use). If provided, pseudonyms of
++   users are used.
++ - rsbac_debug_adf_all: Set default log level value for all request types to 2:
++   Logging messages from the decision component (ADF) for all requests. If
++   provided, pseudonyms of users are used. Gives a real lot of logging stuff
++    - never try this, if checking of sys_syslog is turned on and log levels
++   have not yet been saved to keep them permanent...
++ - rsbac_debug_ds_pm: Debug messages from the Data Structures component,
++   on access to privacy model data.
++ - rsbac_debug_aef_pm: Debug messages for privacy model specific system
++   calls.
++ - rsbac_debug_adf_pm: Debug messages for access control in privacy module.
++ - rsbac_debug_pm: Sets rsbac_debug_ds_pm, rsbac_debug_aef_pm,
++   rsbac_debug_adf_pm (recommended for testing privacy model).
++ - rsbac_debug_adf_ms: Debug messages for access control in Malware Scan.
++ - rsbac_debug_ds_rc: Debug messages from the Data Structures component,
++   on access to Role Compatibility model data.
++ - rsbac_debug_aef_rc: Debug messages for Role Compatibility model specific
++   system calls.
++ - rsbac_debug_adf_rc: Debug messages for access control in RC module.
++ - rsbac_debug_rc: Sets rsbac_debug_ds_rc, rsbac_debug_aef_rc,
++   rsbac_debug_adf_rc.
++ - rsbac_debug_ds_auth: Debug messages from the Data Structures component,
++   on access to AUTH model data.
++ - rsbac_debug_aef_auth: Debug messages for AUTH model specific system calls.
++ - rsbac_debug_adf_auth: Debug messages for access control in AUTH module.
++ - rsbac_debug_auth: Sets rsbac_debug_ds_auth, rsbac_debug_aef_auth,
++   rsbac_debug_adf_auth.
++ - rsbac_debug_ds_acl: Debug messages from the Data Structures component,
++   on access to Access Control Lists (ACL) model data.
++ - rsbac_debug_aef_acl: Debug messages for ACL model specific
++   system calls.
++ - rsbac_debug_adf_acl: Debug messages for access control in ACL module.
++ - rsbac_debug_acl: Sets rsbac_debug_ds_acl, rsbac_debug_aef_acl,
++   rsbac_debug_adf_acl.
++ - rsbac_debug_all: Sets all debug options - in fact turns on a huge amount
++   of logging. Beware of a fast growing system log. Hardly ever recommended.
++ - rsbac_debug_no_write: Turn writing to disk off for this
++   single boot time. For testing.
++ - rsbac_debug_auto: Debug messages from auto-write / rsbacd. Recommended
++   for a good disk saving overview.
++ - rsbac_debug_write: Debug messages from all attribute writing related
++   procedures.
++ - rsbac_no_defaults: suppress creation of default settings, useful for
++   restore from existing backup. Warning: An unconfigured system will only
++   come up in softmode or maint mode, and softmode will produce loads of
++   logging (see rsbac_nosyslog option...).
++ - rsbac_auth_enable_login: Sets auth_may_setuid for /bin/login, if AUTH
++   module is on. A good emergency helper, if you cannot login anymore.
++ - rsbac_softmode (only, if enabled on kernel config): switch to softmode
++ - rsbac_softmode_once (only, if enabled on kernel config): switch to softmode
++   and disallow to switch it on again later
++ - rsbac_softmode_never (only, if softmode enabled on kernel config):
++   disallow to switch softmode on during this runtime
++ - rsbac_softmode_<mod> (module name in lowercase, e.g. rc, only if enabled):
++   switch individual model softmode to on
++ - rsbac_freeze (only, if enabled in kernel config): Disallow RSBAC
++   administration for this runtime.
++ - rsbac_dac_disable (only, if enabled in kernel config): disable Linux DAC
++ - rsbac_nosyslog: do not log to syslog for this boot time
++ - rsbac_no_init_delay: disable delayed init for this single boot (if
++   init delay is enabled in kernel config)
++ - rsbac_delayed_root=major[:minor]: initialize, when this device gets
++   mounted. Omit minor or set to 00 to match all devices with this major
++   number. Delayed init must be enabled in kernel config.
++ - rsbac_auth_learn (only, if enabled in kernel config): enable AUTH
++   learning mode, where AUTH module adds all missing capabilities
++   automatically instead of denying the request.
++ - rsbac_acl_learn and rsbac_acl_learn_fd (only, if enabled in kernel
++   config): enable ACL learning mode for user rights to filesystem objects
++ - rsbac_log_remote_addr=a.b.c.d: Set remote logging address to a.b.c.d
++ - rsbac_log_remote_port=n: Set remote logging port to n. Remote logging
++   must be enabled in kernel config.
++ - rsbac_um_no_excl: Disable exlusive user management for this uptime.
++ - rsbac_daz_ttl=n: Set DAZ cache item ttl to n seconds for this boot.
++ - rsbac_cap_log_missing: Log all calls to capable() for caps, which are
++   not in the process set of effective Linux capabilities, i.e., failed
++   capable() checks.
++
++Last updated: 28/Jan/2005
+diff --git a/Documentation/rsbac/README-nrlists b/Documentation/rsbac/README-nrlists
+new file mode 100644
+index 0000000..496aad4
+--- /dev/null
++++ b/Documentation/rsbac/README-nrlists
+@@ -0,0 +1,28 @@
++RSBAC README-nrlists
++--------------------
++
++For large systems (very many files per partition) you should increase
++RSBAC_NR_FD_LISTS in include/rsbac/aci_data_structures.h before compiling.
++
++You should earnestly consider increasing, if you get warning messages like
++"write_fd_list(): list n too large (m bytes), calling partial_write_fd_list()!"
++(this does not lead to data loss though - it only decreases stability a
++bit). This should not happen any longer though - if it does, please send a
++note to RSBAC mailing list containing your /proc/rsbac-info/stats output and
++the output of free at the time when the messages appear for examination.
++
++CAUTION:
++- When restarting with a larger number of lists for the first time, you *must*
++  use the kernel parameter rsbac_change_nr! Only then old attributes are
++  allowed to be sorted into the now correct lists, otherwise they get lost and
++  that's it.
++- Please remember mounting rw all partitions used by RSBAC so far, while
++  rsbac_change_nr is still active.
++- There is definately no way back to a smaller number. All following RSBAC
++  versions must be set to the same value, and rebooting with an older kernel
++  can result in unnoticable attribute losses.
++
++To test this feature, you can use rsbac_debug_no_write. This prevents
++attribute saving and thus attribute loss from previous runs. Those
++partitions that are not mounted rw at boot time can be tested by mounting
++read-only.
+diff --git a/Documentation/rsbac/README-patching b/Documentation/rsbac/README-patching
+new file mode 100644
+index 0000000..2cf1691
+--- /dev/null
++++ b/Documentation/rsbac/README-patching
+@@ -0,0 +1,27 @@
++RSBAC README for patching against other versions.
++-------------------------------------------------
++
++To make my point clear: I do not recommend patching against other kernel
++versions than stated in the patch filename. Rather check RSBAC homepage
++for new versions or send a note to the RSBAC mailing list (see README).
++
++If you had to patch against another version, you will have to do the following:
++ - Make sure you understand how rsbac_adf_request() and rsbac_adf_set_attr()
++   calls work
++ - Patch in all rejects by hand.
++ - Edit fs/namei.c:
++     rsbac_lookup_one_len/hash must be lookup_one_len/hash minus
++     checks (permission(), rsbac_adf_request()).
++     Please do not forget to change the call to lookup_hash in
++     rsbac_lookup_one_len into rsbac_lookup_hash.
++ - arch/i386/kernel/entry.S must contain the RSBAC syscall number added,
++   embraced by #ifdef CONFIG_RSBAC.
++   You may have to adjust syscall numbers there and in
++   include/rsbac/unistd-i386.h. After that make sure you recompiled the
++   admin tools.
++ - Same for all other archs
++ - Check in rsbac/data_structures/aci_data_structures.c, if file opening and
++   closing are done correctly (rsbac_read_open, rsbac_write_open,
++   rsbac_read_close, rsbac_write_close).
++ - Check in rsbac/help/debug.c, whether the logging in rsbac_log() is
++   implemented correctly - see sys_syslog() in kernel/printk.c
+diff --git a/Documentation/rsbac/README-proc b/Documentation/rsbac/README-proc
+new file mode 100644
+index 0000000..168516e
+--- /dev/null
++++ b/Documentation/rsbac/README-proc
+@@ -0,0 +1,93 @@
++RSBAC README for the proc interface.
++------------------------------------
++
++Also see: <http://rsbac.org/documentation/proc_interface>
++
++If enabled in the kernel configuration, RSBAC adds one directory to the
++main proc dir: rsbac-info. Since proc is treated as a normal read-only fs,
++rsbac could not be used.
++
++All successful write accesses are logged via syslog at KERN_INFO level.
++The rsbac-info dir contains the following entries:
++
++ - stats: shows rsbac status, same contents as sys_rsbac_stats writes into
++   syslog
++
++ - active: short summary of version, mode and module states, good for scripts
++
++ - stats_pm (if PM is enabled): shows PM status, same contents as
++   sys_rsbac_stats_pm writes into syslog
++
++ - stats_rc (if RC is enabled): shows RC status
++
++ - stats_auth (if AUTH is enabled): shows AUTH status
++
++ - stats_acl (if ACL is enabled): shows ACL status
++
++ - xstats (if extended status is enabled): shows extended status, e.g. table
++   of call counts for requests and targets
++
++ - devices: shows all rsbac-mounted devices in n:m notation and their
++   no_write status (no_write is set on fd-list read, if wrong version).
++   No_write status can be changed by calling
++          echo "devices no_write n:m k" >devices
++   with n:m is the device in major:minor notation, k is 0 or 1.
++
++ - acl_devices, auth_devices: same for ACL and AUTH data structures
++
++ - debug: shows all RSBAC debug settings, softmode, dac_disable and nosyslog.
++   Levels can be changed by calling
++          echo "debug name n" >debug
++   Valid names are ds, aef, no_write, ds_pm, aef_pm, adf_pm, adf_ms, ds_rc,
++   aef_rc, adf_rc, ds_acl, aef_acl, adf_acl, auto, softmode, dac_disable and 
++   nosyslog, but only, if shown when reading this file. Valid levels are 0
++   and 1.
++   Debug levels can be preset to 1 by kernel parameters with same name as
++   variable name shown, e.g. rsbac_debug_ds or rsbac_softmode.
++   Individual model softmode can be switched by calling
++          echo "debug ind_softmode <modname> n" >debug
++   Remote logging address and port can be changed with
++          echo "debug log_remote_addr a.b.c.d" >debug
++          echo "debug log_remote_port n" >debug
++   DAZ cache ttl is set via
++          echo "debug daz_ttl n" >debug
++
++ - log_levels: shows adf log levels for all requests. Log levels can be
++   changed by calling
++   echo "log_levels request n" >log_levels
++   with request = request name, e.g. WRITE, n = level.
++
++ - auto_write (if auto-write is enabled): shows auto write status, currently
++   auto interval in jiffies and auto debug level only.
++   Auto interval can be changed by calling
++          echo "auto interval n" >auto_write
++   with n = number of jiffies, debug level (0 or 1) by calling
++          echo "auto debug n" >auto_write
++
++ - versions: shows aci versions for dev and user list and adf request array
++   version for log_level array and the no_write status of each (set on boot,
++   if wrong version is tried to be read). No_write status can be changed by
++   calling
++          echo "no_write listname n" >versions
++   with listname is one of dev, user, log_levels, n is 0 or 1.
++
++ - rmsg (if own logging is enabled): similar to kmsg in main proc dir, logging
++   of RSBAC requests. This file can be used by programs like klogd.
++
++ - auth_caplist (if AUTH is enabled): shows all AUTH capabilities currently
++   set.
++
++ - reg_modules (if REG is enabled): shows currently registered additional
++   decision modules and syscalls.
++
++ - acl_acllist (if ACL is enabled): Detailed listing of all ACL entries and
++   masks in the system.
++
++ - backup subdir: It contains backups of what would be
++   current aci data files. You can use cp for backups of system independent aci
++   data structures, e.g. rc_roles, rc_types, and the admin backup tools for
++   system dependent ones, e.g. file/dir attributes or AUTH file capabilities.
++   Using the backup_all script or single lines from it is however strongly
++   recommended.
++
++Last updated: 18/Jan/2005
+diff --git a/Documentation/rsbac/README-reg b/Documentation/rsbac/README-reg
+new file mode 100644
+index 0000000..10d6b8b
+--- /dev/null
++++ b/Documentation/rsbac/README-reg
+@@ -0,0 +1,37 @@
++RSBAC README for the REG facility.
++----------------------------------
++
++Also see: <http://rsbac.org/documentation/write_your_decision_module>
++
++If enabled in the kernel configuration, RSBAC REG allows the registration
++and unregistration of additional decision modules at runtime, usually from
++a kernel module.
++
++These modules register with a name and a chosen magic handle, which can be
++used for switching on/off and for unregistration.
++
++By registration, a request (the decision itself), a set_attr (called after 
++successful syscall completion) and a need_overwrite (called to determine,
++whether a file needs to be securely deleted/truncated) function can be
++installed.
++
++Apart from these decision functions some support routines can be registered.
++Currently these are write (signal asynchronous attribute writing to disk,
++called regularly by rsbacd), mount and umount (a device has been (u)mounted).
++
++However, each of these function pointers can be set to NULL, if
++no call of this type is wanted.
++
++All functions are *additional* to the existing functions from builtin
++modules, e.g. MAC or RC. This way, they can only further restrict access,
++but not grant anything denied by other models.
++
++Also, you can now register system calls and generic lists.
++
++For examples of builtin real decision modules and their functions see
++subdirs below rsbac/adf/.
++
++Working example modules with simple call counters and a proc pseudo file
++for counter display can be found in the examples/reg/ directory of the
++rsbac-admin tools. These are basically the same modules that are built if
++you enabled building of sample modules in kernel config.
+diff --git a/MAINTAINERS b/MAINTAINERS
+index f986e7d..d2509c5 100644
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -5564,6 +5564,13 @@ F:	include/linux/rose.h
+ F:	include/net/rose.h
+ F:	net/rose/
+ 
++RSBAC
++P:	Amon Ott
++M:	ao@...
++L:	rsbac@...
++W:	http://www.rsbac.org
++S:	Maintained
++
+ RTL8180 WIRELESS DRIVER
+ M:	"John W. Linville" <linville@...>
+ L:	linux-wireless@...
+diff --git a/Makefile b/Makefile
+index c291184..2cfa3e4 100644
+--- a/Makefile
++++ b/Makefile
+@@ -681,6 +681,13 @@ export KBUILD_IMAGE ?= vmlinux
+ export	INSTALL_PATH ?= /boot
+ 
+ #
++
++# Add RSBAC version
++ifeq ($(CONFIG_RSBAC),y)
++EXTRAVERSION:=$(EXTRAVERSION)-rsbac
++core-y		+= rsbac/
++endif
++
+ # INSTALL_MOD_PATH specifies a prefix to MODLIB for module directory
+ # relocations required by build roots.  This is not defined in the
+ # makefile but the argument can be passed to make if needed.
+diff --git a/arch/alpha/include/asm/unistd.h b/arch/alpha/include/asm/unistd.h
+index 2207fc6..6982eac 100644
+--- a/arch/alpha/include/asm/unistd.h
++++ b/arch/alpha/include/asm/unistd.h
+@@ -332,7 +332,11 @@
+ #define __NR_getdents64			377
+ #define __NR_gettid			378
+ #define __NR_readahead			379
++#ifdef CONFIG_RSBAC
++#define __NR_rsbac                      380
++#else
+ /* 380 is unused */
++#endif
+ #define __NR_tkill			381
+ #define __NR_setxattr			382
+ #define __NR_lsetxattr			383
+diff --git a/arch/alpha/kernel/asm-offsets.c b/arch/alpha/kernel/asm-offsets.c
+index 6ff8886..658ecc4 100644
+--- a/arch/alpha/kernel/asm-offsets.c
++++ b/arch/alpha/kernel/asm-offsets.c
+@@ -35,6 +35,9 @@ void foo(void)
+ 	DEFINE(PT_PTRACED, PT_PTRACED);
+ 	DEFINE(CLONE_VM, CLONE_VM);
+ 	DEFINE(CLONE_UNTRACED, CLONE_UNTRACED);
++#ifdef CONFIG_RSBAC
++	DEFINE(CLONE_KTHREAD, CLONE_KTHREAD);
++#endif
+ 	DEFINE(SIGCHLD, SIGCHLD);
+ 	BLANK();
+ 
+diff --git a/arch/alpha/kernel/entry.S b/arch/alpha/kernel/entry.S
+index 6d159ce..8df575e 100644
+--- a/arch/alpha/kernel/entry.S
++++ b/arch/alpha/kernel/entry.S
+@@ -653,7 +653,11 @@ kernel_thread:
+ 	stq	$2, 152($sp)		/* HAE */
+ 
+ 	/* Shuffle FLAGS to the front; add CLONE_VM.  */
++#ifdef CONFIG_RSBAC
++	ldi	$1, CLONE_VM|CLONE_UNTRACED | CLONE_KTHREAD;
++#else
+ 	ldi	$1, CLONE_VM|CLONE_UNTRACED
++#endif
+ 	or	$18, $1, $16
+ 	bsr	$26, sys_clone
+ 
+diff --git a/arch/alpha/kernel/ptrace.c b/arch/alpha/kernel/ptrace.c
+index e2af5eb..1e45259 100644
+--- a/arch/alpha/kernel/ptrace.c
++++ b/arch/alpha/kernel/ptrace.c
+@@ -21,6 +21,8 @@
+ 
+ #include "proto.h"
+ 
++#include <rsbac/hooks.h>
++
+ #define DEBUG	DBG_MEM
+ #undef DEBUG
+ 
+@@ -275,6 +277,26 @@ long arch_ptrace(struct task_struct *child, long request,
+ 	unsigned long tmp;
+ 	size_t copied;
+ 	long ret;
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rcu_read_lock();
++	rsbac_target_id.process = task_pid(child);
++	rsbac_attribute_value.trace_request = request;
++	if (!rsbac_adf_request(R_TRACE,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_trace_request,
++				rsbac_attribute_value))
++	{
++		rcu_read_unlock();
++		return -EPERM;
++	}
++	rcu_read_unlock();
++#endif
+ 
+ 	switch (request) {
+ 	/* When I and D space are separate, these will need to be fixed.  */
+diff --git a/arch/arm/include/asm/unistd.h b/arch/arm/include/asm/unistd.h
+index 4a11237..c880c84 100644
+--- a/arch/arm/include/asm/unistd.h
++++ b/arch/arm/include/asm/unistd.h
+@@ -248,7 +248,12 @@
+ #define __NR_madvise			(__NR_SYSCALL_BASE+220)
+ #define __NR_fcntl64			(__NR_SYSCALL_BASE+221)
+ 					/* 222 for tux */
+-					/* 223 is unused */
++/* RSBAC - we use 223, the old sys_security */
++#ifdef CONFIG_RSBAC
++#define __NR_rsbac                      (__NR_SYSCALL_BASE+223)
++#else
++                                        /* 223 is unused */
++#endif
+ #define __NR_gettid			(__NR_SYSCALL_BASE+224)
+ #define __NR_readahead			(__NR_SYSCALL_BASE+225)
+ #define __NR_setxattr			(__NR_SYSCALL_BASE+226)
+diff --git a/arch/arm/kernel/calls.S b/arch/arm/kernel/calls.S
+index 463ff4a..09aae70 100644
+--- a/arch/arm/kernel/calls.S
++++ b/arch/arm/kernel/calls.S
+@@ -232,7 +232,11 @@
+ /* 220 */	CALL(sys_madvise)
+ 		CALL(ABI(sys_fcntl64, sys_oabi_fcntl64))
+ 		CALL(sys_ni_syscall) /* TUX */
++#ifdef CONFIG_RSBAC
++		CALL(sys_rsbac)
++#else
+ 		CALL(sys_ni_syscall)
++#endif
+ 		CALL(sys_gettid)
+ /* 225 */	CALL(ABI(sys_readahead, sys_oabi_readahead))
+ 		CALL(sys_setxattr)
+diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c
+index 3d0c6fb..7c2e552 100644
+--- a/arch/arm/kernel/process.c
++++ b/arch/arm/kernel/process.c
+@@ -450,6 +450,10 @@ pid_t kernel_thread(int (*fn)(void *), void *arg, unsigned long flags)
+ {
+ 	struct pt_regs regs;
+ 
++#ifdef CONFIG_RSBAC
++	int rsbac_retval;
++#endif
++
+ 	memset(&regs, 0, sizeof(regs));
+ 
+ 	regs.ARM_r4 = (unsigned long)arg;
+@@ -459,7 +463,12 @@ pid_t kernel_thread(int (*fn)(void *), void *arg, unsigned long flags)
+ 	regs.ARM_pc = (unsigned long)kernel_thread_helper;
+ 	regs.ARM_cpsr = regs.ARM_r7 | PSR_I_BIT;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_retval = do_fork(flags | CLONE_VM | CLONE_UNTRACED | CLONE_KTHREAD, 0, &regs, 0, NULL, NULL);
++	return rsbac_retval;
++#else
+ 	return do_fork(flags|CLONE_VM|CLONE_UNTRACED, 0, &regs, 0, NULL, NULL);
++#endif
+ }
+ EXPORT_SYMBOL(kernel_thread);
+ 
+diff --git a/arch/avr32/kernel/process.c b/arch/avr32/kernel/process.c
+index ef5a2a0..ae0c932 100644
+--- a/arch/avr32/kernel/process.c
++++ b/arch/avr32/kernel/process.c
+@@ -101,8 +101,13 @@ int kernel_thread(int (*fn)(void *), void *arg, unsigned long flags)
+ 	regs.pc = (unsigned long)kernel_thread_helper;
+ 	regs.sr = MODE_SUPERVISOR;
+ 
+-	return do_fork(flags | CLONE_VM | CLONE_UNTRACED,
++#ifdef CONFIG_RSBAC
++	return do_fork(flags | CLONE_VM | CLONE_UNTRACED | CLONE_KTHREAD,
+ 		       0, &regs, 0, NULL, NULL);
++#else
++	return do_fork(flags | CLONE_VM | CLONE_UNTRACED,
++                       0, &regs, 0, NULL, NULL);
++#endif
+ }
+ EXPORT_SYMBOL(kernel_thread);
+ 
+diff --git a/arch/blackfin/kernel/process.c b/arch/blackfin/kernel/process.c
+index 6a80a9e..3650435 100644
+--- a/arch/blackfin/kernel/process.c
++++ b/arch/blackfin/kernel/process.c
+@@ -127,8 +127,13 @@ pid_t kernel_thread(int (*fn) (void *), void *arg, unsigned long flags)
+ 	   mode.  */
+ 	regs.ipend = 0x8002;
+ 	__asm__ __volatile__("%0 = syscfg;":"=da"(regs.syscfg):);
+-	return do_fork(flags | CLONE_VM | CLONE_UNTRACED, 0, &regs, 0, NULL,
++#ifdef CONFIG_RSBAC
++	return do_fork(flags | CLONE_VM | CLONE_UNTRACED | CLONE_KTHREAD, 0, &regs, 0, NULL,
+ 		       NULL);
++#else
++	return do_fork(flags | CLONE_VM | CLONE_UNTRACED, 0, &regs, 0, NULL,
++                       NULL);
++#endif
+ }
+ EXPORT_SYMBOL(kernel_thread);
+ 
+diff --git a/arch/cris/arch-v10/kernel/entry.S b/arch/cris/arch-v10/kernel/entry.S
+index 592fbe9..0360b7f 100644
+--- a/arch/cris/arch-v10/kernel/entry.S
++++ b/arch/cris/arch-v10/kernel/entry.S
+@@ -825,7 +825,11 @@ sys_call_table:
+ 	.long sys_getdents64	/* 220 */
+ 	.long sys_fcntl64
+ 	.long sys_ni_syscall	/* reserved for TUX */
+-	.long sys_ni_syscall
++#ifdef CONFIG_RSBAC
++	.long sys_rsbac 	/*	reserved for sys_security */
++#else
++	.long sys_ni_syscall 	/*	reserved for sys_security */
++#endif
+ 	.long sys_gettid
+ 	.long sys_readahead	/* 225 */
+ 	.long sys_setxattr
+diff --git a/arch/cris/arch-v10/kernel/process.c b/arch/cris/arch-v10/kernel/process.c
+index 9a57db6..9f672b6 100644
+--- a/arch/cris/arch-v10/kernel/process.c
++++ b/arch/cris/arch-v10/kernel/process.c
+@@ -93,6 +93,10 @@ int kernel_thread(int (*fn)(void *), void * arg, unsigned long flags)
+ {
+ 	struct pt_regs regs;
+ 
++#ifdef CONFIG_RSBAC
++	int rsbac_retval;
++#endif
++
+ 	memset(&regs, 0, sizeof(regs));
+ 
+         /* Don't use r10 since that is set to 0 in copy_thread */
+@@ -102,7 +106,12 @@ int kernel_thread(int (*fn)(void *), void * arg, unsigned long flags)
+ 	regs.dccr = 1 << I_DCCR_BITNR;
+ 
+ 	/* Ok, create the new process.. */
+-        return do_fork(flags | CLONE_VM | CLONE_UNTRACED, 0, &regs, 0, NULL, NULL);
++#ifdef CONFIG_RSBAC
++	rsbac_retval = do_fork(flags | CLONE_VM | CLONE_UNTRACED | CLONE_KTHREAD, 0, &regs, 0, NULL, NULL);
++	return rsbac_retval;
++#else
++	return do_fork(flags | CLONE_VM | CLONE_UNTRACED, 0, &regs, 0, NULL, NULL);
++#endif
+ }
+ 
+ /* setup the child's kernel stack with a pt_regs and switch_stack on it.
+diff --git a/arch/cris/arch-v32/kernel/process.c b/arch/cris/arch-v32/kernel/process.c
+index 0570e8c..bfe24d2 100644
+--- a/arch/cris/arch-v32/kernel/process.c
++++ b/arch/cris/arch-v32/kernel/process.c
+@@ -116,7 +116,11 @@ kernel_thread(int (*fn)(void *), void * arg, unsigned long flags)
+ 	regs.ccs = 1 << (I_CCS_BITNR + CCS_SHIFT);
+ 
+ 	/* Create the new process. */
+-        return do_fork(flags | CLONE_VM | CLONE_UNTRACED, 0, &regs, 0, NULL, NULL);
++#ifdef CONFIG_RSBAC
++	return do_fork(flags | CLONE_VM | CLONE_UNTRACED | CLONE_KTHREAD, 0, &regs, 0, NULL, NULL);
++#else
++	return do_fork(flags | CLONE_VM | CLONE_UNTRACED, 0, &regs, 0, NULL, NULL);
++#endif
+ }
+ 
+ /*
+diff --git a/arch/frv/kernel/kernel_thread.S b/arch/frv/kernel/kernel_thread.S
+index 4531c83..e97275e7 100644
+--- a/arch/frv/kernel/kernel_thread.S
++++ b/arch/frv/kernel/kernel_thread.S
+@@ -13,6 +13,10 @@
+ #include <asm/unistd.h>
+ 
+ #define CLONE_VM	0x00000100	/* set if VM shared between processes */
++#ifdef CONFIG_RSBAC
++#define CLONE_KTHREAD   0x100000000ULL      /* kernel thread */
++#define CLONE_KT        (CLONE_VM | CLONE_KTHREAD) /* kernel thread flags */
++#endif
+ #define	KERN_ERR	"<3>"
+ 
+ 	.section .rodata
+@@ -37,7 +41,11 @@ kernel_thread:
+ 
+ 	# start by forking the current process, but with shared VM
+ 	setlos.p	#__NR_clone,gr7		; syscall number
++#ifdef CONFIG_RSBAC
++	ori 		gr10,#CLONE_KT,gr8 	; first syscall arg	[clone_flags]
++#else
+ 	ori		gr10,#CLONE_VM,gr8	; first syscall arg	[clone_flags]
++#endif
+ 	sethi.p		#0xe4e4,gr9		; second syscall arg	[newsp]
+ 	setlo		#0xe4e4,gr9
+ 	setlos.p	#0,gr10			; third syscall arg	[parent_tidptr]
+diff --git a/arch/h8300/kernel/process.c b/arch/h8300/kernel/process.c
+index 933bd38..a71f60d 100644
+--- a/arch/h8300/kernel/process.c
++++ b/arch/h8300/kernel/process.c
+@@ -133,7 +133,11 @@ int kernel_thread(int (*fn)(void *), void * arg, unsigned long flags)
+ 
+ 	fs = get_fs();
+ 	set_fs (KERNEL_DS);
++#ifdef CONFIG_RSBAC
++	clone_arg = flags | CLONE_VM | CLONE_KTHREAD;
++#else
+ 	clone_arg = flags | CLONE_VM;
++#endif
+ 	__asm__("mov.l sp,er3\n\t"
+ 		"sub.l er2,er2\n\t"
+ 		"mov.l %2,er1\n\t"
+@@ -152,6 +156,12 @@ int kernel_thread(int (*fn)(void *), void * arg, unsigned long flags)
+ 		:"i"(__NR_clone),"g"(clone_arg),"g"(fn),"g"(arg),"i"(__NR_exit)
+ 		:"er0","er1","er2","er3");
+ 	set_fs (fs);
++
++#ifdef CONFIG_RSBAC
++	if (retval > 0)
++		rsbac_kthread_notify(find_pid_ns(retval, &init_pid_ns));
++#endif
++
+ 	return retval;
+ }
+ 
+diff --git a/arch/ia64/include/asm/unistd.h b/arch/ia64/include/asm/unistd.h
+index 7a3bd25..7e37d15 100644
+--- a/arch/ia64/include/asm/unistd.h
++++ b/arch/ia64/include/asm/unistd.h
+@@ -325,10 +325,18 @@
+ #define __NR_process_vm_writev		1333
+ #define __NR_accept4			1334
+ 
+-#ifdef __KERNEL__
++#ifdef CONFIG_RSBAC
++#define __NR_rsbac                      1335
++#endif
++
+ 
++#ifdef __KERNEL__
+ 
++#ifdef CONFIG_RSBAC
++#define NR_syscalls			312
++#else
+ #define NR_syscalls			311 /* length of syscall table */
++#endif
+ 
+ /*
+  * The following defines stop scripts/checksyscalls.sh from complaining about
+diff --git a/arch/ia64/kernel/asm-offsets.c b/arch/ia64/kernel/asm-offsets.c
+index af56501..98608b3 100644
+--- a/arch/ia64/kernel/asm-offsets.c
++++ b/arch/ia64/kernel/asm-offsets.c
+@@ -205,6 +205,9 @@ void foo(void)
+     /* for assembly files which can't include sched.h: */
+ 	DEFINE(IA64_CLONE_VFORK, CLONE_VFORK);
+ 	DEFINE(IA64_CLONE_VM, CLONE_VM);
++#ifdef CONFIG_RSBAC
++	DEFINE(IA64_CLONE_KTHREAD, CLONE_KTHREAD);
++#endif
+ 
+ 	BLANK();
+ 	DEFINE(IA64_CPUINFO_NSEC_PER_CYC_OFFSET,
+diff --git a/arch/ia64/kernel/entry.S b/arch/ia64/kernel/entry.S
+index 1ccbe12..24e8de1 100644
+--- a/arch/ia64/kernel/entry.S
++++ b/arch/ia64/kernel/entry.S
+@@ -1758,6 +1758,9 @@ sys_call_table:
+ 	data8 sys_timerfd_create		// 1310
+ 	data8 sys_timerfd_settime
+ 	data8 sys_timerfd_gettime
++#ifdef CONFIG_RSBAC
++	data8 sys_rsbac
++#endif
+ 	data8 sys_signalfd4
+ 	data8 sys_eventfd2
+ 	data8 sys_epoll_create1			// 1315
+diff --git a/arch/ia64/kernel/process.c b/arch/ia64/kernel/process.c
+index 6d33c5c..2d05282 100644
+--- a/arch/ia64/kernel/process.c
++++ b/arch/ia64/kernel/process.c
+@@ -657,6 +657,10 @@ kernel_thread (int (*fn)(void *), void *arg, unsigned long flags)
+ 		struct pt_regs pt;
+ 	} regs;
+ 
++#ifdef CONFIG_RSBAC
++	int rsbac_retval;
++#endif
++
+ 	memset(&regs, 0, sizeof(regs));
+ 	regs.pt.cr_iip = helper_fptr[0];	/* set entry point (IP) */
+ 	regs.pt.r1 = helper_fptr[1];		/* set GP */
+@@ -668,7 +672,12 @@ kernel_thread (int (*fn)(void *), void *arg, unsigned long flags)
+ 	regs.sw.ar_fpsr = regs.pt.ar_fpsr = ia64_getreg(_IA64_REG_AR_FPSR);
+ 	regs.sw.ar_bspstore = (unsigned long) current + IA64_RBS_OFFSET;
+ 	regs.sw.pr = (1 << PRED_KERNEL_STACK);
++#ifdef CONFIG_RSBAC
++	rsbac_retval = do_fork(flags | CLONE_VM | CLONE_UNTRACED | CLONE_KTHREAD, 0, &regs.pt, 0, NULL, NULL);
++	return rsbac_retval;
++#else
+ 	return do_fork(flags | CLONE_VM | CLONE_UNTRACED, 0, &regs.pt, 0, NULL, NULL);
++#endif
+ }
+ EXPORT_SYMBOL(kernel_thread);
+ 
+diff --git a/arch/ia64/kernel/ptrace.c b/arch/ia64/kernel/ptrace.c
+index 8848f43..03dcaf9 100644
+--- a/arch/ia64/kernel/ptrace.c
++++ b/arch/ia64/kernel/ptrace.c
+@@ -35,6 +35,8 @@
+ 
+ #include "entry.h"
+ 
++#include <rsbac/hooks.h>
++
+ /*
+  * Bits in the PSR that we allow ptrace() to change:
+  *	be, up, ac, mfl, mfh (the user mask; five bits total)
+diff --git a/arch/m32r/kernel/process.c b/arch/m32r/kernel/process.c
+index 422bea9..78e75a3 100644
+--- a/arch/m32r/kernel/process.c
++++ b/arch/m32r/kernel/process.c
+@@ -194,7 +194,11 @@ int kernel_thread(int (*fn)(void *), void *arg, unsigned long flags)
+ 	regs.psw = M32R_PSW_BIE;
+ 
+ 	/* Ok, create the new process. */
++#ifdef CONFIG_RSBAC
++	return do_fork(flags | CLONE_VM | CLONE_UNTRACED | CLONE_KTHREAD, 0, &regs, 0, NULL,
++#else
+ 	return do_fork(flags | CLONE_VM | CLONE_UNTRACED, 0, &regs, 0, NULL,
++#endif
+ 		NULL);
+ }
+ 
+diff --git a/arch/m32r/kernel/ptrace.c b/arch/m32r/kernel/ptrace.c
+index 2074375..fbc92cd 100644
+--- a/arch/m32r/kernel/ptrace.c
++++ b/arch/m32r/kernel/ptrace.c
+@@ -33,6 +33,8 @@
+ #include <asm/processor.h>
+ #include <asm/mmu_context.h>
+ 
++#include <rsbac/hooks.h>
++
+ /*
+  * This routine will get a word off of the process kernel stack.
+  */
+@@ -626,6 +628,25 @@ arch_ptrace(struct task_struct *child, long request,
+ 	    unsigned long addr, unsigned long data)
+ {
+ 	int ret;
++
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++
++		rsbac_pr_debug(aef, "calling ADF\n");
++		rsbac_target_id.process = task_pid(child);
++		rsbac_attribute_value.trace_request = request;
++		if (!rsbac_adf_request(R_TRACE,
++					task_pid(current),
++					T_PROCESS,
++					rsbac_target_id,
++					A_trace_request,
++					rsbac_attribute_value))
++		{
++			return -EPERM;
++		}
++#endif
++
+ 	unsigned long __user *datap = (unsigned long __user *) data;
+ 
+ 	switch (request) {
+diff --git a/arch/m68k/include/asm/unistd.h b/arch/m68k/include/asm/unistd.h
+index 303192f..e96a2b3 100644
+--- a/arch/m68k/include/asm/unistd.h
++++ b/arch/m68k/include/asm/unistd.h
+@@ -353,9 +353,17 @@
+ #define __NR_process_vm_readv	345
+ #define __NR_process_vm_writev	346
+ 
++#ifdef CONFIG_RSBAC
++#define __NR_rsbac              347
++#endif
++
+ #ifdef __KERNEL__
+ 
++#ifdef CONFIG_RSBAC
++#define NR_syscalls		348
++#else
+ #define NR_syscalls		347
++#endif
+ 
+ #define __ARCH_WANT_IPC_PARSE_VERSION
+ #define __ARCH_WANT_OLD_READDIR
+diff --git a/arch/m68k/kernel/entry.S b/arch/m68k/kernel/entry.S
+index 081cf96..5af2c07 100644
+--- a/arch/m68k/kernel/entry.S
++++ b/arch/m68k/kernel/entry.S
+@@ -3,3 +3,10 @@
+ #else
+ #include "entry_no.S"
+ #endif
++#ifdef CONFIG_RSBAC
++	/* we use 400, until sys_security gets defined here */
++	.rept 399-343
++		.long sys_ni_syscall
++	.endr
++	.long sys_rsbac
++#endif
+diff --git a/arch/m68k/kernel/process.c b/arch/m68k/kernel/process.c
+index 6cf4bd6..ae5dc84 100644
+--- a/arch/m68k/kernel/process.c
++++ b/arch/m68k/kernel/process.c
+@@ -3,3 +3,13 @@
+ #else
+ #include "process_no.c"
+ #endif
++#ifdef CONFIG_RSBAC
++	register long clone_arg __asm__ ("d1") = flags | CLONE_VM | CLONE_UNTRACED | CLONE_KTHREAD;
++#else
++#endif
++
++#ifdef CONFIG_RSBAC
++	if (pid > 0)
++		rsbac_kthread_notify(find_pid_ns(pid, &init_pid_ns));
++#endif
++
+diff --git a/arch/m68k/kernel/process_no.c b/arch/m68k/kernel/process_no.c
+index 5e1078c..c03104a 100644
+--- a/arch/m68k/kernel/process_no.c
++++ b/arch/m68k/kernel/process_no.c
+@@ -121,7 +121,11 @@ void show_regs(struct pt_regs * regs)
+ int kernel_thread(int (*fn)(void *), void * arg, unsigned long flags)
+ {
+ 	int retval;
++#ifdef CONFIG_RSBAC
++	long clone_arg = flags | CLONE_VM | CLONE_KTHREAD;
++#else
+ 	long clone_arg = flags | CLONE_VM;
++#endif
+ 	mm_segment_t fs;
+ 
+ 	fs = get_fs();
+@@ -149,6 +153,12 @@ int kernel_thread(int (*fn)(void *), void * arg, unsigned long flags)
+ 		: "cc", "%d0", "%d1", "%d2");
+ 
+ 	set_fs(fs);
++
++#ifdef CONFIG_RSBAC
++	if (retval > 0)
++		rsbac_kthread_notify(find_pid_ns(retval, &init_pid_ns));
++#endif
++
+ 	return retval;
+ }
+ EXPORT_SYMBOL(kernel_thread);
+diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
+index c47f96e..75fae79 100644
+--- a/arch/mips/kernel/process.c
++++ b/arch/mips/kernel/process.c
+@@ -233,6 +233,7 @@ static void __noreturn kernel_thread_helper(void *arg, int (*fn)(void *))
+ long kernel_thread(int (*fn)(void *), void *arg, unsigned long flags)
+ {
+ 	struct pt_regs regs;
++	int retval;
+ 
+ 	memset(&regs, 0, sizeof(regs));
+ 
+@@ -248,7 +249,12 @@ long kernel_thread(int (*fn)(void *), void *arg, unsigned long flags)
+ #endif
+ 
+ 	/* Ok, create the new process.. */
+-	return do_fork(flags | CLONE_VM | CLONE_UNTRACED, 0, &regs, 0, NULL, NULL);
++#ifdef CONFIG_RSBAC
++	retval = do_fork(flags | CLONE_VM | CLONE_UNTRACED | CLONE_KTHREAD, 0, &regs, 0, NULL, NULL);
++#else
++	retval = do_fork(flags | CLONE_VM | CLONE_UNTRACED, 0, &regs, 0, NULL, NULL);
++#endif
++        return retval;
+ }
+ 
+ /*
+diff --git a/arch/mips/kernel/scall32-o32.S b/arch/mips/kernel/scall32-o32.S
+index a632bc1..3e527cd 100644
+--- a/arch/mips/kernel/scall32-o32.S
++++ b/arch/mips/kernel/scall32-o32.S
+@@ -456,7 +456,11 @@ einval:	li	v0, -ENOSYS
+ 	sys	sys_madvise		3
+ 	sys	sys_getdents64		3
+ 	sys	sys_fcntl64		3	/* 4220 */
++#ifdef CONFIG_RSBAC
++	sys	sys_rsbac		2	/* Security */
++#else
+ 	sys	sys_ni_syscall		0
++#endif
+ 	sys	sys_gettid		0
+ 	sys	sys_readahead		5
+ 	sys	sys_setxattr		5
+diff --git a/arch/mips/kernel/scall64-64.S b/arch/mips/kernel/scall64-64.S
+index 3b5a5e9..45b0b3e 100644
+--- a/arch/mips/kernel/scall64-64.S
++++ b/arch/mips/kernel/scall64-64.S
+@@ -303,7 +303,11 @@ sys_call_table:
+ 	PTR	sys_ni_syscall			/* res. for getpmsg */
+ 	PTR	sys_ni_syscall			/* 5175  for putpmsg */
+ 	PTR	sys_ni_syscall			/* res. for afs_syscall */
++#ifdef CONFIG_RSBAC
++	PTR	sys_rsbac			/* Security */
++#else
+ 	PTR	sys_ni_syscall			/* res. for security */
++#endif
+ 	PTR	sys_gettid
+ 	PTR	sys_readahead
+ 	PTR	sys_setxattr			/* 5180 */
+diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
+index 5422855..3fd990a 100644
+--- a/arch/mips/kernel/scall64-o32.S
++++ b/arch/mips/kernel/scall64-o32.S
+@@ -424,7 +424,11 @@ sys_call_table:
+ 	PTR	sys_madvise
+ 	PTR	sys_getdents64
+ 	PTR	compat_sys_fcntl64		/* 4220 */
++#ifdef CONFIG_RSBAC
++	PTR	sys_rsbac			/* Security */
++#else
+ 	PTR	sys_ni_syscall
++#endif
+ 	PTR	sys_gettid
+ 	PTR	sys32_readahead
+ 	PTR	sys_setxattr
+diff --git a/arch/mn10300/kernel/process.c b/arch/mn10300/kernel/process.c
+index 28eec31..2e8973f 100644
+--- a/arch/mn10300/kernel/process.c
++++ b/arch/mn10300/kernel/process.c
+@@ -180,8 +180,13 @@ int kernel_thread(int (*fn)(void *), void *arg, unsigned long flags)
+ 	regs.epsw |= EPSW_IE | EPSW_IM_7;
+ 
+ 	/* Ok, create the new process.. */
++#ifdef CONFIG_RSBAC
++	return do_fork(flags | CLONE_VM | CLONE_UNTRACED | CLONE_KTHREAD, 0, &regs, 0,
++                       NULL, NULL);
++#else
+ 	return do_fork(flags | CLONE_VM | CLONE_UNTRACED, 0, &regs, 0,
+ 		       NULL, NULL);
++#endif
+ }
+ EXPORT_SYMBOL(kernel_thread);
+ 
+diff --git a/arch/parisc/kernel/process.c b/arch/parisc/kernel/process.c
+index 4b4b918..822e4f1 100644
+--- a/arch/parisc/kernel/process.c
++++ b/arch/parisc/kernel/process.c
+@@ -176,7 +176,12 @@ pid_t kernel_thread(int (*fn)(void *), void *arg, unsigned long flags)
+ 	 *	  kernel_thread can become a #define.
+ 	 */
+ 
++	/* Ok, create the new process.. */
++#ifdef CONFIG_RSBAC
++	return __kernel_thread(fn, arg, flags | CLONE_KTHREAD);
++#else
+ 	return __kernel_thread(fn, arg, flags);
++#endif
+ }
+ EXPORT_SYMBOL(kernel_thread);
+ 
+diff --git a/arch/parisc/kernel/syscall_table.S b/arch/parisc/kernel/syscall_table.S
+index 3735abd..97347de 100644
+--- a/arch/parisc/kernel/syscall_table.S
++++ b/arch/parisc/kernel/syscall_table.S
+@@ -407,6 +407,9 @@
+ 	ENTRY_SAME(timerfd_create)
+ 	ENTRY_COMP(timerfd_settime)
+ 	ENTRY_COMP(timerfd_gettime)
++#ifdef CONFIG_RSBAC
++	ENTRY_SAME(rsbac)
++#endif
+ 	ENTRY_COMP(signalfd4)
+ 	ENTRY_SAME(eventfd2)		/* 310 */
+ 	ENTRY_SAME(epoll_create1)
+diff --git a/arch/powerpc/include/asm/systbl.h b/arch/powerpc/include/asm/systbl.h
+index 559ae1e..46d9105 100644
+--- a/arch/powerpc/include/asm/systbl.h
++++ b/arch/powerpc/include/asm/systbl.h
+@@ -227,7 +227,11 @@ SYSCALL_SPU(fremovexattr)
+ COMPAT_SYS_SPU(futex)
+ COMPAT_SYS_SPU(sched_setaffinity)
+ COMPAT_SYS_SPU(sched_getaffinity)
++#ifdef CONFIG_RSBAC
++SYSCALL(rsbac)
++#else
+ SYSCALL(ni_syscall)
++#endif
+ SYSCALL(ni_syscall)
+ SYS32ONLY(sendfile64)
+ COMPAT_SYS_SPU(io_setup)
+diff --git a/arch/powerpc/include/asm/unistd.h b/arch/powerpc/include/asm/unistd.h
+index d3d1b5e..70c3f22 100644
+--- a/arch/powerpc/include/asm/unistd.h
++++ b/arch/powerpc/include/asm/unistd.h
+@@ -238,6 +238,10 @@
+ #define __NR_futex		221
+ #define __NR_sched_setaffinity	222
+ #define __NR_sched_getaffinity	223
++/* RSBAC - we use 224, the old sys_security */
++#ifdef CONFIG_RSBAC
++#define __NR_rsbac              224
++#endif
+ /* 224 currently unused */
+ #define __NR_tuxcall		225
+ #ifndef __powerpc64__
+diff --git a/arch/powerpc/kernel/asm-offsets.c b/arch/powerpc/kernel/asm-offsets.c
+index 7c5324f..222e03c 100644
+--- a/arch/powerpc/kernel/asm-offsets.c
++++ b/arch/powerpc/kernel/asm-offsets.c
+@@ -317,6 +317,9 @@ int main(void)
+ #endif
+ 	DEFINE(CLONE_VM, CLONE_VM);
+ 	DEFINE(CLONE_UNTRACED, CLONE_UNTRACED);
++#ifdef CONFIG_RSBAC
++	DEFINE(CLONE_KTHREAD, CLONE_KTHREAD);
++#endif
+ 
+ #ifndef CONFIG_PPC64
+ 	DEFINE(MM_PGD, offsetof(struct mm_struct, pgd));
+diff --git a/arch/powerpc/kernel/misc_32.S b/arch/powerpc/kernel/misc_32.S
+index 7cd07b4..ff5bc66 100644
+--- a/arch/powerpc/kernel/misc_32.S
++++ b/arch/powerpc/kernel/misc_32.S
+@@ -674,7 +674,11 @@ _GLOBAL(kernel_thread)
+ 	mr	r30,r3		/* function */
+ 	mr	r31,r4		/* argument */
+ 	ori	r3,r5,CLONE_VM	/* flags */
++#ifdef CONFIG_RSBAC
++	oris	r3,r3,(CLONE_UNTRACED|CLONE_KTHREAD)>>16
++#else
+ 	oris	r3,r3,CLONE_UNTRACED>>16
++#endif
+ 	li	r4,0		/* new sp (unused) */
+ 	li	r0,__NR_clone
+ 	sc
+diff --git a/arch/powerpc/kernel/misc_64.S b/arch/powerpc/kernel/misc_64.S
+index 616921e..9f8aeb4 100644
+--- a/arch/powerpc/kernel/misc_64.S
++++ b/arch/powerpc/kernel/misc_64.S
+@@ -422,7 +422,11 @@ _GLOBAL(kernel_thread)
+ 	mr	r29,r3
+ 	mr	r30,r4
+ 	ori	r3,r5,CLONE_VM	/* flags */
++#ifdef CONFIG_RSBAC
++	oris    r3,r3,(CLONE_UNTRACED|CLONE_KTHREAD)>>16
++#else
+ 	oris	r3,r3,(CLONE_UNTRACED>>16)
++#endif
+ 	li	r4,0		/* new sp (unused) */
+ 	li	r0,__NR_clone
+ 	sc
+diff --git a/arch/s390/kernel/process.c b/arch/s390/kernel/process.c
+index 53088e2..3aa880c 100644
+--- a/arch/s390/kernel/process.c
++++ b/arch/s390/kernel/process.c
+@@ -116,6 +116,10 @@ int kernel_thread(int (*fn)(void *), void * arg, unsigned long flags)
+ {
+ 	struct pt_regs regs;
+ 
++#ifdef CONFIG_RSBAC
++	int rsbac_retval;
++#endif
++
+ 	memset(&regs, 0, sizeof(regs));
+ 	regs.psw.mask = psw_kernel_bits |
+ 		PSW_MASK_DAT | PSW_MASK_IO | PSW_MASK_EXT | PSW_MASK_MCHECK;
+@@ -126,8 +130,13 @@ int kernel_thread(int (*fn)(void *), void * arg, unsigned long flags)
+ 	regs.orig_gpr2 = -1;
+ 
+ 	/* Ok, create the new process.. */
++#ifdef CONFIG_RSBAC
++	rsbac_retval = do_fork(flags | CLONE_VM | CLONE_UNTRACED | CLONE_KTHREAD, 0, &regs, 0, NULL, NULL);
++	return rsbac_retval;
++#else
+ 	return do_fork(flags | CLONE_VM | CLONE_UNTRACED,
+ 		       0, &regs, 0, NULL, NULL);
++#endif
+ }
+ EXPORT_SYMBOL(kernel_thread);
+ 
+diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c
+index afe82bc..bea005a 100644
+--- a/arch/s390/kernel/ptrace.c
++++ b/arch/s390/kernel/ptrace.c
+@@ -35,6 +35,8 @@
+ #include "compat_ptrace.h"
+ #endif
+ 
++#include <rsbac/hooks.h>
++
+ #define CREATE_TRACE_POINTS
+ #include <trace/events/syscalls.h>
+ 
+diff --git a/arch/sh/include/asm/unistd_32.h b/arch/sh/include/asm/unistd_32.h
+index 152b862..c951ebc 100644
+--- a/arch/sh/include/asm/unistd_32.h
++++ b/arch/sh/include/asm/unistd_32.h
+@@ -231,7 +231,11 @@
+ #define __NR_madvise		219
+ #define __NR_getdents64		220
+ #define __NR_fcntl64		221
++#ifdef CONFIG_RSBAC
++#define __NR_rsbac              223
++#else
+ /* 223 is unused */
++#endif
+ #define __NR_gettid		224
+ #define __NR_readahead		225
+ #define __NR_setxattr		226
+diff --git a/arch/sh/include/asm/unistd_64.h b/arch/sh/include/asm/unistd_64.h
+index c330c23..2a12398 100644
+--- a/arch/sh/include/asm/unistd_64.h
++++ b/arch/sh/include/asm/unistd_64.h
+@@ -271,7 +271,11 @@
+ 
+ #define __NR_getdents64		248
+ #define __NR_fcntl64		249
+-/* 223 is unused */
++#ifdef CONFIG_RSBAC
++#define __NR_rsbac              251
++#else
++				/* 251 is unused */
++#endif
+ #define __NR_gettid		252
+ #define __NR_readahead		253
+ #define __NR_setxattr		254
+diff --git a/arch/sh/kernel/process_32.c b/arch/sh/kernel/process_32.c
+index aaf6d59..d378af7 100644
+--- a/arch/sh/kernel/process_32.c
++++ b/arch/sh/kernel/process_32.c
+@@ -92,10 +92,16 @@ int kernel_thread(int (*fn)(void *), void * arg, unsigned long flags)
+ #endif
+ 
+ 	/* Ok, create the new process.. */
++#ifdef CONFIG_RSBAC
++	pid = do_fork(flags | CLONE_VM | CLONE_UNTRACED | CLONE_KTHREAD,
++			0, &regs, 0, NULL, NULL);
++#else
+ 	pid = do_fork(flags | CLONE_VM | CLONE_UNTRACED, 0,
+ 		      &regs, 0, NULL, NULL);
++#endif
+ 
+ 	return pid;
++#endif
+ }
+ EXPORT_SYMBOL(kernel_thread);
+ 
+diff --git a/arch/sh/kernel/process_64.c b/arch/sh/kernel/process_64.c
+index 210c1ca..d0493ec 100644
+--- a/arch/sh/kernel/process_64.c
++++ b/arch/sh/kernel/process_64.c
+@@ -310,8 +310,12 @@ int kernel_thread(int (*fn)(void *), void * arg, unsigned long flags)
+ 	regs.sr = (1 << 30);
+ 
+ 	/* Ok, create the new process.. */
++#ifdef CONFIG_RSBAC
++	return do_fork(flags | CLONE_VM | CLONE_UNTRACED | KERNEL_THREAD, 0,
++#else
+ 	return do_fork(flags | CLONE_VM | CLONE_UNTRACED, 0,
+ 		      &regs, 0, NULL, NULL);
++#endif
+ }
+ EXPORT_SYMBOL(kernel_thread);
+ 
+diff --git a/arch/sh/kernel/syscalls_32.S b/arch/sh/kernel/syscalls_32.S
+index ee56a9b..ddcfc45 100644
+--- a/arch/sh/kernel/syscalls_32.S
++++ b/arch/sh/kernel/syscalls_32.S
+@@ -239,7 +239,11 @@ ENTRY(sys_call_table)
+ 	.long sys_getdents64	/* 220 */
+ 	.long sys_fcntl64
+ 	.long sys_ni_syscall	/* reserved for TUX */
++#ifdef CONFIG_RSBAC
++        .long sys_rsbac
++#else
+ 	.long sys_ni_syscall	/* Reserved for Security */
++#endif
+ 	.long sys_gettid
+ 	.long sys_readahead	/* 225 */
+ 	.long sys_setxattr
+diff --git a/arch/sh/kernel/syscalls_64.S b/arch/sh/kernel/syscalls_64.S
+index 9af7de2..35a9846 100644
+--- a/arch/sh/kernel/syscalls_64.S
++++ b/arch/sh/kernel/syscalls_64.S
+@@ -276,7 +276,11 @@ sys_call_table:
+ 	.long sys_getdents64
+ 	.long sys_fcntl64
+ 	.long sys_ni_syscall		/* 250 reserved for TUX */
++#ifdef CONFIG_RSBAC
++        .long sys_rsbac
++#else
+ 	.long sys_ni_syscall		/* Reserved for Security */
++#endif
+ 	.long sys_gettid
+ 	.long sys_readahead
+ 	.long sys_setxattr
+diff --git a/arch/sparc/include/asm/unistd.h b/arch/sparc/include/asm/unistd.h
+index c7cb0af..0cf7434 100644
+--- a/arch/sparc/include/asm/unistd.h
++++ b/arch/sparc/include/asm/unistd.h
+@@ -409,7 +409,12 @@
+ #define __NR_process_vm_readv	338
+ #define __NR_process_vm_writev	339
+ 
++#ifdef CONFIG_RSBAC
++#define __NR_rsbac              340
++#define NR_SYSCALLS		341
++#else
+ #define NR_syscalls		340
++#endif
+ 
+ #ifdef __32bit_syscall_numbers__
+ /* Sparc 32-bit only has the "setresuid32", "getresuid32" variants,
+diff --git a/arch/sparc/kernel/process_32.c b/arch/sparc/kernel/process_32.c
+index f793742..af327b1 100644
+--- a/arch/sparc/kernel/process_32.c
++++ b/arch/sparc/kernel/process_32.c
+@@ -678,9 +678,14 @@ pid_t kernel_thread(int (*fn)(void *), void * arg, unsigned long flags)
+ 			     /* Notreached by child. */
+ 			     "1: mov %%o0, %0\n\t" :
+ 			     "=r" (retval) :
++#ifdef CONFIG_RSBAC
++			     "i" (__NR_clone), "r" (flags | CLONE_VM | CLONE_UNTRACED | CLONE_KTHREAD),
++#else
+ 			     "i" (__NR_clone), "r" (flags | CLONE_VM | CLONE_UNTRACED),
++#endif
+ 			     "i" (__NR_exit),  "r" (fn), "r" (arg) :
+ 			     "g1", "g2", "g3", "o0", "o1", "memory", "cc");
++
+ 	return retval;
+ }
+ EXPORT_SYMBOL(kernel_thread);
+diff --git a/arch/sparc/kernel/process_64.c b/arch/sparc/kernel/process_64.c
+index 3739a06..db3fd41 100644
+--- a/arch/sparc/kernel/process_64.c
++++ b/arch/sparc/kernel/process_64.c
+@@ -643,7 +643,11 @@ pid_t kernel_thread(int (*fn)(void *), void * arg, unsigned long flags)
+ 			     /* Notreached by child. */
+ 			     "1:" :
+ 			     "=r" (retval) :
++#ifdef CONFIG_RSBAC
++			     "i" (__NR_clone), "r" (flags | CLONE_VM | CLONE_UNTRACED | CLONE_KTHREAD),
++#else
+ 			     "i" (__NR_clone), "r" (flags | CLONE_VM | CLONE_UNTRACED),
++#endif
+ 			     "i" (__NR_exit),  "r" (fn), "r" (arg) :
+ 			     "g1", "g2", "g3", "o0", "o1", "memory", "cc");
+ 	return retval;
+diff --git a/arch/sparc/kernel/ptrace_32.c b/arch/sparc/kernel/ptrace_32.c
+index 27b9e93..0f57948 100644
+--- a/arch/sparc/kernel/ptrace_32.c
++++ b/arch/sparc/kernel/ptrace_32.c
+@@ -26,6 +26,8 @@
+ #include <asm/system.h>
+ #include <asm/uaccess.h>
+ 
++#include <rsbac/hooks.h>
++
+ /* #define ALLOW_INIT_TRACING */
+ 
+ /*
+@@ -213,6 +215,28 @@ static int fpregs32_get(struct task_struct *target,
+ 	const unsigned long *fpregs = target->thread.float_regs;
+ 	int ret = 0;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rcu_read_lock();
++	rsbac_target_id.process = find_pid_ns(pid, &init_pid_ns);
++	rsbac_attribute_value.trace_request = request;
++	if (!rsbac_adf_request(R_TRACE,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_trace_request,
++				rsbac_attribute_value))
++	{
++		rcu_read_unlock();
++		return -EPERM;
++	}
++	rcu_read_unlock();
++#endif
++
++
+ #if 0
+ 	if (target == current)
+ 		save_and_clear_fpu();
+diff --git a/arch/sparc/kernel/ptrace_64.c b/arch/sparc/kernel/ptrace_64.c
+index 96ee50a..83bf9b0 100644
+--- a/arch/sparc/kernel/ptrace_64.c
++++ b/arch/sparc/kernel/ptrace_64.c
+@@ -38,6 +38,8 @@
+ #include <asm/cpudata.h>
+ #include <asm/cacheflush.h>
+ 
++#include <rsbac/hooks.h>
++
+ #define CREATE_TRACE_POINTS
+ #include <trace/events/syscalls.h>
+ 
+@@ -870,9 +872,32 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
+ 	unsigned long data = cdata;
+ 	int ret;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	pregs = (struct pt_regs32 __user *) addr;
+ 	fps = (struct compat_fps __user *) addr;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rcu_read_lock();
++	rsbac_target_id.process = task_pid(child);
++	rsbac_attribute_value.trace_request = request;
++	if (!rsbac_adf_request(R_TRACE,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_trace_request,
++				rsbac_attribute_value))
++	{
++		rcu_read_unlock();
++		return -EPERM;
++	}
++	rcu_read_unlock();
++#endif
++
+ 	switch (request) {
+ 	case PTRACE_PEEKUSR:
+ 		ret = (addr != 0) ? -EIO : 0;
+diff --git a/arch/sparc/kernel/systbls_32.S b/arch/sparc/kernel/systbls_32.S
+index 63402f9..ede75f0 100644
+--- a/arch/sparc/kernel/systbls_32.S
++++ b/arch/sparc/kernel/systbls_32.S
+@@ -48,7 +48,11 @@ sys_call_table:
+ /*145*/	.long sys_setrlimit, sys_pivot_root, sys_prctl, sys_pciconfig_read, sys_pciconfig_write
+ /*150*/	.long sys_nis_syscall, sys_inotify_init, sys_inotify_add_watch, sys_poll, sys_getdents64
+ /*155*/	.long sys_fcntl64, sys_inotify_rm_watch, sys_statfs, sys_fstatfs, sys_oldumount
++#ifdef CONFIG_RSBAC /* we use 164, which seems to be unused */
++/*160*/	.long sys_sched_setaffinity, sys_sched_getaffinity, sys_getdomainname, sys_setdomainname, sys_rsbac
++#else
+ /*160*/	.long sys_sched_setaffinity, sys_sched_getaffinity, sys_getdomainname, sys_setdomainname, sys_nis_syscall
++#endif
+ /*165*/	.long sys_quotactl, sys_set_tid_address, sys_mount, sys_ustat, sys_setxattr
+ /*170*/	.long sys_lsetxattr, sys_fsetxattr, sys_getxattr, sys_lgetxattr, sys_getdents
+ /*175*/	.long sys_setsid, sys_fchdir, sys_fgetxattr, sys_listxattr, sys_llistxattr
+diff --git a/arch/sparc/kernel/systbls_64.S b/arch/sparc/kernel/systbls_64.S
+index 3a58e0d..4798576 100644
+--- a/arch/sparc/kernel/systbls_64.S
++++ b/arch/sparc/kernel/systbls_64.S
+@@ -50,7 +50,11 @@ sys_call_table32:
+ 	.word compat_sys_setrlimit, sys_pivot_root, sys32_prctl, sys_pciconfig_read, sys_pciconfig_write
+ /*150*/	.word sys_nis_syscall, sys_inotify_init, sys_inotify_add_watch, sys_poll, sys_getdents64
+ 	.word compat_sys_fcntl64, sys_inotify_rm_watch, compat_sys_statfs, compat_sys_fstatfs, sys_oldumount
++#ifdef CONFIG_RSBAC /* we use 164, which seems to be unused */
++/*160*/	.word compat_sys_sched_setaffinity, compat_sys_sched_getaffinity, sys32_getdomainname, sys32_setdomainname, sys_rsbac
++#else
+ /*160*/	.word compat_sys_sched_setaffinity, compat_sys_sched_getaffinity, sys32_getdomainname, sys32_setdomainname, sys_nis_syscall
++#endif
+ 	.word sys_quotactl, sys_set_tid_address, compat_sys_mount, compat_sys_ustat, sys32_setxattr
+ /*170*/	.word sys32_lsetxattr, sys32_fsetxattr, sys_getxattr, sys_lgetxattr, compat_sys_getdents
+ 	.word sys_setsid, sys_fchdir, sys32_fgetxattr, sys_listxattr, sys_llistxattr
+diff --git a/arch/um/kernel/process.c b/arch/um/kernel/process.c
+index c533835..b849121 100644
+--- a/arch/um/kernel/process.c
++++ b/arch/um/kernel/process.c
+@@ -74,7 +74,11 @@ int kernel_thread(int (*fn)(void *), void * arg, unsigned long flags)
+ 
+ 	current->thread.request.u.thread.proc = fn;
+ 	current->thread.request.u.thread.arg = arg;
++#ifdef CONFIG_RSBAC
++	pid = do_fork(CLONE_VM | CLONE_UNTRACED | CLONE_KTHREAD | flags, 0,
++#else
+ 	pid = do_fork(CLONE_VM | CLONE_UNTRACED | flags, 0,
++#endif
+ 		      &current->thread.regs, 0, NULL, NULL);
+ 	return pid;
+ }
+diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
+index a6253ec..c0f2228 100644
+--- a/arch/x86/ia32/ia32entry.S
++++ b/arch/x86/ia32/ia32entry.S
+@@ -726,7 +726,11 @@ ia32_sys_call_table:
+ 	.quad compat_sys_getdents64	/* 220 getdents64 */
+ 	.quad compat_sys_fcntl64	
+ 	.quad quiet_ni_syscall		/* tux */
+-	.quad quiet_ni_syscall    	/* security */
++#ifdef CONFIG_RSBAC
++	.quad sys_rsbac         /* security */
++#else
++	.quad quiet_ni_syscall          /* security */
++#endif
+ 	.quad sys_gettid	
+ 	.quad sys32_readahead	/* 225 */
+ 	.quad sys_setxattr
+diff --git a/arch/x86/include/asm/unistd_32.h b/arch/x86/include/asm/unistd_32.h
+index 599c77d..e003158 100644
+--- a/arch/x86/include/asm/unistd_32.h
++++ b/arch/x86/include/asm/unistd_32.h
+@@ -228,7 +228,7 @@
+ #define __NR_madvise1		219	/* delete when C lib stub is removed */
+ #define __NR_getdents64		220
+ #define __NR_fcntl64		221
+-/* 223 is unused */
++#define __NR_rsbac		223	/* was security */
+ #define __NR_gettid		224
+ #define __NR_readahead		225
+ #define __NR_setxattr		226
+diff --git a/arch/x86/include/asm/unistd_64.h b/arch/x86/include/asm/unistd_64.h
+index 0431f19..4dec509 100644
+--- a/arch/x86/include/asm/unistd_64.h
++++ b/arch/x86/include/asm/unistd_64.h
+@@ -431,7 +431,14 @@ __SYSCALL(__NR_afs_syscall, sys_ni_syscall)
+ __SYSCALL(__NR_tuxcall, sys_ni_syscall)
+ 
+ #define __NR_security				185
++#ifdef CONFIG_RSBAC
++#ifndef __NR_rsbac
++#define __NR_rsbac __NR_security
++#endif
++__SYSCALL(__NR_rsbac, sys_rsbac)
++#else
+ __SYSCALL(__NR_security, sys_ni_syscall)
++#endif
+ 
+ #define __NR_gettid				186
+ __SYSCALL(__NR_gettid, sys_gettid)
+diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
+index 8c96897..524e039 100644
+--- a/arch/x86/kernel/ioport.c
++++ b/arch/x86/kernel/ioport.c
+@@ -17,6 +17,8 @@
+ #include <linux/bitmap.h>
+ #include <asm/syscalls.h>
+ 
++#include <rsbac/hooks.h>
++
+ /*
+  * this changes the io permissions bitmap in the current task.
+  */
+@@ -26,11 +28,31 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
+ 	struct tss_struct *tss;
+ 	unsigned int i, max_long, bytes, bytes_updated;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t       rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
+ 		return -EINVAL;
+ 	if (turn_on && !capable(CAP_SYS_RAWIO))
+ 		return -EPERM;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.scd = ST_ioports;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MODIFY_PERMISSIONS_DATA,
++				task_pid(current),
++				T_SCD,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		return -EPERM;
++	}
++#endif
++
+ 	/*
+ 	 * If it's the first ioperm() call in this thread's lifetime, set the
+ 	 * IO bitmap up. ioperm() is much less timing critical than clone(),
+@@ -98,6 +120,11 @@ long sys_iopl(unsigned int level, struct pt_regs *regs)
+ 	unsigned int old = (regs->flags >> 12) & 3;
+ 	struct thread_struct *t = &current->thread;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t       rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (level > 3)
+ 		return -EINVAL;
+ 	/* Trying to gain more privileges? */
+@@ -105,6 +132,22 @@ long sys_iopl(unsigned int level, struct pt_regs *regs)
+ 		if (!capable(CAP_SYS_RAWIO))
+ 			return -EPERM;
+ 	}
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.scd = ST_ioports;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MODIFY_PERMISSIONS_DATA,
++				task_pid(current),
++				T_SCD,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		return -EPERM;
++	}
++#endif
++
+ 	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
+ 	t->iopl = level << 12;
+ 	set_iopl_mask(t->iopl);
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index ee5d4fb..5f5f187 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -276,6 +276,10 @@ int kernel_thread(int (*fn)(void *), void *arg, unsigned long flags)
+ {
+ 	struct pt_regs regs;
+ 
++#ifdef CONFIG_RSBAC
++	long rsbac_retval;
++#endif
++
+ 	memset(&regs, 0, sizeof(regs));
+ 
+ 	regs.si = (unsigned long) fn;
+@@ -296,7 +300,12 @@ int kernel_thread(int (*fn)(void *), void *arg, unsigned long flags)
+ 	regs.flags = X86_EFLAGS_IF | 0x2;
+ 
+ 	/* Ok, create the new process.. */
++#ifdef CONFIG_RSBAC
++	rsbac_retval = do_fork(flags | CLONE_VM | CLONE_UNTRACED | CLONE_KTHREAD, 0, &regs, 0, NULL, NULL);
++	return rsbac_retval;
++#else
+ 	return do_fork(flags | CLONE_VM | CLONE_UNTRACED, 0, &regs, 0, NULL, NULL);
++#endif
+ }
+ EXPORT_SYMBOL(kernel_thread);
+ 
+diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
+index 6a364a6..4db5cd6 100644
+--- a/arch/x86/kernel/process_64.c
++++ b/arch/x86/kernel/process_64.c
+@@ -58,6 +58,12 @@ asmlinkage extern void ret_from_fork(void);
+ DEFINE_PER_CPU(unsigned long, old_rsp);
+ static DEFINE_PER_CPU(unsigned char, is_idle);
+ 
++#ifdef CONFIG_RSBAC
++unsigned long kernel_thread_flags = CLONE_VM | CLONE_UNTRACED | CLONE_KTHREAD;
++#else
++unsigned long kernel_thread_flags = CLONE_VM | CLONE_UNTRACED;
++#endif
++
+ static ATOMIC_NOTIFIER_HEAD(idle_notifier);
+ 
+ void idle_notifier_register(struct notifier_block *n)
+diff --git a/arch/x86/kernel/syscall_table_32.S b/arch/x86/kernel/syscall_table_32.S
+index 9a0e312..53751e1 100644
+--- a/arch/x86/kernel/syscall_table_32.S
++++ b/arch/x86/kernel/syscall_table_32.S
+@@ -222,7 +222,11 @@ ENTRY(sys_call_table)
+ 	.long sys_getdents64	/* 220 */
+ 	.long sys_fcntl64
+ 	.long sys_ni_syscall	/* reserved for TUX */
++#ifdef CONFIG_RSBAC
++	.long sys_rsbac
++#else
+ 	.long sys_ni_syscall
++#endif
+ 	.long sys_gettid
+ 	.long sys_readahead	/* 225 */
+ 	.long sys_setxattr
+diff --git a/arch/xtensa/kernel/entry.S b/arch/xtensa/kernel/entry.S
+index 6223f33..2f27c3d 100644
+--- a/arch/xtensa/kernel/entry.S
++++ b/arch/xtensa/kernel/entry.S
+@@ -1845,7 +1845,11 @@ ENTRY(kernel_thread)
+ 	mov	a5, a2			# preserve fn over syscall
+ 	mov	a7, a3			# preserve args over syscall
+ 
++#ifdef CONFIG_RSBAC
++	movi	a3, _CLONE_VM | _CLONE_UNTRACED | _CLONE_KTHREAD
++#else
+ 	movi	a3, _CLONE_VM | _CLONE_UNTRACED
++#endif
+ 	movi	a2, __NR_clone
+ 	or	a6, a4, a3		# arg0: flags
+ 	mov	a3, a1			# arg1: sp
+diff --git a/block/ioctl.c b/block/ioctl.c
+index ca939fc..3644401 100644
+--- a/block/ioctl.c
++++ b/block/ioctl.c
+@@ -9,6 +9,12 @@
+ #include <linux/blktrace_api.h>
+ #include <asm/uaccess.h>
+ 
++#ifdef CONFIG_RSBAC
++#include <rsbac/adf.h>
++#include <linux/hdreg.h>
++#endif
++
++
+ static int blkpg_ioctl(struct block_device *bdev, struct blkpg_ioctl_arg __user *arg)
+ {
+ 	struct block_device *bdevp;
+@@ -190,6 +196,61 @@ int blkdev_ioctl(struct block_device *bdev, fmode_t mode, unsigned cmd,
+ 	loff_t size;
+ 	int ret, n;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_adf_request_t rsbac_request;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++
++	rsbac_pr_debug(aef, "blkdev_ioctl(): calling ADF\n");
++
++	/* values taken from include/linux/fs.h and hdreg.h */
++	switch (cmd) {
++		case BLKGETSIZE:   /* Return device size */
++		case BLKGETSIZE64:
++		case BLKROGET:
++		case BLKRAGET:
++		case BLKFRAGET:
++		case BLKSECTGET:
++		case BLKSSZGET:
++		case BLKBSZGET:
++		case HDIO_GETGEO:
++		case HDIO_OBSOLETE_IDENTITY:
++		case HDIO_GET_UNMASKINTR:
++		case HDIO_GET_IDENTITY:
++		case HDIO_GET_NICE:
++		case HDIO_GET_BUSSTATE:
++		case HDIO_GET_QDMA:
++		case HDIO_GET_MULTCOUNT:
++		case HDIO_GET_KEEPSETTINGS:
++		case HDIO_GET_32BIT:
++		case HDIO_GET_NOWERR:
++		case HDIO_GET_DMA:
++		case HDIO_GET_WCACHE:
++		case HDIO_GET_ACOUSTIC:
++		case HDIO_GET_ADDRESS:
++			rsbac_request = R_GET_STATUS_DATA;
++			break;
++
++		default:
++			rsbac_request = R_MODIFY_SYSTEM_DATA;
++	}
++
++	rsbac_target_id.dev.type = D_block;
++	rsbac_target_id.dev.major = RSBAC_MAJOR(bdev->bd_dev);
++	rsbac_target_id.dev.minor = RSBAC_MINOR(bdev->bd_dev);
++
++	rsbac_attribute_value.ioctl_cmd = cmd;
++	if (!rsbac_adf_request(rsbac_request,
++				task_pid(current),
++				T_DEV,
++				rsbac_target_id,
++				A_ioctl_cmd,
++				rsbac_attribute_value))
++	{
++		return -EPERM;
++	}
++#endif
++
+ 	switch(cmd) {
+ 	case BLKFLSBUF:
+ 		if (!capable(CAP_SYS_ADMIN))
+diff --git a/drivers/block/loop.c b/drivers/block/loop.c
+index 1e888c9..99d24f1 100644
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -80,6 +80,8 @@
+ 
+ #include <asm/uaccess.h>
+ 
++#include <rsbac/hooks.h>
++
+ static DEFINE_IDR(loop_index_idr);
+ static DEFINE_MUTEX(loop_index_mutex);
+ 
+@@ -814,6 +816,12 @@ static int loop_set_fd(struct loop_device *lo, fmode_t mode,
+ 	int		error;
+ 	loff_t		size;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	/* This is safe, since we have a reference from open(). */
+ 	__module_get(THIS_MODULE);
+ 
+@@ -863,6 +871,46 @@ static int loop_set_fd(struct loop_device *lo, fmode_t mode,
+ 
+ 	error = 0;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[lo_ioctl()]: calling ADF for FILE/DEV\n");
++	if (S_ISREG(inode->i_mode)) {
++		rsbac_target = T_FILE;
++		rsbac_target_id.dir.device = file->f_dentry->d_sb->s_dev;
++		rsbac_target_id.dir.inode  = inode->i_ino;
++		rsbac_target_id.dir.dentry_p = file->f_dentry;
++	}
++	else { /* must be block */
++		rsbac_target = T_DEV;
++		rsbac_target_id.dev.type = D_block;
++		rsbac_target_id.dev.major = RSBAC_MAJOR(inode->i_rdev);
++		rsbac_target_id.dev.minor = RSBAC_MINOR(inode->i_rdev);
++	}
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MOUNT,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		error = -EPERM;
++		goto out_putf;
++	}
++	rsbac_pr_debug(aef, "[lo_ioctl()]: calling ADF for DEV\n");
++	rsbac_target_id.dev.type = D_block;
++	rsbac_target_id.dev.major = RSBAC_MAJOR(bdev->bd_dev);
++	rsbac_target_id.dev.minor = RSBAC_MINOR(bdev->bd_dev);
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MOUNT,
++				task_pid(current),
++				T_DEV,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		error = -EPERM;
++		goto out_putf;
++	}
++#endif
++
+ 	set_device_ro(bdev, (lo_flags & LO_FLAGS_READ_ONLY) != 0);
+ 
+ 	lo->lo_blocksize = lo_blocksize;
+@@ -972,6 +1020,12 @@ static int loop_clr_fd(struct loop_device *lo)
+ 	gfp_t gfp = lo->old_gfp_mask;
+ 	struct block_device *bdev = lo->lo_device;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (lo->lo_state != Lo_bound)
+ 		return -ENXIO;
+ 
+@@ -981,6 +1035,44 @@ static int loop_clr_fd(struct loop_device *lo)
+ 	if (filp == NULL)
+ 		return -EINVAL;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[lo_ioctl()]: calling ADF for FILE/DEV\n");
++	if (S_ISREG(filp->f_dentry->d_inode->i_mode)) {
++		rsbac_target = T_FILE;
++		rsbac_target_id.dir.device = filp->f_dentry->d_sb->s_dev;
++		rsbac_target_id.dir.inode  = filp->f_dentry->d_inode->i_ino;
++		rsbac_target_id.dir.dentry_p = filp->f_dentry;
++	}
++	else { /* must be block dev */
++		rsbac_target = T_DEV;
++		rsbac_target_id.dev.type = D_block;
++		rsbac_target_id.dev.major = RSBAC_MAJOR(filp->f_dentry->d_inode->i_rdev);
++		rsbac_target_id.dev.minor = RSBAC_MINOR(filp->f_dentry->d_inode->i_rdev);
++	}
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_UMOUNT,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++	rsbac_pr_debug(aef, "[lo_ioctl()]: calling ADF for DEV\n");
++	rsbac_target_id.dev.type = D_block;
++	rsbac_target_id.dev.major = LOOP_MAJOR;
++	rsbac_target_id.dev.minor = lo->lo_number;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_UMOUNT,
++				task_pid(current),
++				T_DEV,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	spin_lock_irq(&lo->lo_lock);
+ 	lo->lo_state = Lo_rundown;
+ 	spin_unlock_irq(&lo->lo_lock);
+diff --git a/drivers/char/mem.c b/drivers/char/mem.c
+index 1451790..02cc1c9 100644
+--- a/drivers/char/mem.c
++++ b/drivers/char/mem.c
+@@ -35,6 +35,8 @@
+ # include <linux/efi.h>
+ #endif
+ 
++#include <rsbac/hooks.h>
++
+ static inline unsigned long size_inside_page(unsigned long start,
+ 					     unsigned long size)
+ {
+@@ -98,6 +100,11 @@ static ssize_t read_mem(struct file *file, char __user *buf,
+ 	ssize_t read, sz;
+ 	char *ptr;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t       rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!valid_phys_addr_range(p, count))
+ 		return -EFAULT;
+ 	read = 0;
+@@ -124,6 +131,25 @@ static ssize_t read_mem(struct file *file, char __user *buf,
+ 		if (!range_is_allowed(p >> PAGE_SHIFT, count))
+ 			return -EPERM;
+ 
++#ifdef CONFIG_RSBAC
++		rsbac_attribute_value.pagenr = p >> PAGE_SHIFT;
++		if (rsbac_is_videomem(rsbac_attribute_value.pagenr, count))
++			rsbac_target_id.scd = ST_videomem;
++		else
++			rsbac_target_id.scd = ST_kmem;
++		rsbac_pr_debug(aef, "calling ADF\n");
++		if (!rsbac_adf_request(R_GET_STATUS_DATA,
++					task_pid(current),
++					T_SCD,
++					rsbac_target_id,
++					A_pagenr,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_INFO "read_mem(): RSBAC denied read access to kernel mem page %u, size %u\n",
++					rsbac_attribute_value.pagenr, count);
++			return -EPERM;
++		}
++#endif
++
+ 		/*
+ 		 * On ia64 if a page has been mapped somewhere as uncached, then
+ 		 * it must also be accessed uncached by the kernel or data
+@@ -156,6 +182,11 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
+ 	unsigned long copied;
+ 	void *ptr;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t       rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!valid_phys_addr_range(p, count))
+ 		return -EFAULT;
+ 
+@@ -179,6 +210,25 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
+ 		if (!range_is_allowed(p >> PAGE_SHIFT, sz))
+ 			return -EPERM;
+ 
++#ifdef CONFIG_RSBAC
++		rsbac_attribute_value.pagenr = p >> PAGE_SHIFT;
++		if (rsbac_is_videomem(rsbac_attribute_value.pagenr, sz))
++			rsbac_target_id.scd = ST_videomem;
++		else
++			rsbac_target_id.scd = ST_kmem;
++		rsbac_pr_debug(aef, "calling ADF\n");
++		if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++					task_pid(current),
++					T_SCD,
++					rsbac_target_id,
++					A_pagenr,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_INFO "write_mem(): RSBAC denied write access to kernel mem page %u, size %u\n",
++					rsbac_attribute_value.pagenr, sz);
++			return -EPERM;
++		}
++#endif
++
+ 		/*
+ 		 * On ia64 if a page has been mapped somewhere as uncached, then
+ 		 * it must also be accessed uncached by the kernel or data
+@@ -301,6 +351,11 @@ static int mmap_mem(struct file *file, struct vm_area_struct *vma)
+ {
+ 	size_t size = vma->vm_end - vma->vm_start;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t       rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!valid_mmap_phys_addr_range(vma->vm_pgoff, size))
+ 		return -EINVAL;
+ 
+@@ -314,6 +369,25 @@ static int mmap_mem(struct file *file, struct vm_area_struct *vma)
+ 						&vma->vm_page_prot))
+ 		return -EINVAL;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_attribute_value.pagenr = vma->vm_pgoff;
++	if (rsbac_is_videomem(rsbac_attribute_value.pagenr, size))
++		rsbac_target_id.scd = ST_videomem;
++	else
++		rsbac_target_id.scd = ST_kmem;
++	rsbac_pr_debug(aef, "calling ADF\n");
++	if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++				task_pid(current),
++				T_SCD,
++				rsbac_target_id,
++				A_pagenr,
++				rsbac_attribute_value)) {
++		rsbac_printk(KERN_INFO "mmap_mem(): RSBAC denied mmap access to kernel mem page %u, size %u\n",
++				rsbac_attribute_value.pagenr, size);
++		return -EPERM;
++	}
++#endif
++
+ 	vma->vm_page_prot = phys_mem_access_prot(file, vma->vm_pgoff,
+ 						 size,
+ 						 vma->vm_page_prot);
+diff --git a/drivers/ide/ide-ioctls.c b/drivers/ide/ide-ioctls.c
+index 4d19eb9..60918d4 100644
+--- a/drivers/ide/ide-ioctls.c
++++ b/drivers/ide/ide-ioctls.c
+@@ -6,6 +6,7 @@
+ #include <linux/hdreg.h>
+ #include <linux/ide.h>
+ #include <linux/slab.h>
++#include <rsbac/hooks.h>
+ 
+ static const struct ide_ioctl_devset ide_ioctl_settings[] = {
+ { HDIO_GET_32BIT,	 HDIO_SET_32BIT,	&ide_devset_io_32bit  },
+@@ -236,6 +237,58 @@ int generic_ide_ioctl(ide_drive_t *drive, struct block_device *bdev,
+ {
+ 	int err;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_adf_request_t rsbac_request;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++
++	rsbac_pr_debug(aef, "calling ADF\n");
++	/* values taken from include/linux/fs.h and hdreg.h */
++	switch (cmd) {
++		case BLKGETSIZE:   /* Return device size */
++		case BLKGETSIZE64:
++		case BLKROGET:
++		case BLKRAGET:
++		case BLKFRAGET:
++		case BLKSECTGET:
++		case BLKSSZGET:
++		case BLKBSZGET:
++		case HDIO_GETGEO:
++		case HDIO_OBSOLETE_IDENTITY:
++		case HDIO_GET_UNMASKINTR:
++		case HDIO_GET_IDENTITY:
++		case HDIO_GET_NICE:
++		case HDIO_GET_BUSSTATE:
++		case HDIO_GET_QDMA:
++		case HDIO_GET_MULTCOUNT:
++		case HDIO_GET_KEEPSETTINGS:
++		case HDIO_GET_32BIT:
++		case HDIO_GET_NOWERR:
++		case HDIO_GET_DMA:
++		case HDIO_GET_WCACHE:
++		case HDIO_GET_ACOUSTIC:
++		case HDIO_GET_ADDRESS:
++			rsbac_request = R_GET_STATUS_DATA;
++			break;
++
++		default:
++			rsbac_request = R_MODIFY_SYSTEM_DATA;
++	}
++	rsbac_target_id.dev.type = D_block;
++	rsbac_target_id.dev.major = RSBAC_MAJOR(bdev->bd_dev);
++	rsbac_target_id.dev.minor = RSBAC_MINOR(bdev->bd_dev);
++	rsbac_attribute_value.ioctl_cmd = cmd;
++	if (!rsbac_adf_request(rsbac_request,
++				task_pid(current),
++				T_DEV,
++				rsbac_target_id,
++				A_ioctl_cmd,
++				rsbac_attribute_value))
++	{
++		return -EPERM;
++	}
++#endif
++
+ 	err = ide_setting_ioctl(drive, bdev, cmd, arg, ide_ioctl_settings);
+ 	if (err != -EOPNOTSUPP)
+ 		return err;
+diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
+index 43db715..ec958c5 100644
+--- a/drivers/tty/sysrq.c
++++ b/drivers/tty/sysrq.c
+@@ -45,6 +45,11 @@
+ #include <asm/ptrace.h>
+ #include <asm/irq_regs.h>
+ 
++#ifdef CONFIG_RSBAC
++#include <rsbac/types.h>
++#include <rsbac/debug.h>
++#endif
++
+ /* Whether we react on sysrq keys or just ignore them */
+ static int __read_mostly sysrq_enabled = SYSRQ_DEFAULT_ENABLE;
+ static bool __read_mostly sysrq_always_enabled;
+@@ -186,6 +191,24 @@ static struct sysrq_key_op sysrq_mountro_op = {
+ 	.enable_mask	= SYSRQ_ENABLE_REMOUNT,
+ };
+ 
++#ifdef CONFIG_RSBAC_SOFTMODE_SYSRQ
++static void sysrq_handle_rsbac_softmode(int key) {
++	if (rsbac_softmode) {
++		rsbac_printk(KERN_WARNING "Soft mode disabled via SysRq!\n");
++		rsbac_softmode = 0;
++	}
++	else {
++		rsbac_printk(KERN_WARNING "Soft mode enabled via SysRq!\n");
++		rsbac_softmode = 1;
++	}
++}
++static struct sysrq_key_op sysrq_rsbac_softmode_op = {
++	handler:	sysrq_handle_rsbac_softmode,
++	help_msg:	"rsbac_toggle_softmode_X",
++	action_msg:	"RSBAC toggle softmode\n",
++};
++#endif
++
+ #ifdef CONFIG_LOCKDEP
+ static void sysrq_handle_showlocks(int key)
+ {
+@@ -449,7 +472,11 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
+ 	NULL,				/* v */
+ 	&sysrq_showstate_blocked_op,	/* w */
+ 	/* x: May be registered on ppc/powerpc for xmon */
++#ifdef CONFIG_RSBAC_SOFTMODE_SYSRQ
++	&sysrq_rsbac_softmode_op,	/* x */
++#else
+ 	NULL,				/* x */
++#endif
+ 	/* y: May be registered on sparc64 for global register dump */
+ 	NULL,				/* y */
+ 	&sysrq_ftrace_dump_op,		/* z */
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index 05085be..c6efc32 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -106,6 +106,8 @@
+ #include <linux/kmod.h>
+ #include <linux/nsproxy.h>
+ 
++#include <rsbac/hooks.h>
++
+ #undef TTY_DEBUG_HANGUP
+ 
+ #define TTY_PARANOIA_CHECK 1
+@@ -2080,10 +2082,33 @@ static int tiocsti(struct tty_struct *tty, char __user *p)
+ 	char ch, mbz = 0;
+ 	struct tty_ldisc *ld;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if ((current->signal->tty != tty) && !capable(CAP_SYS_ADMIN))
+ 		return -EPERM;
+ 	if (get_user(ch, p))
+ 		return -EFAULT;
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.dev.type = D_char;
++	rsbac_target_id.dev.major = tty->driver->major;
++	rsbac_target_id.dev.minor = tty->driver->minor_start + tty->index;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_SEND,
++				task_pid(current),
++				T_DEV,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		return -EPERM;
++	}
++#endif
++
+ 	tty_audit_tiocsti(tty, ch);
+ 	ld = tty_ldisc_ref_wait(tty);
+ 	ld->ops->receive_buf(tty, &ch, &mbz, 1);
+diff --git a/drivers/tty/tty_ioctl.c b/drivers/tty/tty_ioctl.c
+index 9314d93..5c9ae5d 100644
+--- a/drivers/tty/tty_ioctl.c
++++ b/drivers/tty/tty_ioctl.c
+@@ -25,6 +25,8 @@
+ #include <asm/uaccess.h>
+ #include <asm/system.h>
+ 
++#include <rsbac/hooks.h>
++
+ #undef TTY_DEBUG_WAIT_UNTIL_SENT
+ 
+ #undef	DEBUG
+@@ -952,14 +954,57 @@ int tty_mode_ioctl(struct tty_struct *tty, struct file *file,
+ 	int ret = 0;
+ 	struct ktermios kterm;
+ 
+-	BUG_ON(file == NULL);
++#ifdef CONFIG_RSBAC
++	enum  rsbac_adf_request_t rsbac_request;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
+ 
++	BUG_ON(file == NULL);
+ 	if (tty->driver->type == TTY_DRIVER_TYPE_PTY &&
+ 	    tty->driver->subtype == PTY_TYPE_MASTER)
+ 		real_tty = tty->link;
+ 	else
+ 		real_tty = tty;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	switch (cmd) {
++#ifdef TIOCGETP
++		case TIOCGETP:
++#endif
++#ifdef TIOCGETC
++		case TIOCGETC:
++#endif
++#ifdef TIOCGLTC
++		case TIOCGLTC:
++#endif
++		case TCGETS:
++		case TCGETA:
++		case TIOCOUTQ:
++		case TIOCINQ:
++		case TIOCGLCKTRMIOS:
++		case TIOCGSOFTCAR:
++			rsbac_request = R_GET_PERMISSIONS_DATA;
++			break;
++		default:
++			rsbac_request = R_MODIFY_PERMISSIONS_DATA;
++	}
++	rsbac_target_id.dev.type = D_char;
++	rsbac_target_id.dev.major = tty->driver->major;
++	rsbac_target_id.dev.minor = tty->driver->minor_start + tty->index;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(rsbac_request,
++				task_pid(current),
++				T_DEV,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		return -EPERM;
++	}
++#endif
++
+ 	switch (cmd) {
+ #ifdef TIOCGETP
+ 	case TIOCGETP:
+diff --git a/fs/exec.c b/fs/exec.c
+index 160cd2f..c8b9c5b 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -61,6 +61,8 @@
+ #include <asm/tlb.h>
+ #include "internal.h"
+ 
++#include <rsbac/hooks.h>
++
+ int core_uses_pid;
+ char core_pattern[CORENAME_MAX_SIZE] = "core";
+ unsigned int core_pipe_limit;
+@@ -121,6 +123,11 @@ SYSCALL_DEFINE1(uselib, const char __user *, library)
+ 		.intent = LOOKUP_OPEN
+ 	};
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (IS_ERR(tmp))
+ 		goto out;
+ 
+@@ -134,10 +141,36 @@ SYSCALL_DEFINE1(uselib, const char __user *, library)
+ 	if (!S_ISREG(file->f_path.dentry->d_inode->i_mode))
+ 		goto exit;
+ 
++#ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE_PART
++	if (rsbac_dac_part_disabled(file->f_path.dentry))
++		error = 0;
++	else
++#endif
+ 	error = -EACCES;
+ 	if (file->f_path.mnt->mnt_flags & MNT_NOEXEC)
+ 		goto exit;
+ 
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.file.device = file->f_path.dentry->d_inode->i_sb->s_dev;
++	rsbac_target_id.file.inode  = file->f_path.dentry->d_inode->i_ino;
++	rsbac_target_id.file.dentry_p = file->f_path.dentry;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MAP_EXEC,
++				task_pid(current),
++				T_FILE,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		rsbac_pr_debug(aef, "request not granted, my PID: %i\n",
++			       task_pid(current));
++		error = -EPERM;
++		goto exit;
++	}
++#endif
++
+ 	fsnotify_open(file);
+ 
+ 	error = -ENOEXEC;
+@@ -160,6 +193,29 @@ SYSCALL_DEFINE1(uselib, const char __user *, library)
+ 		read_unlock(&binfmt_lock);
+ 	}
+ exit:
++
++	/* RSBAC: notify ADF of mapped segment */
++#ifdef CONFIG_RSBAC
++	if (!error) {
++		union rsbac_target_id_t rsbac_new_target_id;
++
++		rsbac_pr_debug(aef, "calling ADF_set_attr\n");
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(R_MAP_EXEC,
++					task_pid(current),
++					T_FILE,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					A_none,
++					rsbac_attribute_value))
++		{
++			rsbac_printk(KERN_WARNING
++					"sys_uselib(): rsbac_adf_set_attr() returned error\n");
++		}
++	}
++#endif
++
+ 	fput(file);
+ out:
+   	return error;
+@@ -782,6 +838,13 @@ struct file *open_exec(const char *name)
+ 
+ 	fsnotify_open(file);
+ 
++#ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE_PART
++	if (rsbac_dac_part_disabled(file->f_path.dentry))
++		err = 0;
++	else
++#endif
++
++
+ 	err = deny_write_access(file);
+ 	if (err)
+ 		goto exit;
+@@ -1460,6 +1523,12 @@ static int do_execve_common(const char *filename,
+ 	int retval;
+ 	const struct cred *cred = current_cred();
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	/*
+ 	 * We move the actual failure in case of RLIMIT_NPROC excess from
+ 	 * set*uid() to execve() because too many poorly written programs
+@@ -1518,6 +1587,26 @@ static int do_execve_common(const char *filename,
+ 	if ((retval = bprm->envc) < 0)
+ 		goto out;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[sys_execve()]: calling ADF\n");
++	rsbac_target_id.file.device = file->f_dentry->d_sb->s_dev;
++	rsbac_target_id.file.inode  = file->f_dentry->d_inode->i_ino;
++	rsbac_target_id.file.dentry_p = file->f_dentry;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_EXECUTE,
++				task_pid(current),
++				T_FILE,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		rsbac_pr_debug(aef, "[sys_execve()]: request not granted, my PID: %i\n",
++				task_pid(current));
++		retval = -EPERM;
++		goto out;
++	}
++#endif
++
+ 	retval = prepare_binprm(bprm);
+ 	if (retval < 0)
+ 		goto out;
+@@ -1543,6 +1632,25 @@ static int do_execve_common(const char *filename,
+ 	current->fs->in_exec = 0;
+ 	current->in_execve = 0;
+ 	acct_update_integrals(current);
++/* RSBAC: notify ADF of changed program in this process
++ * Most structures are already filled
++ */
++#ifdef CONFIG_RSBAC
++		rsbac_pr_debug(aef, "[sys_execve()]: calling ADF_set_attr\n");
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(R_EXECUTE,
++					task_pid(current),
++					T_FILE,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					A_none,
++					rsbac_attribute_value))
++		{
++			rsbac_printk(KERN_WARNING
++					"do_execve() [sys_execve]: rsbac_adf_set_attr() returned error\n");
++		}
++#endif
+ 	free_bprm(bprm);
+ 	if (displaced)
+ 		put_files_struct(displaced);
+diff --git a/fs/ext2/ioctl.c b/fs/ext2/ioctl.c
+index f81e250..48be9f3 100644
+--- a/fs/ext2/ioctl.c
++++ b/fs/ext2/ioctl.c
+@@ -16,6 +16,10 @@
+ #include <asm/current.h>
+ #include <asm/uaccess.h>
+ 
++#ifdef CONFIG_RSBAC
++#include <net/sock.h>
++#include <rsbac/hooks.h>
++#endif
+ 
+ long ext2_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
+ {
+@@ -25,6 +29,73 @@ long ext2_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
+ 	unsigned short rsv_window_size;
+ 	int ret;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_adf_request_t rsbac_request;
++	enum  rsbac_target_t rsbac_target = T_NONE;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	switch (cmd) {
++		case EXT2_IOC_GETFLAGS:
++		case EXT2_IOC_GETVERSION:
++			rsbac_request = R_GET_PERMISSIONS_DATA;
++			break;
++		case EXT2_IOC_SETFLAGS:
++		case EXT2_IOC_SETVERSION:
++			rsbac_request = R_MODIFY_PERMISSIONS_DATA;
++			break;
++		default:
++			rsbac_request = R_NONE;
++	}
++	if(S_ISSOCK(inode->i_mode)) {
++		if(SOCKET_I(inode)->ops
++				&& (SOCKET_I(inode)->ops->family == AF_UNIX)) {
++			rsbac_target = T_UNIXSOCK;
++			rsbac_target_id.unixsock.device = filp->f_dentry->d_sb->s_dev;
++			rsbac_target_id.unixsock.inode  = inode->i_ino;
++			rsbac_target_id.unixsock.dentry_p = filp->f_dentry;
++		}
++#ifdef CONFIG_RSBAC_NET_OBJ
++		else {
++			rsbac_target = T_NETOBJ;
++			rsbac_target_id.netobj.sock_p
++				= SOCKET_I(inode);
++			rsbac_target_id.netobj.local_addr = NULL;
++			rsbac_target_id.netobj.local_len = 0;
++			rsbac_target_id.netobj.remote_addr = NULL;
++			rsbac_target_id.netobj.remote_len = 0;
++		}
++#endif
++	}
++	else {
++		if (S_ISDIR(inode->i_mode))
++			rsbac_target = T_DIR;
++		else if (S_ISFIFO(inode->i_mode))
++			rsbac_target = T_FIFO;
++		else if (S_ISLNK(inode->i_mode))
++			rsbac_target = T_SYMLINK;
++		else
++			rsbac_target = T_FILE;
++		rsbac_target_id.file.device = filp->f_dentry->d_sb->s_dev;
++		rsbac_target_id.file.inode  = inode->i_ino;
++		rsbac_target_id.file.dentry_p = filp->f_dentry;
++	}
++	rsbac_attribute_value.ioctl_cmd = cmd;
++	if(   (rsbac_request != R_NONE)
++			&& !rsbac_adf_request(rsbac_request,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_ioctl_cmd,
++				rsbac_attribute_value))
++	{
++		return -EPERM;
++	}
++#endif
++
+ 	ext2_debug ("cmd = %u, arg = %lu\n", cmd, arg);
+ 
+ 	switch (cmd) {
+diff --git a/fs/ext2/namei.c b/fs/ext2/namei.c
+index 761fde8..360b78d 100644
+--- a/fs/ext2/namei.c
++++ b/fs/ext2/namei.c
+@@ -37,6 +37,8 @@
+ #include "acl.h"
+ #include "xip.h"
+ 
++#include <rsbac/hooks.h>
++
+ static inline int ext2_add_nondir(struct dentry *dentry, struct inode *inode)
+ {
+ 	int err = ext2_add_link(dentry, inode);
+@@ -280,6 +282,11 @@ static int ext2_unlink(struct inode * dir, struct dentry *dentry)
+ 	if (err)
+ 		goto out;
+ 
++#ifdef CONFIG_RSBAC_SECDEL
++	if (inode->i_nlink == 1)
++		rsbac_sec_del(dentry, TRUE);
++#endif
++
+ 	inode->i_ctime = dir->i_ctime;
+ 	inode_dec_link_count(inode);
+ 	err = 0;
+@@ -340,6 +347,12 @@ static int ext2_rename (struct inode * old_dir, struct dentry * old_dentry,
+ 		new_de = ext2_find_entry (new_dir, &new_dentry->d_name, &new_page);
+ 		if (!new_de)
+ 			goto out_dir;
++
++#ifdef CONFIG_RSBAC_SECDEL
++		if (new_inode->i_nlink == 1)
++			rsbac_sec_del(new_dentry, TRUE);
++#endif
++
+ 		ext2_set_link(new_dir, new_de, new_page, old_inode, 1);
+ 		new_inode->i_ctime = CURRENT_TIME_SEC;
+ 		if (dir_de)
+diff --git a/fs/ext3/ioctl.c b/fs/ext3/ioctl.c
+index ba1b54e..183b464 100644
+--- a/fs/ext3/ioctl.c
++++ b/fs/ext3/ioctl.c
+@@ -17,6 +17,11 @@
+ #include <linux/compat.h>
+ #include <asm/uaccess.h>
+ 
++#ifdef CONFIG_RSBAC
++#include <net/sock.h>
++#include <rsbac/hooks.h>
++#endif
++
+ long ext3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
+ {
+ 	struct inode *inode = filp->f_dentry->d_inode;
+@@ -24,6 +29,83 @@ long ext3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
+ 	unsigned int flags;
+ 	unsigned short rsv_window_size;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_adf_request_t rsbac_request;
++	enum  rsbac_target_t rsbac_target = T_NONE;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	switch (cmd) {
++#ifdef CONFIG_JBD_DEBUG
++		case EXT3_IOC_WAIT_FOR_READONLY:
++#endif
++		case EXT3_IOC_GETFLAGS:
++		case EXT3_IOC_GETVERSION:
++		case EXT3_IOC_GETVERSION_OLD:
++		case EXT3_IOC_GETRSVSZ:
++			rsbac_request = R_GET_PERMISSIONS_DATA;
++			break;
++		case EXT3_IOC_SETFLAGS:
++		case EXT3_IOC_SETVERSION:
++		case EXT3_IOC_SETVERSION_OLD:
++		case EXT3_IOC_SETRSVSZ:
++		case EXT3_IOC_GROUP_EXTEND:
++		case EXT3_IOC_GROUP_ADD:
++			rsbac_request = R_MODIFY_PERMISSIONS_DATA;
++			break;
++		default:
++			rsbac_request = R_NONE;
++	}
++	if(S_ISSOCK(inode->i_mode)) {
++		if(SOCKET_I(inode)->ops
++				&& (SOCKET_I(inode)->ops->family == AF_UNIX)) {
++			rsbac_target = T_UNIXSOCK;
++			rsbac_target_id.unixsock.device = filp->f_dentry->d_sb->s_dev;
++			rsbac_target_id.unixsock.inode  = inode->i_ino;
++			rsbac_target_id.unixsock.dentry_p = filp->f_dentry;
++
++		}
++#ifdef CONFIG_RSBAC_NET_OBJ
++		else {
++			rsbac_target = T_NETOBJ;
++			rsbac_target_id.netobj.sock_p
++				= SOCKET_I(inode);
++			rsbac_target_id.netobj.local_addr = NULL;
++			rsbac_target_id.netobj.local_len = 0;
++			rsbac_target_id.netobj.remote_addr = NULL;
++			rsbac_target_id.netobj.remote_len = 0;
++		}
++#endif
++	}
++	else {
++		if (S_ISDIR(inode->i_mode))
++			rsbac_target = T_DIR;
++		else if (S_ISFIFO(inode->i_mode))
++			rsbac_target = T_FIFO;
++		else if (S_ISLNK(inode->i_mode))
++			rsbac_target = T_SYMLINK;
++		else
++			rsbac_target = T_FILE;
++		rsbac_target_id.file.device = filp->f_dentry->d_sb->s_dev;
++		rsbac_target_id.file.inode  = inode->i_ino;
++		rsbac_target_id.file.dentry_p = filp->f_dentry;
++	}
++	rsbac_attribute_value.ioctl_cmd = cmd;
++	if(   (rsbac_request != R_NONE)
++			&& !rsbac_adf_request(rsbac_request,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_ioctl_cmd,
++				rsbac_attribute_value))
++	{
++		return -EPERM;
++	}
++#endif
++
+ 	ext3_debug ("cmd = %u, arg = %lu\n", cmd, arg);
+ 
+ 	switch (cmd) {
+diff --git a/fs/ext3/namei.c b/fs/ext3/namei.c
+index 642dc6d..8e142a0 100644
+--- a/fs/ext3/namei.c
++++ b/fs/ext3/namei.c
+@@ -42,6 +42,8 @@
+ #include "xattr.h"
+ #include "acl.h"
+ 
++#include <rsbac/hooks.h>
++
+ /*
+  * define how far ahead to read directories while searching them.
+  */
+@@ -2162,6 +2164,19 @@ static int ext3_unlink(struct inode * dir, struct dentry *dentry)
+ 
+ 	inode = dentry->d_inode;
+ 
++#ifdef CONFIG_RSBAC_SECDEL
++	if(inode->i_nlink == 1) {
++		ext3_journal_stop(handle);
++		rsbac_sec_del(dentry, TRUE);
++		handle = ext3_journal_start(dir, EXT3_DELETE_TRANS_BLOCKS(dir->i_sb));
++		if (IS_ERR(handle))
++			return PTR_ERR(handle);
++
++		if (IS_DIRSYNC(dir))
++			handle->h_sync = 1;
++	}
++#endif
++
+ 	retval = -EIO;
+ 	if (le32_to_cpu(de->inode) != inode->i_ino)
+ 		goto end_unlink;
+@@ -2412,6 +2427,22 @@ static int ext3_rename (struct inode * old_dir, struct dentry *old_dentry,
+ 		if (retval)
+ 			goto end_rename;
+ 	} else {
++
++#ifdef CONFIG_RSBAC_SECDEL
++	if (new_inode->i_nlink == 1) {
++			ext3_journal_stop(handle);
++			rsbac_sec_del(new_dentry, TRUE);
++			handle = ext3_journal_start(old_dir, 2 *
++					EXT3_DATA_TRANS_BLOCKS(old_dir->i_sb) +
++					EXT3_INDEX_EXTRA_TRANS_BLOCKS + 2);
++			if (IS_ERR(handle))
++				return PTR_ERR(handle);
++
++			if (IS_DIRSYNC(old_dir) || IS_DIRSYNC(new_dir))
++				handle->h_sync = 1;
++	}
++#endif
++
+ 		BUFFER_TRACE(new_bh, "get write access");
+ 		retval = ext3_journal_get_write_access(handle, new_bh);
+ 		if (retval)
+diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
+index ab25f57..ea4d853 100644
+--- a/fs/ext4/ioctl.c
++++ b/fs/ext4/ioctl.c
+@@ -18,6 +18,11 @@
+ #include "ext4_jbd2.h"
+ #include "ext4.h"
+ 
++#ifdef CONFIG_RSBAC
++#include <net/sock.h>
++#endif
++#include <rsbac/hooks.h>
++
+ long ext4_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
+ {
+ 	struct inode *inode = filp->f_dentry->d_inode;
+@@ -25,6 +30,77 @@ long ext4_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
+ 	struct ext4_inode_info *ei = EXT4_I(inode);
+ 	unsigned int flags;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_adf_request_t rsbac_request;
++	enum  rsbac_target_t rsbac_target = T_NONE;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++
++	rsbac_pr_debug(aef, "calling ADF\n");
++	switch (cmd) {
++		case EXT4_IOC_GETFLAGS:
++		case EXT4_IOC_GETVERSION:
++		case EXT4_IOC_GETVERSION_OLD:
++		case EXT4_IOC_GETRSVSZ:
++			rsbac_request = R_GET_PERMISSIONS_DATA;
++			break;
++		case EXT4_IOC_SETFLAGS:
++		case EXT4_IOC_SETVERSION:
++		case EXT4_IOC_SETVERSION_OLD:
++		case EXT4_IOC_SETRSVSZ:
++		case EXT4_IOC_GROUP_EXTEND:
++		case EXT4_IOC_GROUP_ADD:
++		case EXT4_IOC_MIGRATE:
++			rsbac_request = R_MODIFY_PERMISSIONS_DATA;
++			break;
++		default:
++			rsbac_request = R_NONE;
++	}
++	if(S_ISSOCK(inode->i_mode)) {
++		if(SOCKET_I(inode)->ops
++				&& (SOCKET_I(inode)->ops->family == AF_UNIX)) {
++			rsbac_target = T_UNIXSOCK;
++			rsbac_target_id.unixsock.device = filp->f_dentry->d_sb->s_dev;
++			rsbac_target_id.unixsock.inode  = inode->i_ino;
++			rsbac_target_id.unixsock.dentry_p = filp->f_dentry;
++		}
++#ifdef CONFIG_RSBAC_NET_OBJ
++		else {
++			rsbac_target = T_NETOBJ;
++			rsbac_target_id.netobj.sock_p
++				= SOCKET_I(inode);
++			rsbac_target_id.netobj.local_addr = NULL;
++			rsbac_target_id.netobj.local_len = 0;
++			rsbac_target_id.netobj.remote_addr = NULL;
++			rsbac_target_id.netobj.remote_len = 0;
++		}
++#endif
++		}
++	else {
++		if (S_ISDIR(inode->i_mode))
++			rsbac_target = T_DIR;
++		else if (S_ISFIFO(inode->i_mode))
++			rsbac_target = T_FIFO;
++		else if (S_ISLNK(inode->i_mode))
++			rsbac_target = T_SYMLINK;
++		else
++			rsbac_target = T_FILE;
++		rsbac_target_id.file.device = filp->f_dentry->d_sb->s_dev;
++		rsbac_target_id.file.inode  = inode->i_ino;
++		rsbac_target_id.file.dentry_p = filp->f_dentry;
++	}
++	rsbac_attribute_value.ioctl_cmd = cmd;
++	if(   (rsbac_request != R_NONE)
++		&& !rsbac_adf_request(rsbac_request,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_ioctl_cmd,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	ext4_debug("cmd = %u, arg = %lu\n", cmd, arg);
+ 
+ 	switch (cmd) {
+diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
+index aa4c782..cb8e4ab 100644
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -41,6 +41,9 @@
+ #include "acl.h"
+ 
+ #include <trace/events/ext4.h>
++
++#include <rsbac/hooks.h>
++
+ /*
+  * define how far ahead to read directories while searching them.
+  */
+@@ -2205,6 +2208,19 @@ static int ext4_unlink(struct inode *dir, struct dentry *dentry)
+ 
+ 	inode = dentry->d_inode;
+ 
++#ifdef CONFIG_RSBAC_SECDEL
++        if(inode->i_nlink == 1) {
++                ext4_journal_stop(handle);
++                rsbac_sec_del(dentry, TRUE);
++                handle = ext4_journal_start(dir, EXT4_DELETE_TRANS_BLOCKS(dir->i_sb));
++                if (IS_ERR(handle))
++                        return PTR_ERR(handle);
++
++                if (IS_DIRSYNC(dir))
++                        handle->h_sync = 1;
++        }
++#endif
++
+ 	retval = -EIO;
+ 	if (le32_to_cpu(de->inode) != inode->i_ino)
+ 		goto end_unlink;
+@@ -2462,6 +2478,21 @@ static int ext4_rename(struct inode *old_dir, struct dentry *old_dentry,
+ 		if (retval)
+ 			goto end_rename;
+ 	} else {
++
++#ifdef CONFIG_RSBAC_SECDEL
++		if(new_inode->i_nlink == 1) {
++			ext4_journal_stop(handle);
++			rsbac_sec_del(new_dentry, TRUE);
++			handle = ext4_journal_start(old_dir,
++					EXT4_DELETE_TRANS_BLOCKS(old_dir->i_sb));
++			if (IS_ERR(handle))
++				return PTR_ERR(handle);
++
++			if (IS_DIRSYNC(old_dir) || IS_DIRSYNC(new_dir))
++				handle->h_sync = 1;
++		}
++#endif
++
+ 		BUFFER_TRACE(new_bh, "get write access");
+ 		retval = ext4_journal_get_write_access(handle, new_bh);
+ 		if (retval)
+diff --git a/fs/fat/namei_msdos.c b/fs/fat/namei_msdos.c
+index 216b419..c021426 100644
+--- a/fs/fat/namei_msdos.c
++++ b/fs/fat/namei_msdos.c
+@@ -9,6 +9,7 @@
+ #include <linux/module.h>
+ #include <linux/time.h>
+ #include <linux/buffer_head.h>
++#include <rsbac/hooks.h>
+ #include "fat.h"
+ 
+ /* Characters that are undesirable in an MS-DOS file name */
+@@ -423,6 +424,9 @@ static int msdos_unlink(struct inode *dir, struct dentry *dentry)
+ 	clear_nlink(inode);
+ 	inode->i_ctime = CURRENT_TIME_SEC;
+ 	fat_detach(inode);
++#ifdef CONFIG_RSBAC_SECDEL
++        rsbac_sec_del(dentry, TRUE);
++#endif
+ out:
+ 	unlock_super(sb);
+ 	if (!err)
+@@ -516,6 +520,11 @@ static int do_msdos_rename(struct inode *old_dir, unsigned char *old_name,
+ 	}
+ 	new_dir->i_version++;
+ 
++#ifdef CONFIG_RSBAC_SECDEL
++        if (new_inode && (new_inode->i_nlink == 1))
++		rsbac_sec_del(new_dentry, TRUE);
++#endif
++
+ 	fat_detach(old_inode);
+ 	fat_attach(old_inode, new_i_pos);
+ 	if (is_hid)
+diff --git a/fs/fat/namei_vfat.c b/fs/fat/namei_vfat.c
+index a87a656..f11fd14 100644
+--- a/fs/fat/namei_vfat.c
++++ b/fs/fat/namei_vfat.c
+@@ -21,6 +21,7 @@
+ #include <linux/slab.h>
+ #include <linux/buffer_head.h>
+ #include <linux/namei.h>
++#include <rsbac/hooks.h>
+ #include "fat.h"
+ 
+ /*
+@@ -858,6 +859,10 @@ static int vfat_unlink(struct inode *dir, struct dentry *dentry)
+ 	if (err)
+ 		goto out;
+ 
++#ifdef CONFIG_RSBAC_SECDEL
++        rsbac_sec_del(dentry, TRUE);
++#endif
++
+ 	err = fat_remove_entries(dir, &sinfo);	/* and releases bh */
+ 	if (err)
+ 		goto out;
+@@ -954,6 +959,11 @@ static int vfat_rename(struct inode *old_dir, struct dentry *old_dentry,
+ 			if (err)
+ 				goto out;
+ 		}
++#ifdef CONFIG_RSBAC_SECDEL
++		else
++			if(new_inode->i_nlink == 1)
++				rsbac_sec_del(new_dentry, TRUE);
++#endif
+ 		new_i_pos = MSDOS_I(new_inode)->i_pos;
+ 		fat_detach(new_inode);
+ 	} else {
+diff --git a/fs/ioctl.c b/fs/ioctl.c
+index 1d9b9fc..9f55d27 100644
+--- a/fs/ioctl.c
++++ b/fs/ioctl.c
+@@ -18,6 +18,11 @@
+ 
+ #include <asm/ioctls.h>
+ 
++#ifdef CONFIG_RSBAC_IOCTL
++#include <net/sock.h>
++#endif
++#include <rsbac/hooks.h>
++
+ /* So that the fiemap access checks can't overflow on 32 bit machines. */
+ #define FIEMAP_MAX_EXTENTS	(UINT_MAX / sizeof(struct fiemap_extent))
+ 
+@@ -37,9 +42,78 @@ static long vfs_ioctl(struct file *filp, unsigned int cmd,
+ {
+ 	int error = -ENOTTY;
+ 
++#ifdef CONFIG_RSBAC_IOCTL
++	enum  rsbac_target_t rsbac_target;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!filp->f_op || !filp->f_op->unlocked_ioctl)
+ 		goto out;
+ 
++#ifdef CONFIG_RSBAC_IOCTL
++	if (S_ISBLK(filp->f_dentry->d_inode->i_mode)) {
++		rsbac_target = T_DEV;
++		rsbac_target_id.dev.type = D_block;
++		rsbac_target_id.dev.major = RSBAC_MAJOR(filp->f_dentry->d_inode->i_rdev);
++		rsbac_target_id.dev.minor = RSBAC_MINOR(filp->f_dentry->d_inode->i_rdev);
++	}
++	else
++		if (S_ISCHR(filp->f_dentry->d_inode->i_mode)) {
++			rsbac_target = T_DEV;
++			rsbac_target_id.dev.type = D_char;
++			rsbac_target_id.dev.major = RSBAC_MAJOR(filp->f_dentry->d_inode->i_rdev);
++			rsbac_target_id.dev.minor = RSBAC_MINOR(filp->f_dentry->d_inode->i_rdev);
++		}
++		else
++			if (S_ISSOCK(filp->f_dentry->d_inode->i_mode)) {
++				if (   SOCKET_I(filp->f_dentry->d_inode)->ops
++						&& (SOCKET_I(filp->f_dentry->d_inode)->ops->family == AF_UNIX)
++				  ) {
++					if (filp->f_dentry->d_sb->s_magic == SOCKFS_MAGIC) {
++						rsbac_target = T_IPC;
++						rsbac_target_id.ipc.type = I_anonunix;
++						rsbac_target_id.ipc.id.id_nr = filp->f_dentry->d_inode->i_ino;
++					}
++					else {
++						rsbac_target = T_UNIXSOCK;
++						rsbac_target_id.unixsock.device = filp->f_dentry->d_sb->s_dev;
++						rsbac_target_id.unixsock.inode  = filp->f_dentry->d_inode->i_ino;
++						rsbac_target_id.unixsock.dentry_p = filp->f_dentry;
++					}
++				}
++				else {
++#ifdef CONFIG_RSBAC_NET_OBJ
++					rsbac_target = T_NETOBJ;
++					rsbac_target_id.netobj.sock_p
++						= SOCKET_I(filp->f_dentry->d_inode);
++					rsbac_target_id.netobj.local_addr = NULL;
++					rsbac_target_id.netobj.local_len = 0;
++					rsbac_target_id.netobj.remote_addr = NULL;
++					rsbac_target_id.netobj.remote_len = 0;
++#else
++					rsbac_target = T_NONE;
++#endif
++				}
++			}
++			else
++				rsbac_target = T_NONE;
++	if (rsbac_target != T_NONE) {
++		rsbac_pr_debug(aef, "[sys_ioctl()]: calling ADF\n");
++		rsbac_attribute_value.ioctl_cmd = cmd;
++		if (!rsbac_adf_request(R_IOCTL,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					A_ioctl_cmd,
++					rsbac_attribute_value))
++		{
++			error = -EPERM;
++			goto out;
++		}
++	}
++#endif
++
+ 	error = filp->f_op->unlocked_ioctl(filp, cmd, arg);
+ 	if (error == -ENOIOCTLCMD)
+ 		error = -EINVAL;
+diff --git a/fs/ioprio.c b/fs/ioprio.c
+index f79dab8..407775f 100644
+--- a/fs/ioprio.c
++++ b/fs/ioprio.c
+@@ -27,6 +27,7 @@
+ #include <linux/capability.h>
+ #include <linux/syscalls.h>
+ #include <linux/security.h>
++#include <rsbac/hooks.h>
+ #include <linux/pid_namespace.h>
+ 
+ int set_task_ioprio(struct task_struct *task, int ioprio)
+@@ -83,6 +84,26 @@ SYSCALL_DEFINE3(ioprio_set, int, which, int, who, int, ioprio)
+ 	struct pid *pgrp;
+ 	int ret;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.scd = ST_priority;
++	rsbac_attribute_value.priority = ioprio;
++
++	if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++				task_pid(current),
++				T_SCD,
++				rsbac_target_id,
++				A_priority,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	switch (class) {
+ 		case IOPRIO_CLASS_RT:
+ 			if (!capable(CAP_SYS_ADMIN))
+@@ -157,6 +178,26 @@ static int get_task_ioprio(struct task_struct *p)
+ {
+ 	int ret;
+ 
++#ifdef CONFIG_RSBAC
++        union rsbac_target_id_t rsbac_target_id;
++        union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC
++        rsbac_pr_debug(aef, "calling ADF\n");
++        rsbac_target_id.scd = ST_priority;
++        rsbac_attribute_value.dummy = 0;
++
++        if (!rsbac_adf_request(R_GET_STATUS_DATA,
++                                task_pid(current),
++                                T_SCD,
++                                rsbac_target_id,
++                                A_none,
++                                rsbac_attribute_value)) {
++                return -EPERM;
++        }
++#endif
++
+ 	ret = security_task_getioprio(p);
+ 	if (ret)
+ 		goto out;
+diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
+index 8267de5..0745111 100644
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -2171,6 +2171,11 @@ int jbd2_journal_file_inode(handle_t *handle, struct jbd2_inode *jinode)
+ 	if (is_handle_aborted(handle))
+ 		return -EIO;
+ 
++#ifdef CONFIG_RSBAC
++	if (!jinode)
++		return 0;
++#endif
++
+ 	jbd_debug(4, "Adding inode %lu, tid:%d\n", jinode->i_vfs_inode->i_ino,
+ 			transaction->t_tid);
+ 
+diff --git a/fs/jfs/namei.c b/fs/jfs/namei.c
+index a112ad9..bd126870 100644
+--- a/fs/jfs/namei.c
++++ b/fs/jfs/namei.c
+@@ -33,6 +33,8 @@
+ #include "jfs_acl.h"
+ #include "jfs_debug.h"
+ 
++#include <rsbac/hooks.h>
++
+ /*
+  * forward references
+  */
+@@ -495,6 +497,12 @@ static int jfs_unlink(struct inode *dip, struct dentry *dentry)
+ 	if ((rc = get_UCSname(&dname, dentry)))
+ 		goto out;
+ 
++	/* RSBAC jfs_unlink */
++#ifdef CONFIG_RSBAC_SECDEL
++	if(dentry->d_inode->i_nlink == 1)
++		rsbac_sec_del(dentry, TRUE);
++#endif
++
+ 	IWRITE_LOCK(ip, RDWRLOCK_NORMAL);
+ 
+ 	tid = txBegin(dip->i_sb, 0);
+@@ -1144,6 +1152,10 @@ static int jfs_rename(struct inode *old_dir, struct dentry *old_dentry,
+ 			goto out3;
+ 		}
+ 	} else if (new_ip) {
++#ifdef CONFIG_RSBAC_SECDEL
++		if (new_ip->i_nlink == 1)
++			rsbac_sec_del(new_dentry, TRUE);
++#endif
+ 		IWRITE_LOCK(new_ip, RDWRLOCK_NORMAL);
+ 		/* Init inode for quota operations. */
+ 		dquot_initialize(new_ip);
+diff --git a/fs/locks.c b/fs/locks.c
+index 0d68f1f..eddc3d9 100644
+--- a/fs/locks.c
++++ b/fs/locks.c
+@@ -129,6 +129,8 @@
+ 
+ #include <asm/uaccess.h>
+ 
++#include <rsbac/hooks.h>
++
+ #define IS_POSIX(fl)	(fl->fl_flags & FL_POSIX)
+ #define IS_FLOCK(fl)	(fl->fl_flags & FL_FLOCK)
+ #define IS_LEASE(fl)	(fl->fl_flags & FL_LEASE)
+@@ -1640,6 +1642,12 @@ SYSCALL_DEFINE2(flock, unsigned int, fd, unsigned int, cmd)
+ 	int can_sleep, unlock;
+ 	int error;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	error = -EBADF;
+ 	filp = fget(fd);
+ 	if (!filp)
+@@ -1653,6 +1661,39 @@ SYSCALL_DEFINE2(flock, unsigned int, fd, unsigned int, cmd)
+ 	    !(filp->f_mode & (FMODE_READ|FMODE_WRITE)))
+ 		goto out_putf;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target = T_FILE;
++        rsbac_target_id.file.device = filp->f_dentry->d_sb->s_dev;
++        rsbac_target_id.file.inode  = filp->f_dentry->d_inode->i_ino;
++        rsbac_target_id.file.dentry_p = filp->f_dentry;
++	if (S_ISDIR(filp->f_dentry->d_inode->i_mode))
++		rsbac_target = T_DIR;
++	else if (S_ISFIFO(filp->f_dentry->d_inode->i_mode))
++		rsbac_target = T_FIFO;
++	else if (S_ISLNK(filp->f_dentry->d_inode->i_mode))
++		rsbac_target = T_SYMLINK;
++        else if (S_ISSOCK(filp->f_dentry->d_inode->i_mode)) {
++          if(filp->f_dentry->d_sb->s_magic == SOCKFS_MAGIC) {
++            rsbac_target = T_IPC;
++            rsbac_target_id.ipc.type = I_anonunix;
++            rsbac_target_id.ipc.id.id_nr = filp->f_dentry->d_inode->i_ino;
++          } else
++            rsbac_target = T_UNIXSOCK;
++        }
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_LOCK,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		error = -EPERM;
++		goto out_putf;
++	}
++#endif
++
+ 	error = flock_make_lock(filp, &lock, cmd);
+ 	if (error)
+ 		goto out_putf;
+@@ -1738,6 +1779,12 @@ int fcntl_getlk(struct file *filp, struct flock __user *l)
+ 	struct flock flock;
+ 	int error;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	error = -EFAULT;
+ 	if (copy_from_user(&flock, l, sizeof(flock)))
+ 		goto out;
+@@ -1749,6 +1796,33 @@ int fcntl_getlk(struct file *filp, struct flock __user *l)
+ 	if (error)
+ 		goto out;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[sys_fcntl()]: calling ADF\n");
++	rsbac_target = T_FILE;
++	if (S_ISDIR(filp->f_dentry->d_inode->i_mode))
++		rsbac_target = T_DIR;
++	else if (S_ISFIFO(filp->f_dentry->d_inode->i_mode))
++		rsbac_target = T_FIFO;
++	else if (S_ISLNK(filp->f_dentry->d_inode->i_mode))
++		rsbac_target = T_SYMLINK;
++	else if (S_ISSOCK(filp->f_dentry->d_inode->i_mode))
++		rsbac_target = T_UNIXSOCK;
++	rsbac_target_id.file.device = filp->f_dentry->d_sb->s_dev;
++	rsbac_target_id.file.inode  = filp->f_dentry->d_inode->i_ino;
++	rsbac_target_id.file.dentry_p = filp->f_dentry;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		error = -EPERM;
++		goto out;
++	}
++#endif
++
+ 	error = vfs_test_lock(filp, &file_lock);
+ 	if (error)
+ 		goto out;
+@@ -1844,6 +1918,12 @@ int fcntl_setlk(unsigned int fd, struct file *filp, unsigned int cmd,
+ 	struct file *f;
+ 	int error;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (file_lock == NULL)
+ 		return -ENOLCK;
+ 
+@@ -1872,6 +1952,39 @@ again:
+ 		file_lock->fl_flags |= FL_SLEEP;
+ 	}
+ 	
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[sys_fcntl()]: calling ADF\n");
++	rsbac_target = T_FILE;
++	rsbac_target_id.file.device = filp->f_dentry->d_sb->s_dev;
++	rsbac_target_id.file.inode  = inode->i_ino;
++	rsbac_target_id.file.dentry_p = filp->f_dentry;
++	if (S_ISDIR(inode->i_mode))
++		rsbac_target = T_DIR;
++	else if (S_ISFIFO(inode->i_mode))
++		rsbac_target = T_FIFO;
++	else if (S_ISLNK(inode->i_mode))
++		rsbac_target = T_SYMLINK;
++	else if (S_ISSOCK(filp->f_dentry->d_inode->i_mode)) {
++		if(filp->f_dentry->d_sb->s_magic == SOCKFS_MAGIC) {
++			rsbac_target = T_IPC;
++			rsbac_target_id.ipc.type = I_anonunix;
++			rsbac_target_id.ipc.id.id_nr = filp->f_dentry->d_inode->i_ino;
++		} else
++			rsbac_target = T_UNIXSOCK;
++	}
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_LOCK,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		error = -EPERM;
++		goto out;
++	}
++#endif
++
+ 	error = -EBADF;
+ 	switch (flock.l_type) {
+ 	case F_RDLCK:
+@@ -1923,6 +2036,12 @@ int fcntl_getlk64(struct file *filp, struct flock64 __user *l)
+ 	struct flock64 flock;
+ 	int error;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	error = -EFAULT;
+ 	if (copy_from_user(&flock, l, sizeof(flock)))
+ 		goto out;
+@@ -1934,6 +2053,33 @@ int fcntl_getlk64(struct file *filp, struct flock64 __user *l)
+ 	if (error)
+ 		goto out;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[sys_fcntl()]: calling ADF\n");
++	rsbac_target = T_FILE;
++	if (S_ISDIR(filp->f_dentry->d_inode->i_mode))
++		rsbac_target = T_DIR;
++	else if (S_ISFIFO(filp->f_dentry->d_inode->i_mode))
++		rsbac_target = T_FIFO;
++	else if (S_ISLNK(filp->f_dentry->d_inode->i_mode))
++		rsbac_target = T_SYMLINK;
++	else if (S_ISSOCK(filp->f_dentry->d_inode->i_mode))
++		rsbac_target = T_UNIXSOCK;
++	rsbac_target_id.file.device = filp->f_dentry->d_sb->s_dev;
++	rsbac_target_id.file.inode  = filp->f_dentry->d_inode->i_ino;
++	rsbac_target_id.file.dentry_p = filp->f_dentry;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		error = -EPERM;
++		goto out;
++	}
++#endif
++
+ 	error = vfs_test_lock(filp, &file_lock);
+ 	if (error)
+ 		goto out;
+@@ -1962,6 +2108,12 @@ int fcntl_setlk64(unsigned int fd, struct file *filp, unsigned int cmd,
+ 	struct file *f;
+ 	int error;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (file_lock == NULL)
+ 		return -ENOLCK;
+ 
+@@ -2007,6 +2159,39 @@ again:
+ 		goto out;
+ 	}
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[sys_fcntl()]: calling ADF\n");
++	rsbac_target = T_FILE;
++	rsbac_target_id.file.device = filp->f_dentry->d_sb->s_dev;
++	rsbac_target_id.file.inode  = inode->i_ino;
++	rsbac_target_id.file.dentry_p = filp->f_dentry;
++	if (S_ISDIR(inode->i_mode))
++		rsbac_target = T_DIR;
++	else if (S_ISFIFO(inode->i_mode))
++		rsbac_target = T_FIFO;
++	else if (S_ISLNK(inode->i_mode))
++		rsbac_target = T_SYMLINK;
++	else if (S_ISSOCK(filp->f_dentry->d_inode->i_mode)) {
++		if(filp->f_dentry->d_sb->s_magic == SOCKFS_MAGIC) {
++			rsbac_target = T_IPC;
++			rsbac_target_id.ipc.type = I_anonunix;
++			rsbac_target_id.ipc.id.id_nr = filp->f_dentry->d_inode->i_ino;
++		} else
++			rsbac_target = T_UNIXSOCK;
++	}
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_LOCK,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		error = -EPERM;
++		goto out;
++	}
++#endif
++
+ 	error = do_lock_file_wait(filp, cmd, file_lock);
+ 
+ 	/*
+diff --git a/fs/minix/namei.c b/fs/minix/namei.c
+index 6e6777f..99a755f 100644
+--- a/fs/minix/namei.c
++++ b/fs/minix/namei.c
+@@ -6,6 +6,8 @@
+ 
+ #include "minix.h"
+ 
++#include <rsbac/hooks.h>
++
+ static int add_nondir(struct dentry *dentry, struct inode *inode)
+ {
+ 	int err = minix_add_link(dentry, inode);
+@@ -157,6 +159,11 @@ static int minix_unlink(struct inode * dir, struct dentry *dentry)
+ 	if (err)
+ 		goto end_unlink;
+ 
++#ifdef CONFIG_RSBAC_SECDEL
++	if (inode->i_nlink == 1)
++		rsbac_sec_del(dentry, TRUE);
++#endif
++
+ 	inode->i_ctime = dir->i_ctime;
+ 	inode_dec_link_count(inode);
+ end_unlink:
+@@ -213,6 +220,12 @@ static int minix_rename(struct inode * old_dir, struct dentry *old_dentry,
+ 		new_de = minix_find_entry(new_dentry, &new_page);
+ 		if (!new_de)
+ 			goto out_dir;
++
++#ifdef CONFIG_RSBAC_SECDEL
++		if (new_inode->i_nlink == 1)
++			rsbac_sec_del(new_dentry, TRUE);
++#endif
++
+ 		minix_set_link(new_de, new_page, old_inode);
+ 		new_inode->i_ctime = CURRENT_TIME_SEC;
+ 		if (dir_de)
+diff --git a/fs/namei.c b/fs/namei.c
+index 9680cef..a1cb113 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -34,6 +34,7 @@
+ #include <linux/fs_struct.h>
+ #include <linux/posix_acl.h>
+ #include <asm/uaccess.h>
++#include <rsbac/hooks.h>
+ 
+ #include "internal.h"
+ 
+@@ -344,6 +345,11 @@ int inode_permission(struct inode *inode, int mask)
+ {
+ 	int retval;
+ 
++#ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE_FULL
++	if (rsbac_dac_disable)
++	  return 0;
++#endif
++
+ 	if (unlikely(mask & MAY_WRITE)) {
+ 		umode_t mode = inode->i_mode;
+ 
+@@ -630,6 +636,11 @@ follow_link(struct path *link, struct nameidata *nd, void **p)
+ 	int error;
+ 	struct dentry *dentry = link->dentry;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	BUG_ON(nd->flags & LOOKUP_RCU);
+ 
+ 	if (link->mnt == nd->path.mnt)
+@@ -653,14 +664,49 @@ follow_link(struct path *link, struct nameidata *nd, void **p)
+ 		return error;
+ 	}
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_target_id.dir.device = link->dentry->d_sb->s_dev;
++	rsbac_target_id.dir.inode  = link->dentry->d_inode->i_ino;
++	rsbac_target_id.dir.dentry_p = link->dentry;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_SEARCH,
++				task_pid(current),
++				T_SYMLINK,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++#ifdef CONFIG_RSBAC_FSOBJ_HIDE
++		error = -ENOENT;
++#else
++		error = -EPERM;
++#endif
++		*p = ERR_PTR(error); /* no ->put_link(), please */
++		path_put(&nd->path);
++		return error;
++	}
++#endif
++
+ 	nd->last_type = LAST_BIND;
+ 	*p = dentry->d_inode->i_op->follow_link(dentry, nd);
+ 	error = PTR_ERR(*p);
+ 	if (!IS_ERR(*p)) {
+ 		char *s = nd_get_link(nd);
+ 		error = 0;
+-		if (s)
++		if (s) {
++#ifdef CONFIG_RSBAC_SYM_REDIR
++			char * rsbac_name;
++
++			rsbac_name = rsbac_symlink_redirect(dentry->d_inode, s, PAGE_SIZE);
++			if (rsbac_name) {
++				error = __vfs_follow_link(nd, rsbac_name);
++				kfree(rsbac_name);
++			}
++			else
++#endif
+ 			error = __vfs_follow_link(nd, s);
++                }
++
+ 		else if (nd->last_type == LAST_BIND) {
+ 			nd->flags |= LOOKUP_JUMPED;
+ 			nd->inode = nd->path.dentry->d_inode;
+@@ -1386,6 +1432,11 @@ static int link_path_walk(const char *name, struct nameidata *nd)
+ 	struct path next;
+ 	int err;
+ 	
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t       rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	while (*name=='/')
+ 		name++;
+ 	if (!*name)
+@@ -1399,9 +1450,35 @@ static int link_path_walk(const char *name, struct nameidata *nd)
+ 		int type;
+ 
+ 		err = may_lookup(nd);
++#ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE_PART
++			if (rsbac_dac_part_disabled(nd->path.dentry))
++				err = 0;
++			else
++#endif
+  		if (err)
+ 			break;
+ 
++#ifdef CONFIG_RSBAC
++		rsbac_target_id.dir.device = nd->path.dentry->d_inode->i_sb->s_dev;
++		rsbac_target_id.dir.inode  = nd->path.dentry->d_inode->i_ino;
++		rsbac_target_id.dir.dentry_p = nd->path.dentry;
++		rsbac_attribute_value.dummy = 0;
++		if (!rsbac_adf_request(R_SEARCH,
++					task_pid(current),
++					T_DIR,
++					rsbac_target_id,
++					A_none,
++					rsbac_attribute_value))
++		{
++#ifdef CONFIG_RSBAC_FSOBJ_HIDE
++			err = -ENOENT;
++#else
++			err = -EPERM;
++#endif
++			break;
++		}
++#endif
++
+ 		this.name = name;
+ 		c = *(const unsigned char *)name;
+ 
+@@ -1464,6 +1541,24 @@ last_component:
+ 		return 0;
+ 	}
+ 	terminate_walk(nd);
++
++#ifdef CONFIG_RSBAC_FSOBJ_HIDE
++		rsbac_target_id.dir.device = nd->path.dentry->d_inode->i_sb->s_dev;
++		rsbac_target_id.dir.inode  = nd->path.dentry->d_inode->i_ino;
++		rsbac_target_id.dir.dentry_p = nd->path.dentry;
++		rsbac_attribute_value.dummy = 0;
++		if (!rsbac_adf_request(R_SEARCH,
++					task_pid(current),
++					T_DIR,
++					rsbac_target_id,
++					A_none,
++					rsbac_attribute_value))
++		{
++			path_put(&nd->path);
++			return -ENOENT;
++		}
++#endif
++
+ 	return err;
+ }
+ 
+@@ -1704,10 +1799,38 @@ static struct dentry *__lookup_hash(struct qstr *name,
+ 	struct dentry *dentry;
+ 	int err;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE_PART
++	if (rsbac_dac_part_disabled(base))
++		err = 0;
++	else
++#endif
++
+ 	err = inode_permission(inode, MAY_EXEC);
+ 	if (err)
+ 		return ERR_PTR(err);
+ 
++#ifdef CONFIG_RSBAC
++	if (inode->i_sb) {
++		rsbac_target_id.dir.device = inode->i_sb->s_dev;
++		rsbac_target_id.dir.inode  = inode->i_ino;
++		rsbac_target_id.dir.dentry_p = base;
++		rsbac_attribute_value.dummy = 0;
++		if (!rsbac_adf_request(R_SEARCH,
++					task_pid(current),
++					T_DIR,
++					rsbac_target_id,
++					A_none,
++					rsbac_attribute_value)) {
++			return ERR_PTR(-EPERM);
++		}
++	}
++#endif
++
+ 	/*
+ 	 * Don't bother with __d_lookup: callers are for creat as
+ 	 * well as unlink, so a lot of the time it would cost
+@@ -1805,6 +1928,97 @@ struct dentry *lookup_one_len(const char *name, struct dentry *base, int len)
+ 	return __lookup_hash(&this, base, NULL);
+ }
+ 
++/* RSBAC
++ * I hate to put new functions into this file, but even more I hate removing
++ * all statics from all the lookup helpers in here...
++ * Still, I need some form of RSBAC bypass for internal file access.
++ * Amon Ott <ao@...>
++ */
++#ifdef CONFIG_RSBAC
++static struct dentry *__rsbac_lookup_hash(struct qstr *name,
++		struct dentry *base, struct nameidata *nd)
++{
++	struct dentry *dentry;
++
++	/*
++	 * Don't bother with __d_lookup: callers are for creat as
++	 * well as unlink, so a lot of the time it would cost
++	 * a double lookup.
++	 */
++	dentry = d_lookup(base, name);
++
++	if (dentry && d_need_lookup(dentry)) {
++		/*
++		 * __lookup_hash is called with the parent dir's i_mutex already
++		 * held, so we are good to go here.
++		 */
++		dentry = d_inode_lookup(base, dentry, nd);
++		if (IS_ERR(dentry))
++			return dentry;
++	}
++
++	if (dentry && (dentry->d_flags & DCACHE_OP_REVALIDATE)) {
++		int status = d_revalidate(dentry, nd);
++		if (unlikely(status <= 0)) {
++			/*
++			 * The dentry failed validation.
++			 * If d_revalidate returned 0 attempt to invalidate
++			 * the dentry otherwise d_revalidate is asking us
++			 * to return a fail status.
++			 */
++			if (status < 0) {
++				dput(dentry);
++				return ERR_PTR(status);
++			} else if (!d_invalidate(dentry)) {
++				dput(dentry);
++				dentry = NULL;
++			}
++		}
++	}
++
++	if (!dentry)
++		dentry = d_alloc_and_lookup(base, name, nd);
++
++	return dentry;
++}
++
++struct dentry *rsbac_lookup_one_len(const char *name, struct dentry *base, int len)
++{
++	struct qstr this;
++	unsigned long hash;
++	unsigned int c;
++
++	WARN_ON_ONCE(!mutex_is_locked(&base->d_inode->i_mutex));
++
++	this.name = name;
++	this.len = len;
++	if (!len)
++		return ERR_PTR(-EACCES);
++
++	hash = init_name_hash();
++	while (len--) {
++		c = *(const unsigned char *)name++;
++		if (c == '/' || c == '\0')
++			return ERR_PTR(-EACCES);
++		hash = partial_name_hash(c, hash);
++	}
++	this.hash = end_name_hash(hash);
++	/*
++	 * See if the low-level filesystem might want
++	 * to use its own hash..
++	 */
++	if (base->d_flags & DCACHE_OP_HASH) {
++		int err = base->d_op->d_hash(base, base->d_inode, &this);
++		if (err < 0)
++			return ERR_PTR(err);
++	}
++
++	return __rsbac_lookup_hash(&this, base, NULL);
++}
++
++EXPORT_SYMBOL(rsbac_lookup_one_len);
++#endif
++
+ int user_path_at_empty(int dfd, const char __user *name, unsigned flags,
+ 		 struct path *path, int *empty)
+ {
+@@ -1897,6 +2111,11 @@ static int may_delete(struct inode *dir,struct dentry *victim,int isdir)
+ 	BUG_ON(victim->d_parent->d_inode != dir);
+ 	audit_inode_child(victim, dir);
+ 
++#ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE_PART
++	if (rsbac_dac_part_disabled(victim))
++		error = 0;
++	else
++#endif
+ 	error = inode_permission(dir, MAY_WRITE | MAY_EXEC);
+ 	if (error)
+ 		return error;
+@@ -1933,6 +2152,12 @@ static inline int may_create(struct inode *dir, struct dentry *child)
+ 		return -EEXIST;
+ 	if (IS_DEADDIR(dir))
+ 		return -ENOENT;
++
++#ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE_PART
++	if (rsbac_dac_part_disabled(child->d_parent))
++		return 0;
++	else
++#endif
+ 	return inode_permission(dir, MAY_WRITE | MAY_EXEC);
+ }
+ 
+@@ -1983,6 +2208,14 @@ int vfs_create(struct inode *dir, struct dentry *dentry, int mode,
+ {
+ 	int error = may_create(dir, dentry);
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target;
++	enum  rsbac_target_t rsbac_new_target;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (error)
+ 		return error;
+ 
+@@ -1993,9 +2226,50 @@ int vfs_create(struct inode *dir, struct dentry *dentry, int mode,
+ 	error = security_inode_create(dir, dentry, mode);
+ 	if (error)
+ 		return error;
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[open_namei() [filp_open() [do_open() [sys_open()]]]]: calling ADF\n");
++	rsbac_target = T_DIR;
++	rsbac_target_id.dir.device = dentry->d_sb->s_dev;
++	rsbac_target_id.dir.inode  = dir->i_ino;
++	rsbac_target_id.dir.dentry_p = dentry->d_parent;
++	rsbac_attribute_value.create_data.target = T_FILE;
++	rsbac_attribute_value.create_data.dentry_p = dentry;
++	rsbac_attribute_value.create_data.mode = mode;
++	rsbac_attribute_value.create_data.device = 0;
++	if (!rsbac_adf_request(R_CREATE,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_create_data,
++				rsbac_attribute_value))
++		return -EPERM;
++#endif
++
+ 	error = dir->i_op->create(dir, dentry, mode, nd);
+-	if (!error)
++	if (!error) {
+ 		fsnotify_create(dir, dentry);
++
++		/* RSBAC: notify ADF of new file */
++#ifdef CONFIG_RSBAC
++		rsbac_new_target = T_FILE;
++		rsbac_new_target_id.file.device = dentry->d_sb->s_dev;
++		rsbac_new_target_id.file.inode  = dentry->d_inode->i_ino;
++		rsbac_new_target_id.file.dentry_p = dentry;
++		if (rsbac_adf_set_attr(R_CREATE,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					rsbac_new_target,
++					rsbac_new_target_id,
++					A_create_data,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_WARNING
++					"vfs_create() [open_namei() [filp_open() [do_open() [sys_open()]]]]: rsbac_adf_set_attr() returned error");
++		}
++#endif
++
++	}
+ 	return error;
+ }
+ 
+@@ -2030,6 +2304,12 @@ static int may_open(struct path *path, int acc_mode, int flag)
+ 		break;
+ 	}
+ 
++#ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE_PART
++	if (rsbac_dac_part_disabled(dentry))
++		error = 0;
++	else
++#endif
++
+ 	error = inode_permission(inode, acc_mode);
+ 	if (error)
+ 		return error;
+@@ -2095,6 +2375,14 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+ 	struct file *filp;
+ 	int error;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_adf_request_t rsbac_adf_req = R_NONE;
++	enum  rsbac_target_t rsbac_target = T_NONE;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	nd->flags &= ~LOOKUP_PARENT;
+ 	nd->flags |= op->intent;
+ 
+@@ -2256,6 +2544,68 @@ common:
+ 	error = may_open(&nd->path, acc_mode, open_flag);
+ 	if (error)
+ 		goto exit;
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "do_last() [sys_open()]: calling ADF\n");
++	/* get target type and id clear */
++	if (S_ISBLK(nd->path.dentry->d_inode->i_mode) || S_ISCHR(nd->path.dentry->d_inode->i_mode)){
++		rsbac_target = T_DEV;
++		if (S_ISBLK(nd->path.dentry->d_inode->i_mode)) {
++			rsbac_target_id.dev.type = D_block;
++		}
++		else {
++			rsbac_target_id.dev.type = D_char;
++		}
++		rsbac_target_id.dev.major = RSBAC_MAJOR(nd->path.dentry->d_inode->i_rdev);
++		rsbac_target_id.dev.minor = RSBAC_MINOR(nd->path.dentry->d_inode->i_rdev);
++	}
++	else { /* must be file, dir or fifo */
++		if (S_ISDIR(nd->path.dentry->d_inode->i_mode))
++			rsbac_target = T_DIR;
++		else if (S_ISSOCK(nd->path.dentry->d_inode->i_mode))
++			rsbac_target = T_UNIXSOCK;
++		else if (S_ISFIFO(nd->path.dentry->d_inode->i_mode)) {
++			if (nd->path.dentry->d_inode->i_sb->s_magic != PIPEFS_MAGIC)
++				rsbac_target = T_FIFO;
++			else
++				rsbac_target = T_NONE;
++		}
++		else
++			rsbac_target = T_FILE;
++
++		rsbac_target_id.file.device = nd->path.dentry->d_inode->i_sb->s_dev;
++		rsbac_target_id.file.inode  = nd->path.dentry->d_inode->i_ino;
++		rsbac_target_id.file.dentry_p = nd->path.dentry;
++	}
++	/* determine request type */
++	rsbac_adf_req = R_NONE;
++	if (open_flag & O_APPEND)
++		rsbac_adf_req = R_APPEND_OPEN;
++	else
++		if ((open_flag & O_RDWR) || ((open_flag & O_WRONLY) && (open_flag & O_RDONLY)))
++			rsbac_adf_req = R_READ_WRITE_OPEN;
++		else
++			if (open_flag & O_WRONLY)
++				rsbac_adf_req = R_WRITE_OPEN;
++			else
++				if (rsbac_target == T_DIR)
++					rsbac_adf_req = R_READ;
++				else
++					rsbac_adf_req = R_READ_OPEN;
++	if ((rsbac_adf_req != R_NONE) && (rsbac_target != T_NONE)) {
++		rsbac_attribute_value.open_flag = open_flag;
++		if (!rsbac_adf_request(rsbac_adf_req,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					A_open_flag,
++					rsbac_attribute_value)) {
++			error = -EPERM;
++			goto exit;
++		}
++	}
++#endif
++
+ 	filp = nameidata_to_filp(nd);
+ 	if (!IS_ERR(filp)) {
+ 		error = ima_file_check(filp, op->acc_mode);
+@@ -2276,6 +2626,24 @@ common:
+ out:
+ 	if (want_write)
+ 		mnt_drop_write(nd->path.mnt);
++
++#ifdef CONFIG_RSBAC
++	if (!PTR_ERR(filp) && (rsbac_adf_req != R_NONE) && (rsbac_target != T_NONE)) {
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(rsbac_adf_req,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					A_open_flag,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_WARNING
++					"do_last() [sys_open()]: rsbac_adf_set_attr() returned error\n");
++		}
++	}
++#endif
++
+ 	path_put(&nd->path);
+ 	return filp;
+ 
+@@ -2295,6 +2663,10 @@ static struct file *path_openat(int dfd, const char *pathname,
+ 	struct file *filp;
+ 	struct path path;
+ 	int error;
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
+ 
+ 	filp = get_empty_filp();
+ 	if (!filp)
+@@ -2323,6 +2695,25 @@ static struct file *path_openat(int dfd, const char *pathname,
+ 			path_put(&nd->path);
+ 			filp = ERR_PTR(-ELOOP);
+ 			break;
++
++#ifdef CONFIG_RSBAC
++		rsbac_target_id.dir.device = path.dentry->d_sb->s_dev;
++		rsbac_target_id.dir.inode  = path.dentry->d_inode->i_ino;
++		rsbac_target_id.dir.dentry_p = path.dentry;
++		rsbac_attribute_value.dummy = 0;
++		if (!rsbac_adf_request(R_SEARCH,
++					task_pid(current),
++					T_SYMLINK,
++					rsbac_target_id,
++					A_none,
++					rsbac_attribute_value)) {
++			path_put_conditional(&path, nd);
++			path_put(&nd->path);
++			filp = ERR_PTR(-EPERM);
++			break;
++		}
++#endif
++
+ 		}
+ 		nd->flags |= LOOKUP_PARENT;
+ 		nd->flags &= ~(LOOKUP_OPEN|LOOKUP_CREATE|LOOKUP_EXCL);
+@@ -2450,6 +2841,13 @@ int vfs_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
+ {
+ 	int error = may_create(dir, dentry);
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	enum  rsbac_target_t rsbac_new_target;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (error)
+ 		return error;
+ 
+@@ -2468,9 +2866,56 @@ int vfs_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
+ 	if (error)
+ 		return error;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[sys_mknod()]: calling ADF\n");
++	rsbac_target_id.dir.device = dentry->d_sb->s_dev;
++	rsbac_target_id.dir.inode  = dir->i_ino;
++	rsbac_target_id.dir.dentry_p = dentry->d_parent;
++	rsbac_attribute_value.create_data.target = T_FILE;
++	rsbac_attribute_value.create_data.dentry_p = dentry;
++	rsbac_attribute_value.create_data.mode = mode;
++	rsbac_attribute_value.create_data.device = dev;
++	if (!rsbac_adf_request(R_CREATE,
++				task_pid(current),
++				T_DIR,
++				rsbac_target_id,
++				A_create_data,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	error = dir->i_op->mknod(dir, dentry, mode, dev);
+-	if (!error)
++	if (!error) {
+ 		fsnotify_create(dir, dentry);
++
++#ifdef CONFIG_RSBAC
++		if (S_ISFIFO(dentry->d_inode->i_mode))
++			rsbac_new_target = T_FIFO;
++		else
++			if (S_ISLNK(dentry->d_inode->i_mode))
++				rsbac_new_target = T_SYMLINK;
++			else
++				if (S_ISSOCK(dentry->d_inode->i_mode))
++					rsbac_new_target = T_UNIXSOCK;
++				else
++					rsbac_new_target = T_FILE;
++		rsbac_new_target_id.dir.device = dentry->d_sb->s_dev;
++		rsbac_new_target_id.dir.inode  = dentry->d_inode->i_ino;
++		rsbac_new_target_id.dir.dentry_p = dentry;
++		if (rsbac_adf_set_attr(R_CREATE,
++					task_pid(current),
++					T_DIR,
++					rsbac_target_id,
++					rsbac_new_target,
++					rsbac_new_target_id,
++					A_create_data,
++					rsbac_attribute_value))
++		{
++			rsbac_pr_debug(aef, "[do_mknod(), sys_mknod()]: rsbac_adf_set_attr() returned error");
++		}
++#endif
++	}
+ 	return error;
+ }
+ 
+@@ -2547,6 +2992,12 @@ int vfs_mkdir(struct inode *dir, struct dentry *dentry, int mode)
+ {
+ 	int error = may_create(dir, dentry);
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (error)
+ 		return error;
+ 
+@@ -2558,9 +3009,46 @@ int vfs_mkdir(struct inode *dir, struct dentry *dentry, int mode)
+ 	if (error)
+ 		return error;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[sys_mkdir()]: calling ADF\n");
++	rsbac_target_id.dir.device = dentry->d_sb->s_dev;
++	rsbac_target_id.dir.inode  = dir->i_ino;
++	rsbac_target_id.dir.dentry_p = dentry->d_parent;
++	rsbac_attribute_value.create_data.target = T_DIR;
++	rsbac_attribute_value.create_data.dentry_p = dentry;
++	rsbac_attribute_value.create_data.mode = mode;
++	rsbac_attribute_value.create_data.device = 0;
++	if (!rsbac_adf_request(R_CREATE,
++				task_pid(current),
++				T_DIR,
++				rsbac_target_id,
++				A_create_data,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	error = dir->i_op->mkdir(dir, dentry, mode);
+-	if (!error)
++	if (!error) {
+ 		fsnotify_mkdir(dir, dentry);
++
++#ifdef CONFIG_RSBAC
++		rsbac_new_target_id.dir.device = dentry->d_sb->s_dev;
++		rsbac_new_target_id.dir.inode  = dentry->d_inode->i_ino;
++		rsbac_new_target_id.dir.dentry_p = dentry;
++		if (rsbac_adf_set_attr(R_CREATE,
++					task_pid(current),
++					T_DIR,
++					rsbac_target_id,
++					T_DIR,
++					rsbac_new_target_id,
++					A_create_data,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_WARNING
++					"vfs_mkdir() [sys_mkdir()]: rsbac_adf_set_attr() returned error");
++		}
++#endif
++	}
+ 	return error;
+ }
+ 
+@@ -2625,6 +3113,12 @@ int vfs_rmdir(struct inode *dir, struct dentry *dentry)
+ {
+ 	int error = may_delete(dir, dentry, 1);
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (error)
+ 		return error;
+ 
+@@ -2632,6 +3126,24 @@ int vfs_rmdir(struct inode *dir, struct dentry *dentry)
+ 		return -EPERM;
+ 
+ 	dget(dentry);
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[do_rmdir() [sys_rmdir()]]: calling ADF\n");
++	rsbac_target_id.dir.device = dentry->d_sb->s_dev;
++	rsbac_target_id.dir.inode  = dentry->d_inode->i_ino;
++	rsbac_target_id.dir.dentry_p = dentry;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_DELETE,
++				task_pid(current),
++				T_DIR,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		dput(dentry);
++		return -EPERM;
++	}
++#endif
++
+ 	mutex_lock(&dentry->d_inode->i_mutex);
+ 
+ 	error = -EBUSY;
+@@ -2652,6 +3164,24 @@ int vfs_rmdir(struct inode *dir, struct dentry *dentry)
+ 
+ out:
+ 	mutex_unlock(&dentry->d_inode->i_mutex);
++
++#ifdef CONFIG_RSBAC
++	if (!error) {
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(R_DELETE,
++					task_pid(current),
++					T_DIR,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					A_none,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_WARNING
++					"vfs_rmdir() [do_rmdir() [sys_rmdir()]]: rsbac_adf_set_attr() returned error");
++		}
++	}
++#endif
++
+ 	dput(dentry);
+ 	if (!error)
+ 		d_delete(dentry);
+@@ -2720,6 +3250,13 @@ int vfs_unlink(struct inode *dir, struct dentry *dentry)
+ {
+ 	int error = may_delete(dir, dentry, 0);
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (error)
+ 		return error;
+ 
+@@ -2732,9 +3269,57 @@ int vfs_unlink(struct inode *dir, struct dentry *dentry)
+ 	else {
+ 		error = security_inode_unlink(dir, dentry);
+ 		if (!error) {
++#ifdef CONFIG_RSBAC
++			rsbac_pr_debug(aef, "[do_unlink() [sys_unlink()]]: calling ADF\n");
++			if (S_ISDIR(dentry->d_inode->i_mode))
++				rsbac_target = T_DIR;
++			else
++				if (S_ISFIFO(dentry->d_inode->i_mode))
++					rsbac_target = T_FIFO;
++				else
++					if (S_ISLNK(dentry->d_inode->i_mode))
++						rsbac_target = T_SYMLINK;
++					else
++						if (S_ISSOCK(dentry->d_inode->i_mode))
++							rsbac_target = T_UNIXSOCK;
++					else
++						rsbac_target = T_FILE;
++			rsbac_target_id.file.device = dentry->d_sb->s_dev;
++			rsbac_target_id.file.inode  = dentry->d_inode->i_ino;
++			rsbac_target_id.file.dentry_p = dentry;
++			rsbac_attribute_value.nlink = dentry->d_inode->i_nlink;
++			if (!rsbac_adf_request(R_DELETE,
++						task_pid(current),
++						rsbac_target,
++						rsbac_target_id,
++						A_nlink,
++						rsbac_attribute_value)) {
++				mutex_unlock(&dentry->d_inode->i_mutex);
++				return -EPERM;
++			}
++#endif
++
+ 			error = dir->i_op->unlink(dir, dentry);
+ 			if (!error)
+ 				dont_mount(dentry);
++
++#ifdef CONFIG_RSBAC
++			if (!error) {
++				rsbac_new_target_id.dummy = 0;
++				if (rsbac_adf_set_attr(R_DELETE,
++							task_pid(current),
++							rsbac_target,
++							rsbac_target_id,
++							T_NONE,
++							rsbac_new_target_id,
++							A_nlink,
++							rsbac_attribute_value))
++				{
++					rsbac_printk(KERN_WARNING
++							"vfs_unlink() [do_unlink() [sys_unlink()]]: rsbac_adf_set_attr() returned error\n");
++				}
++			}
++#endif
+ 		}
+ 	}
+ 	mutex_unlock(&dentry->d_inode->i_mutex);
+@@ -2829,6 +3414,12 @@ int vfs_symlink(struct inode *dir, struct dentry *dentry, const char *oldname)
+ {
+ 	int error = may_create(dir, dentry);
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (error)
+ 		return error;
+ 
+@@ -2839,9 +3430,46 @@ int vfs_symlink(struct inode *dir, struct dentry *dentry, const char *oldname)
+ 	if (error)
+ 		return error;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[do_symlink(), sys_symlink()]: calling ADF\n");
++	rsbac_target_id.dir.device = dentry->d_sb->s_dev;
++	rsbac_target_id.dir.inode  = dir->i_ino;
++	rsbac_target_id.dir.dentry_p = dentry->d_parent;
++	rsbac_attribute_value.create_data.target = T_SYMLINK;
++	rsbac_attribute_value.create_data.dentry_p = dentry;
++	rsbac_attribute_value.create_data.mode = 0;
++	rsbac_attribute_value.create_data.device = 0;
++	if (!rsbac_adf_request(R_CREATE,
++				task_pid(current),
++				T_DIR,
++				rsbac_target_id,
++				A_create_data,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	error = dir->i_op->symlink(dir, dentry, oldname);
+-	if (!error)
++	if (!error) {
+ 		fsnotify_create(dir, dentry);
++
++#ifdef CONFIG_RSBAC
++		rsbac_new_target_id.file.device = dentry->d_sb->s_dev;
++		rsbac_new_target_id.file.inode  = dentry->d_inode->i_ino;
++		rsbac_new_target_id.file.dentry_p = dentry;
++		if (rsbac_adf_set_attr(R_CREATE,
++					task_pid(current),
++					T_DIR,
++					rsbac_target_id,
++					T_SYMLINK,
++					rsbac_new_target_id,
++					A_create_data,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_WARNING
++					"vfs_symlink() [do_symlink(), sys_symlink()]: rsbac_adf_set_attr() returned error");
++		}
++#endif
++	}
+ 	return error;
+ }
+ 
+@@ -2890,6 +3518,12 @@ int vfs_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_de
+ 	struct inode *inode = old_dentry->d_inode;
+ 	int error;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!inode)
+ 		return -ENOENT;
+ 
+@@ -2914,6 +3548,31 @@ int vfs_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_de
+ 	if (error)
+ 		return error;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[do_link() [sys_link()]]: calling ADF\n");
++	rsbac_target = T_FILE;
++	if (S_ISDIR (old_dentry->d_inode->i_mode))
++		rsbac_target = T_DIR;
++	else if (S_ISFIFO (old_dentry->d_inode->i_mode))
++		rsbac_target = T_FIFO;
++	else if (S_ISLNK (old_dentry->d_inode->i_mode))
++		rsbac_target = T_SYMLINK;
++	else if (S_ISSOCK (old_dentry->d_inode->i_mode))
++		rsbac_target = T_UNIXSOCK;
++	rsbac_target_id.dir.device = old_dentry->d_sb->s_dev;
++	rsbac_target_id.dir.inode  = old_dentry->d_inode->i_ino;
++	rsbac_target_id.dir.dentry_p = old_dentry;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_LINK_HARD,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	mutex_lock(&inode->i_mutex);
+ 	/* Make sure we don't allow creating hardlink to an unlinked file */
+ 	if (inode->i_nlink == 0)
+@@ -3028,11 +3687,27 @@ static int vfs_rename_dir(struct inode *old_dir, struct dentry *old_dentry,
+ 	int error = 0;
+ 	struct inode *target = new_dentry->d_inode;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target;
++	enum  rsbac_target_t rsbac_target2 = T_NONE;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_target_id2;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++	union rsbac_attribute_value_t rsbac_attribute_value2;
++	rsbac_boolean_t target_exists = FALSE;
++#endif
++
+ 	/*
+ 	 * If we are going to change the parent - check write permissions,
+ 	 * we'll need to flip '..'.
+ 	 */
+ 	if (new_dir != old_dir) {
++#ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE_PART
++		if (rsbac_dac_part_disabled(old_dentry))
++			error = 0;
++		else
++#endif
+ 		error = inode_permission(old_dentry->d_inode, MAY_WRITE);
+ 		if (error)
+ 			return error;
+@@ -3042,6 +3717,72 @@ static int vfs_rename_dir(struct inode *old_dir, struct dentry *old_dentry,
+ 	if (error)
+ 		return error;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[vfs_rename_dir()]: calling ADF\n");
++	rsbac_target = T_FILE;
++	if (S_ISDIR(old_dentry->d_inode->i_mode))
++		rsbac_target = T_DIR;
++	else if (S_ISFIFO (old_dentry->d_inode->i_mode))
++		rsbac_target = T_FIFO;
++	else if (S_ISLNK (old_dentry->d_inode->i_mode))
++		rsbac_target = T_SYMLINK;
++	else if (S_ISSOCK (old_dentry->d_inode->i_mode))
++		rsbac_target = T_UNIXSOCK;
++	rsbac_target_id.file.device = old_dentry->d_sb->s_dev;
++	rsbac_target_id.file.inode  = old_dentry->d_inode->i_ino;
++	rsbac_target_id.file.dentry_p = old_dentry;
++	rsbac_attribute_value.new_dir_dentry_p = new_dentry->d_parent;
++	if (!rsbac_adf_request(R_RENAME,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_new_dir_dentry_p,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++	if (new_dir != old_dir) {
++		rsbac_pr_debug(aef, "[vfs_rename_dir()]: calling ADF for WRITE on new_dir\n");
++		rsbac_target_id2.dir.device = new_dentry->d_sb->s_dev;
++		rsbac_target_id2.dir.inode  = new_dir->i_ino;
++		rsbac_target_id2.dir.dentry_p = new_dentry->d_parent;
++		rsbac_attribute_value2.dummy = 0;
++		if (!rsbac_adf_request(R_WRITE,
++					task_pid(current),
++					T_DIR,
++					rsbac_target_id2,
++					A_none,
++					rsbac_attribute_value2)) {
++			return -EPERM;
++		}
++	}
++	if(new_dentry->d_inode)
++	{
++		target_exists = TRUE;
++		rsbac_pr_debug(aef, "[vfs_rename_dir()]: calling ADF for DELETE on existing target\n");
++		rsbac_target2 = T_FILE;
++		if (S_ISDIR(new_dentry->d_inode->i_mode))
++			rsbac_target2 = T_DIR;
++		else if (S_ISFIFO (new_dentry->d_inode->i_mode))
++			rsbac_target2 = T_FIFO;
++		else if (S_ISLNK (new_dentry->d_inode->i_mode))
++			rsbac_target2 = T_SYMLINK;
++		else if (S_ISSOCK (new_dentry->d_inode->i_mode))
++			rsbac_target2 = T_UNIXSOCK;
++		rsbac_target_id2.file.device = new_dentry->d_sb->s_dev;
++		rsbac_target_id2.file.inode  = new_dentry->d_inode->i_ino;
++		rsbac_target_id2.file.dentry_p = new_dentry;
++		rsbac_attribute_value2.nlink = new_dentry->d_inode->i_nlink;
++		if (!rsbac_adf_request(R_DELETE,
++					task_pid(current),
++					rsbac_target2,
++					rsbac_target_id2,
++					A_nlink,
++					rsbac_attribute_value2)) {
++			return -EPERM;
++		}
++	}
++#endif
++
+ 	dget(new_dentry);
+ 	if (target)
+ 		mutex_lock(&target->i_mutex);
+@@ -3063,24 +3804,140 @@ static int vfs_rename_dir(struct inode *old_dir, struct dentry *old_dentry,
+ out:
+ 	if (target)
+ 		mutex_unlock(&target->i_mutex);
++
++#ifdef CONFIG_RSBAC
++	if (!error && target_exists) {
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(R_DELETE,
++					task_pid(current),
++					rsbac_target2,
++					rsbac_target_id2,
++					T_NONE,
++					rsbac_new_target_id,
++					A_nlink,
++					rsbac_attribute_value2)) {
++			rsbac_printk(KERN_WARNING
++					"do_rename() [sys_rename()]: rsbac_adf_set_attr() for DELETE returned error\n");
++		}
++	}
++#endif
++
+ 	dput(new_dentry);
+-	if (!error)
++	if (!error) {
+ 		if (!(old_dir->i_sb->s_type->fs_flags & FS_RENAME_DOES_D_MOVE))
+ 			d_move(old_dentry,new_dentry);
++
++#ifdef CONFIG_RSBAC
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(R_RENAME,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					A_new_dir_dentry_p,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_WARNING
++				"do_rename() [sys_rename()]: rsbac_adf_set_attr() for RENAME returned error\n");
++		}
++#endif
++
++	}
+ 	return error;
+ }
+ 
+ static int vfs_rename_other(struct inode *old_dir, struct dentry *old_dentry,
+ 			    struct inode *new_dir, struct dentry *new_dentry)
+ {
+-	struct inode *target = new_dentry->d_inode;
++	struct inode *target;
+ 	int error;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target;
++	enum  rsbac_target_t rsbac_target2 = T_NONE;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_target_id2;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++	union rsbac_attribute_value_t rsbac_attribute_value2;
++	rsbac_boolean_t target_exists = FALSE;
++#endif
++
+ 	error = security_inode_rename(old_dir, old_dentry, new_dir, new_dentry);
+ 	if (error)
+ 		return error;
+ 
+ 	dget(new_dentry);
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[sys_rename()]: calling ADF\n");
++	rsbac_target = T_FILE;
++	if (S_ISDIR(old_dentry->d_inode->i_mode))
++		rsbac_target = T_DIR;
++	else if (S_ISFIFO (old_dentry->d_inode->i_mode))
++		rsbac_target = T_FIFO;
++	else if (S_ISLNK (old_dentry->d_inode->i_mode))
++		rsbac_target = T_SYMLINK;
++	else if (S_ISSOCK (old_dentry->d_inode->i_mode))
++		rsbac_target = T_UNIXSOCK;
++	rsbac_target_id.file.device = old_dentry->d_sb->s_dev;
++	rsbac_target_id.file.inode  = old_dentry->d_inode->i_ino;
++	rsbac_target_id.file.dentry_p = old_dentry;
++	rsbac_attribute_value.new_dir_dentry_p = new_dentry->d_parent;
++	if (!rsbac_adf_request(R_RENAME,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_new_dir_dentry_p,
++				rsbac_attribute_value)) {
++		dput(new_dentry);
++		return -EPERM;
++	}
++	if (new_dir != old_dir) {
++		rsbac_pr_debug(aef, "[sys_rename()]: calling ADF for WRITE on new_dir\n");
++		rsbac_target_id2.dir.device = new_dentry->d_sb->s_dev;
++		rsbac_target_id2.dir.inode  = new_dir->i_ino;
++		rsbac_target_id2.dir.dentry_p = new_dentry->d_parent;
++		rsbac_attribute_value2.dummy = 0;
++		if (!rsbac_adf_request(R_WRITE,
++					task_pid(current),
++					T_DIR,
++					rsbac_target_id2,
++					A_none,
++					rsbac_attribute_value2)) {
++			dput(new_dentry);
++			return -EPERM;
++		}
++	}
++	if(new_dentry->d_inode) {
++		target_exists = TRUE;
++		rsbac_pr_debug(aef, "[sys_rename()]: calling ADF for DELETE on existing target\n");
++		rsbac_target2 = T_FILE;
++		if (S_ISDIR(new_dentry->d_inode->i_mode))
++			rsbac_target2 = T_DIR;
++		else if (S_ISFIFO (new_dentry->d_inode->i_mode))
++			rsbac_target2 = T_FIFO;
++		else if (S_ISLNK (new_dentry->d_inode->i_mode))
++			rsbac_target2 = T_SYMLINK;
++		else if (S_ISSOCK (new_dentry->d_inode->i_mode))
++			rsbac_target2 = T_UNIXSOCK;
++		rsbac_target_id2.file.device = new_dentry->d_sb->s_dev;
++		rsbac_target_id2.file.inode  = new_dentry->d_inode->i_ino;
++		rsbac_target_id2.file.dentry_p = new_dentry;
++		rsbac_attribute_value2.nlink = new_dentry->d_inode->i_nlink;
++		if (!rsbac_adf_request(R_DELETE,
++					task_pid(current),
++					rsbac_target2,
++					rsbac_target_id2,
++					A_nlink,
++					rsbac_attribute_value2)) {
++			dput(new_dentry);
++			return -EPERM;
++		}
++	}
++#endif
++
++	target = new_dentry->d_inode;
+ 	if (target)
+ 		mutex_lock(&target->i_mutex);
+ 
+@@ -3096,6 +3953,35 @@ static int vfs_rename_other(struct inode *old_dir, struct dentry *old_dentry,
+ 		dont_mount(new_dentry);
+ 	if (!(old_dir->i_sb->s_type->fs_flags & FS_RENAME_DOES_D_MOVE))
+ 		d_move(old_dentry, new_dentry);
++
++#ifdef CONFIG_RSBAC
++	rsbac_new_target_id.dummy = 0;
++	if (rsbac_adf_set_attr(R_RENAME,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				T_NONE,
++				rsbac_new_target_id,
++				A_new_dir_dentry_p,
++				rsbac_attribute_value)) {
++		rsbac_printk(KERN_WARNING
++				"do_rename() [sys_rename()]: rsbac_adf_set_attr() returned error");
++	}
++	if (target_exists) {
++		if (rsbac_adf_set_attr(R_DELETE,
++					task_pid(current),
++					rsbac_target2,
++					rsbac_target_id2,
++					T_NONE,
++					rsbac_new_target_id,
++					A_nlink,
++					rsbac_attribute_value2)) {
++			rsbac_printk(KERN_WARNING
++					"do_rename() [sys_rename()]: rsbac_adf_set_attr() returned error");
++		}
++	}
++#endif
++
+ out:
+ 	if (target)
+ 		mutex_unlock(&target->i_mutex);
+@@ -3243,6 +4129,9 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
+ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
+ {
+ 	int len;
++#ifdef CONFIG_RSBAC_SYM_REDIR
++	char * rsbac_name;
++#endif
+ 
+ 	len = PTR_ERR(link);
+ 	if (IS_ERR(link))
+@@ -3251,6 +4140,17 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
+ 	len = strlen(link);
+ 	if (len > (unsigned) buflen)
+ 		len = buflen;
++
++#ifdef CONFIG_RSBAC_SYM_REDIR
++	rsbac_name = rsbac_symlink_redirect(dentry->d_inode, link, buflen);
++	if (rsbac_name) {
++		len = strlen(rsbac_name);
++		if (copy_to_user(buffer, rsbac_name, len))
++			len = -EFAULT;
++		kfree(rsbac_name);
++	}
++	else
++#endif
+ 	if (copy_to_user(buffer, link, len))
+ 		len = -EFAULT;
+ out:
+diff --git a/fs/namespace.c b/fs/namespace.c
+index cfc6d44..d8714b3 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -33,6 +33,7 @@
+ #include <linux/fsnotify.h>
+ #include <asm/uaccess.h>
+ #include <asm/unistd.h>
++#include <rsbac/hooks.h>
+ #include "pnode.h"
+ #include "internal.h"
+ 
+@@ -269,6 +270,13 @@ out_free_cache:
+  */
+ int __mnt_is_readonly(struct vfsmount *mnt)
+ {
++#ifdef CONFIG_RSBAC
++	/* HACK - Remove me when switching to full 2.6, pass over the vfsmount
++	 * in init_private_file() instead
++	 */
++	if(!mnt)
++		return 0;
++#endif
+ 	if (mnt->mnt_flags & MNT_READONLY)
+ 		return 1;
+ 	if (mnt->mnt_sb->s_flags & MS_RDONLY)
+@@ -333,6 +341,14 @@ int mnt_want_write(struct vfsmount *mnt)
+ {
+ 	int ret = 0;
+ 
++#ifdef CONFIG_RSBAC
++	/* HACK - Remove me when switching to full 2.6, pass over the vfsmount
++	 * in init_private_file() instead
++	 */
++	if(!mnt)
++		return 0;
++#endif
++
+ 	preempt_disable();
+ 	mnt_inc_writers(mnt);
+ 	/*
+@@ -411,6 +427,13 @@ EXPORT_SYMBOL_GPL(mnt_want_write_file);
+  */
+ void mnt_drop_write(struct vfsmount *mnt)
+ {
++#ifdef CONFIG_RSBAC
++	/* HACK - Remove me when switching to full 2.6, pass over the vfsmount
++	 * in init_private_file() instead
++	 */
++	if(!mnt)
++		return;
++#endif
+ 	preempt_disable();
+ 	mnt_dec_writers(mnt);
+ 	preempt_enable();
+@@ -696,6 +719,11 @@ vfs_kern_mount(struct file_system_type *type, int flags, const char *name, void
+ 	mnt->mnt_sb = root->d_sb;
+ 	mnt->mnt_mountpoint = mnt->mnt_root;
+ 	mnt->mnt_parent = mnt;
++
++#ifdef CONFIG_RSBAC
++	rsbac_mount(mnt);
++#endif
++
+ 	return mnt;
+ }
+ EXPORT_SYMBOL_GPL(vfs_kern_mount);
+@@ -1264,6 +1292,11 @@ static int do_umount(struct vfsmount *mnt, int flags)
+ 	int retval;
+ 	LIST_HEAD(umount_list);
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	retval = security_sb_umount(mnt, flags);
+ 	if (retval)
+ 		return retval;
+@@ -1294,6 +1327,46 @@ static int do_umount(struct vfsmount *mnt, int flags)
+ 			return -EAGAIN;
+ 	}
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF for DIR\n");
++	rsbac_target_id.dir.device = sb->s_root->d_sb->s_dev;
++	rsbac_target_id.dir.inode  = sb->s_root->d_inode->i_ino;
++	rsbac_target_id.dir.dentry_p = sb->s_root;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_UMOUNT,
++				task_pid(current),
++				T_DIR,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		return -EPERM;
++	}
++	rsbac_pr_debug(aef, "calling ADF for dev\n");
++	rsbac_target_id.dev.type = D_block;
++	rsbac_target_id.dev.major = RSBAC_MAJOR(sb->s_dev);
++	rsbac_target_id.dev.minor = RSBAC_MINOR(sb->s_dev);
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_UMOUNT,
++				task_pid(current),
++				T_DEV,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		return -EPERM;
++	}
++#endif
++
++        /* RSBAC: removing data structures for this fs from memory (not /) */
++#ifdef CONFIG_RSBAC
++	if ((mnt != current->fs->root.mnt) || (flags & MNT_DETACH)) {
++		rsbac_pr_debug(ds, "[sys_umount()]: calling rsbac_umount for Device %02u:%02u\n",
++				MAJOR(sb->s_dev), MINOR(sb->s_dev));
++		rsbac_umount(mnt);
++	}
++#endif
++
+ 	/*
+ 	 * If we may have to abort operations to get out of this
+ 	 * mount, and they will themselves hold resources we must
+@@ -1343,6 +1416,17 @@ static int do_umount(struct vfsmount *mnt, int flags)
+ 		retval = 0;
+ 	}
+ 	br_write_unlock(vfsmount_lock);
++
++#ifdef CONFIG_RSBAC
++	/* RSBAC: umount failed, so reread data structures for this fs from disk */
++	if(retval) {
++		rsbac_printk(KERN_WARNING
++				"do_umount() [sys_umount()]: umount failed -> calling rsbac_mount for Device %02u:%02u\n",
++				MAJOR(mnt->mnt_sb->s_dev),MINOR(mnt->mnt_sb->s_dev));
++		rsbac_mount(mnt);
++	}
++#endif
++
+ 	up_write(&namespace_sem);
+ 	release_mounts(&umount_list);
+ 	return retval;
+@@ -1751,6 +1835,13 @@ static int do_loopback(struct path *path, char *old_name,
+ 	struct path old_path;
+ 	struct vfsmount *mnt = NULL;
+ 	int err = mount_is_safe(path);
++
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target = T_NONE;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (err)
+ 		return err;
+ 	if (!old_name || !*old_name)
+@@ -1763,6 +1854,57 @@ static int do_loopback(struct path *path, char *old_name,
+ 	if (err)
+ 		goto out;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[do_loopback() [sys_mount()]]: calling ADF for DIR\n");
++	rsbac_target_id.dir.device = old_path.dentry->d_sb->s_dev;
++	rsbac_target_id.dir.inode  = old_path.dentry->d_inode->i_ino;
++	rsbac_target_id.dir.dentry_p = old_path.dentry;
++	rsbac_attribute_value.mode = recurse;
++	if (!rsbac_adf_request(R_MOUNT,
++				task_pid(current),
++				T_DIR,
++				rsbac_target_id,
++				A_mode,
++				rsbac_attribute_value))
++	{
++		err = -EPERM;
++		goto out2;
++	}
++	rsbac_pr_debug(aef, "[do_mount() [sys_mount()]]: calling ADF for DEV\n");
++	if(S_ISBLK(old_path.dentry->d_inode->i_mode))
++	{
++		rsbac_target = T_DEV;
++		rsbac_target_id.dev.type = D_block;
++		rsbac_target_id.dev.major = RSBAC_MAJOR(old_path.dentry->d_sb->s_dev);
++		rsbac_target_id.dev.minor = RSBAC_MINOR(old_path.dentry->d_sb->s_dev);
++	}
++	else
++		if(S_ISDIR(old_path.dentry->d_inode->i_mode))
++		{
++			rsbac_target = T_DIR;
++			rsbac_target_id.dir.device = old_path.dentry->d_sb->s_dev;
++			rsbac_target_id.dir.inode  = old_path.dentry->d_inode->i_ino;
++			rsbac_target_id.dir.dentry_p = old_path.dentry;
++		}
++		else
++		{
++			rsbac_target = T_FILE;
++			rsbac_target_id.file.device = old_path.dentry->d_sb->s_dev;
++			rsbac_target_id.file.inode  = old_path.dentry->d_inode->i_ino;
++			rsbac_target_id.file.dentry_p = old_path.dentry;
++		}
++	if (!rsbac_adf_request(R_MOUNT,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_mode,
++				rsbac_attribute_value))
++	{
++		err = -EPERM;
++		goto out2;
++	}
++#endif
++
+ 	err = -EINVAL;
+ 	if (IS_MNT_UNBINDABLE(old_path.mnt))
+ 		goto out2;
+@@ -1790,6 +1932,12 @@ out2:
+ 	release_mounts(&umount_list);
+ out:
+ 	path_put(&old_path);
++
++#ifdef CONFIG_RSBAC
++	if (!err)
++		rsbac_mount(mnt);
++#endif
++
+ 	return err;
+ }
+ 
+@@ -1821,6 +1969,11 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
+ 	int err;
+ 	struct super_block *sb = path->mnt->mnt_sb;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!capable(CAP_SYS_ADMIN))
+ 		return -EPERM;
+ 
+@@ -1834,6 +1987,34 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
+ 	if (err)
+ 		return err;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[do_mount() [sys_mount()]]: calling ADF for DIR\n");
++	rsbac_target_id.dir.device = path->dentry->d_sb->s_dev;
++	rsbac_target_id.dir.inode  = path->dentry->d_inode->i_ino;
++	rsbac_target_id.dir.dentry_p = path->dentry;
++	rsbac_attribute_value.mode = flags;
++	if (!rsbac_adf_request(R_MOUNT,
++				task_pid(current),
++				T_DIR,
++				rsbac_target_id,
++				A_mode,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++	rsbac_pr_debug(aef, "[do_mount() [sys_mount()]]: calling ADF for DEV\n");
++	rsbac_target_id.dev.type = D_block;
++	rsbac_target_id.dev.major = RSBAC_MAJOR(sb->s_dev);
++	rsbac_target_id.dev.minor = RSBAC_MINOR(sb->s_dev);
++	if (!rsbac_adf_request(R_MOUNT,
++				task_pid(current),
++				T_DEV,
++				rsbac_target_id,
++				A_mode,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	down_write(&sb->s_umount);
+ 	if (flags & MS_BIND)
+ 		err = change_mount_flags(path->mnt, flags);
+@@ -1869,6 +2050,12 @@ static int do_move_mount(struct path *path, char *old_name)
+ 	struct path old_path, parent_path;
+ 	struct vfsmount *p;
+ 	int err = 0;
++
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!capable(CAP_SYS_ADMIN))
+ 		return -EPERM;
+ 	if (!old_name || !*old_name)
+@@ -1881,6 +2068,61 @@ static int do_move_mount(struct path *path, char *old_name)
+ 	if (err < 0)
+ 		goto out;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[do_mount() [sys_mount()]]: calling ADF for UMOUNT on old DIR\n");
++	rsbac_target_id.dir.device = old_path.dentry->d_sb->s_dev;
++	rsbac_target_id.dir.inode  = old_path.dentry->d_inode->i_ino;
++	rsbac_target_id.dir.dentry_p = old_path.dentry;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_UMOUNT,
++				task_pid(current),
++				T_DIR,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))	{
++		err = -EPERM;
++		goto out1;
++	}
++	rsbac_pr_debug(aef, "[do_mount() [sys_mount()]]: calling ADF for MOUNT on new DIR\n");
++	rsbac_target_id.dir.device = path->dentry->d_sb->s_dev;
++	rsbac_target_id.dir.inode  = path->dentry->d_inode->i_ino;
++	rsbac_target_id.dir.dentry_p = path->dentry;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MOUNT,
++				task_pid(current),
++				T_DIR,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		err = -EPERM;
++		goto out1;
++	}
++	rsbac_pr_debug(aef, "[do_mount() [sys_mount()]]: calling ADF for UMOUNT on DEV\n");
++	rsbac_target_id.dev.type = D_block;
++	rsbac_target_id.dev.major = RSBAC_MAJOR(old_path.dentry->d_sb->s_dev);
++	rsbac_target_id.dev.minor = RSBAC_MINOR(old_path.dentry->d_sb->s_dev);
++	if (!rsbac_adf_request(R_UMOUNT,
++				task_pid(current),
++				T_DEV,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		err = -EPERM;
++		goto out1;
++	}
++	rsbac_pr_debug(aef, "[do_mount() [sys_mount()]]: calling ADF for MOUNT on DEV\n");
++	if (!rsbac_adf_request(R_MOUNT,
++				task_pid(current),
++				T_DEV,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		err = -EPERM;
++		goto out1;
++	}
++#endif
++
++
+ 	err = -EINVAL;
+ 	if (!check_mnt(path->mnt) || !check_mnt(old_path.mnt))
+ 		goto out1;
+@@ -1920,6 +2162,10 @@ static int do_move_mount(struct path *path, char *old_name)
+ 	if (err)
+ 		goto out1;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_mount(path->mnt);
++#endif
++
+ 	/* if the mount is moved, it should no longer be expire
+ 	 * automatically */
+ 	list_del_init(&old_path.mnt->mnt_expire);
+@@ -1978,12 +2224,50 @@ static int do_add_mount(struct vfsmount *newmnt, struct path *path, int mnt_flag
+ {
+ 	int err;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	mnt_flags &= ~(MNT_SHARED | MNT_WRITE_HOLD | MNT_INTERNAL);
+ 
+ 	err = lock_mount(path);
+ 	if (err)
+ 		return err;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[do_mount() [sys_mount()]]: calling ADF for DIR\n");
++	rsbac_target_id.dir.device = path->dentry->d_sb->s_dev;
++	rsbac_target_id.dir.inode  = path->dentry->d_inode->i_ino;
++	rsbac_target_id.dir.dentry_p = path->dentry;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MOUNT,
++				task_pid(current),
++				T_DIR,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		err = -EPERM;
++		goto unlock;
++	}
++	rsbac_pr_debug(aef, "[do_mount() [sys_mount()]]: calling ADF for DEV\n");
++	rsbac_target_id.dev.type = D_block;
++	rsbac_target_id.dev.major = RSBAC_MAJOR(newmnt->mnt_sb->s_dev);
++	rsbac_target_id.dev.minor = RSBAC_MINOR(newmnt->mnt_sb->s_dev);
++	rsbac_attribute_value.mode = mnt_flags;
++	if (!rsbac_adf_request(R_MOUNT,
++				task_pid(current),
++				T_DEV,
++				rsbac_target_id,
++				A_mode,
++				rsbac_attribute_value))
++	{
++		err = -EPERM;
++		goto unlock;
++	}
++#endif
++
+ 	err = -EINVAL;
+ 	if (!(mnt_flags & MNT_SHRINKABLE) && !check_mnt(path->mnt))
+ 		goto unlock;
+@@ -2590,6 +2874,11 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
+ 	struct path new, old, parent_path, root_parent, root;
+ 	int error;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!capable(CAP_SYS_ADMIN))
+ 		return -EPERM;
+ 
+@@ -2610,6 +2899,42 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
+ 	if (error)
+ 		goto out3;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF for MOUNT on put_old\n");
++	rsbac_target_id.dir.device = old.dentry->d_sb->s_dev;
++	rsbac_target_id.dir.inode  = old.dentry->d_inode->i_ino;
++	rsbac_target_id.dir.dentry_p = old.dentry;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MOUNT,
++				task_pid(current),
++				T_DIR,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		error = -EPERM;
++		goto out4;
++	}
++	rsbac_pr_debug(aef, "calling ADF for MOUNT on root DIR\n");
++	rsbac_target_id.dir.device = current->fs->root.mnt->mnt_sb->s_dev;
++	rsbac_target_id.dir.inode  = current->fs->root.dentry->d_inode->i_ino;
++	rsbac_target_id.dir.dentry_p = current->fs->root.dentry;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MOUNT,
++				task_pid(current),
++				T_DIR,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		error = -EPERM;
++		goto out4;
++	}
++
++	/* Make the new root's cached rsbac.dat dentry be put to free the old root's dcache */
++	rsbac_free_dat_dentries();
++#endif
++
+ 	error = -EINVAL;
+ 	if (IS_MNT_SHARED(old.mnt) ||
+ 		IS_MNT_SHARED(new.mnt->mnt_parent) ||
+@@ -2686,6 +3011,10 @@ static void __init init_mount_tree(void)
+ 	if (IS_ERR(mnt))
+ 		panic("Can't create rootfs");
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_mount(mnt);
++#endif
++
+ 	ns = create_mnt_ns(mnt);
+ 	if (IS_ERR(ns))
+ 		panic("Can't allocate initial namespace");
+diff --git a/fs/open.c b/fs/open.c
+index 22c41b5..130c7ea 100644
+--- a/fs/open.c
++++ b/fs/open.c
+@@ -33,16 +33,51 @@
+ 
+ #include "internal.h"
+ 
++#ifdef CONFIG_RSBAC
++#include <net/sock.h>
++#endif
++#include <rsbac/hooks.h>
++
+ int do_truncate(struct dentry *dentry, loff_t length, unsigned int time_attrs,
+ 	struct file *filp)
+ {
+ 	int ret;
+ 	struct iattr newattrs;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#ifdef CONFIG_RSBAC_SECDEL
++	loff_t old_len = dentry->d_inode->i_size;
++#endif
++#endif
++
+ 	/* Not pretty: "inode->i_size" shouldn't really be signed. But it is. */
+ 	if (length < 0)
+ 		return -EINVAL;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[open_namei(), do_sys_truncate() [sys_truncate()]]: calling ADF\n");
++	rsbac_target_id.file.device = dentry->d_inode->i_sb->s_dev;
++	rsbac_target_id.file.inode  = dentry->d_inode->i_ino;
++	rsbac_target_id.file.dentry_p = dentry;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_TRUNCATE,
++				task_pid(current),
++				T_FILE,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
++	/* RSBAC: Overwrite truncated part, if asked by flag */
++#ifdef CONFIG_RSBAC_SECDEL
++	rsbac_sec_trunc(dentry, length, old_len);
++#endif
++
+ 	newattrs.ia_size = length;
+ 	newattrs.ia_valid = ATTR_SIZE | time_attrs;
+ 	if (filp) {
+@@ -58,6 +93,25 @@ int do_truncate(struct dentry *dentry, loff_t length, unsigned int time_attrs,
+ 	mutex_lock(&dentry->d_inode->i_mutex);
+ 	ret = notify_change(dentry, &newattrs);
+ 	mutex_unlock(&dentry->d_inode->i_mutex);
++
++#ifdef CONFIG_RSBAC
++	if (!ret) {
++		rsbac_pr_debug(aef, "[open_namei(), do_sys_truncate() [sys_truncate()]]: notifying ADF\n");
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(R_TRUNCATE,
++					task_pid(current),
++					T_FILE,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					A_none,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_WARNING
++					"do_truncate() [open_namei(), do_sys_truncate() [sys_truncate()]]: rsbac_adf_set_attr() returned error\n");
++		}
++	}
++#endif
++
+ 	return ret;
+ }
+ 
+@@ -85,6 +139,11 @@ static long do_sys_truncate(const char __user *pathname, loff_t length)
+ 	if (!S_ISREG(inode->i_mode))
+ 		goto dput_and_out;
+ 
++#ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE_PART
++        if (rsbac_dac_part_disabled(path.dentry))
++		error = 0;
++	else
++#endif
+ 	error = mnt_want_write(path.mnt);
+ 	if (error)
+ 		goto dput_and_out;
+@@ -218,6 +277,10 @@ int do_fallocate(struct file *file, int mode, loff_t offset, loff_t len)
+ {
+ 	struct inode *inode = file->f_path.dentry->d_inode;
+ 	long ret;
++#ifdef CONFIG_RSBAC_RW
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
+ 
+ 	if (offset < 0 || len <= 0)
+ 		return -EINVAL;
+@@ -249,6 +312,21 @@ int do_fallocate(struct file *file, int mode, loff_t offset, loff_t len)
+ 	if (ret)
+ 		return ret;
+ 
++#ifdef CONFIG_RSBAC_RW
++	rsbac_pr_debug(aef, "sys_fallocate(): calling ADF\n");
++	rsbac_target_id.file.device = inode->i_sb->s_dev;
++	rsbac_target_id.file.inode = inode->i_ino;
++	rsbac_target_id.file.dentry_p = file->f_path.dentry;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_WRITE,
++			task_pid(current),
++			T_FILE,
++			rsbac_target_id,
++			A_none,
++			rsbac_attribute_value))
++		return -EPERM;
++#endif
++
+ 	if (S_ISFIFO(inode->i_mode))
+ 		return -ESPIPE;
+ 
+@@ -304,6 +382,12 @@ SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode)
+ 	struct inode *inode;
+ 	int res;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (mode & ~S_IRWXO)	/* where's F_OK, X_OK, W_OK, R_OK? */
+ 		return -EINVAL;
+ 
+@@ -316,7 +400,11 @@ SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode)
+ 
+ 	if (!issecure(SECURE_NO_SETUID_FIXUP)) {
+ 		/* Clear the capabilities if we switch to a non-root user */
+-		if (override_cred->uid)
++		if (override_cred->uid
++#ifdef CONFIG_RSBAC_FAKE_ROOT_UID
++			&& !rsbac_uid_faked()
++#endif
++		)
+ 			cap_clear(override_cred->cap_effective);
+ 		else
+ 			override_cred->cap_effective =
+@@ -329,6 +417,32 @@ SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode)
+ 	if (res)
+ 		goto out;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target = T_FILE;
++	if (S_ISDIR(path.dentry->d_inode->i_mode))
++		rsbac_target = T_DIR;
++	else if (S_ISFIFO(path.dentry->d_inode->i_mode))
++		rsbac_target = T_FIFO;
++	else if (S_ISLNK(path.dentry->d_inode->i_mode))
++		rsbac_target = T_SYMLINK;
++	else if (S_ISSOCK(path.dentry->d_inode->i_mode))
++		rsbac_target = T_UNIXSOCK;
++	rsbac_target_id.file.device = path.dentry->d_inode->i_sb->s_dev;
++	rsbac_target_id.file.inode  = path.dentry->d_inode->i_ino;
++	rsbac_target_id.file.dentry_p = path.dentry;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_PERMISSIONS_DATA,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		res = -EPERM;
++		goto out_path_release;
++	}
++#endif
++
+ 	inode = path.dentry->d_inode;
+ 
+ 	if ((mode & MAY_EXEC) && S_ISREG(inode->i_mode)) {
+@@ -376,14 +490,41 @@ SYSCALL_DEFINE1(chdir, const char __user *, filename)
+ 	struct path path;
+ 	int error;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	error = user_path_dir(filename, &path);
+ 	if (error)
+ 		goto out;
+ 
++#ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE_PART
++	if (rsbac_dac_part_disabled(path.dentry))
++		error = 0;
++	else
++#endif
+ 	error = inode_permission(path.dentry->d_inode, MAY_EXEC | MAY_CHDIR);
+ 	if (error)
+ 		goto dput_and_out;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.dir.device = path.dentry->d_inode->i_sb->s_dev;
++	rsbac_target_id.dir.inode  = path.dentry->d_inode->i_ino;
++	rsbac_target_id.dir.dentry_p = path.dentry;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_CHDIR,
++				task_pid(current),
++				T_DIR,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		error = -EPERM;
++		goto dput_and_out;
++	}
++#endif
++
+ 	set_fs_pwd(current->fs, &path);
+ 
+ dput_and_out:
+@@ -398,6 +539,11 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd)
+ 	struct inode *inode;
+ 	int error;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	error = -EBADF;
+ 	file = fget(fd);
+ 	if (!file)
+@@ -409,7 +555,32 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd)
+ 	if (!S_ISDIR(inode->i_mode))
+ 		goto out_putf;
+ 
++#ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE_PART
++	if (rsbac_dac_part_disabled(file->f_path.dentry))
++		error = 0;
++	else
++#endif
++
+ 	error = inode_permission(inode, MAY_EXEC | MAY_CHDIR);
++
++#ifdef CONFIG_RSBAC
++	if (!error) {
++		rsbac_pr_debug(aef, "calling ADF\n");
++		rsbac_target_id.dir.device = inode->i_sb->s_dev;
++		rsbac_target_id.dir.inode  = inode->i_ino;
++		rsbac_target_id.dir.dentry_p = file->f_path.dentry;
++		rsbac_attribute_value.dummy = 0;
++		if (!rsbac_adf_request(R_CHDIR,
++					task_pid(current),
++					T_DIR,
++					rsbac_target_id,
++					A_none,
++					rsbac_attribute_value)) {
++			error = -EPERM;
++		}
++	}
++#endif
++
+ 	if (!error)
+ 		set_fs_pwd(current->fs, &file->f_path);
+ out_putf:
+@@ -423,10 +594,21 @@ SYSCALL_DEFINE1(chroot, const char __user *, filename)
+ 	struct path path;
+ 	int error;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	error = user_path_dir(filename, &path);
+ 	if (error)
+ 		goto out;
+ 
++#ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE_PART
++	if (rsbac_dac_part_disabled(path.dentry))
++		error = 0;
++	else
++#endif
++
+ 	error = inode_permission(path.dentry->d_inode, MAY_EXEC | MAY_CHDIR);
+ 	if (error)
+ 		goto dput_and_out;
+@@ -438,6 +620,23 @@ SYSCALL_DEFINE1(chroot, const char __user *, filename)
+ 	if (error)
+ 		goto dput_and_out;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.dir.device = path.dentry->d_inode->i_sb->s_dev;
++	rsbac_target_id.dir.inode  = path.dentry->d_inode->i_ino;
++	rsbac_target_id.dir.dentry_p = path.dentry;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_CHDIR,
++				task_pid(current),
++				T_DIR,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		error = -EPERM;
++		goto dput_and_out;
++	}
++#endif
++
+ 	set_fs_root(current->fs, &path);
+ 	error = 0;
+ dput_and_out:
+@@ -452,9 +651,50 @@ static int chmod_common(struct path *path, umode_t mode)
+ 	struct iattr newattrs;
+ 	int error;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	error = mnt_want_write(path->mnt);
+ 	if (error)
+ 		return error;
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target = T_FILE;
++	rsbac_target_id.file.device = inode->i_sb->s_dev;
++	rsbac_target_id.file.inode  = inode->i_ino;
++	rsbac_target_id.file.dentry_p = path->dentry;
++	if (S_ISDIR(inode->i_mode))
++		rsbac_target = T_DIR;
++	else if (S_ISFIFO(inode->i_mode))
++		rsbac_target = T_FIFO;
++	else if (S_ISLNK(inode->i_mode))
++		rsbac_target = T_SYMLINK;
++	else if (S_ISSOCK(inode->i_mode)) {
++		if(inode->i_sb->s_magic == SOCKFS_MAGIC) {
++			rsbac_target = T_IPC;
++			rsbac_target_id.ipc.type = I_anonunix;
++			rsbac_target_id.ipc.id.id_nr = inode->i_ino;
++		} else {
++			rsbac_target = T_UNIXSOCK;
++		}
++	}
++	rsbac_attribute_value.mode = mode;
++	if (!rsbac_adf_request(R_MODIFY_PERMISSIONS_DATA,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_mode,
++				rsbac_attribute_value))
++	{
++		mnt_drop_write(path->mnt);
++		return -EPERM;
++	}
++#endif
++
+ 	mutex_lock(&inode->i_mutex);
+ 	error = security_path_chmod(path->dentry, path->mnt, mode);
+ 	if (error)
+@@ -506,6 +746,37 @@ static int chown_common(struct path *path, uid_t user, gid_t group)
+ 	int error;
+ 	struct iattr newattrs;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[sys_*chown]: calling ADF\n");
++	rsbac_target = T_FILE;
++	if (S_ISDIR(inode->i_mode))
++		rsbac_target = T_DIR;
++	else if (S_ISFIFO(inode->i_mode))
++		rsbac_target = T_FIFO;
++	else if (S_ISLNK(inode->i_mode))
++		rsbac_target = T_SYMLINK;
++	else if (S_ISSOCK(inode->i_mode))
++		rsbac_target = T_UNIXSOCK;
++	rsbac_target_id.file.device = inode->i_sb->s_dev;
++	rsbac_target_id.file.inode  = inode->i_ino;
++	rsbac_target_id.file.dentry_p = path->dentry;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_CHANGE_OWNER,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	newattrs.ia_valid =  ATTR_CTIME;
+ 	if (user != (uid_t) -1) {
+ 		newattrs.ia_valid |= ATTR_UID;
+@@ -1042,11 +1313,92 @@ int filp_close(struct file *filp, fl_owner_t id)
+ {
+ 	int retval = 0;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target = T_NONE;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	enum  rsbac_attribute_t       rsbac_attribute = A_none;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!file_count(filp)) {
+ 		printk(KERN_ERR "VFS: Close: file count is 0\n");
+ 		return 0;
+ 	}
+ 
++#ifdef CONFIG_RSBAC
++	if (filp && filp->f_dentry && filp->f_dentry->d_inode) {
++		rsbac_pr_debug(aef, "[sys_close]: calling ADF\n");
++		rsbac_target = T_NONE;
++		if (S_ISBLK(filp->f_dentry->d_inode->i_mode)
++			|| S_ISCHR(filp->f_dentry->d_inode->i_mode)) {
++			rsbac_target = T_DEV;
++			if (S_ISBLK(filp->f_dentry->d_inode->i_mode)) {
++				rsbac_target_id.dev.type = D_block;
++			}
++			else {
++				rsbac_target_id.dev.type = D_char;
++			}
++			rsbac_target_id.dev.major = RSBAC_MAJOR(filp->f_dentry->d_inode->i_sb->s_dev);
++			rsbac_target_id.dev.minor = RSBAC_MINOR(filp->f_dentry->d_inode->i_sb->s_dev);
++			rsbac_attribute = A_f_mode;
++			rsbac_attribute_value.f_mode = filp->f_mode;
++		} else
++			if (S_ISSOCK(filp->f_dentry->d_inode->i_mode)) {
++				if (SOCKET_I(filp->f_dentry->d_inode)->ops
++					&& (SOCKET_I(filp->f_dentry->d_inode)->ops->family == AF_UNIX)) {
++					if (filp->f_dentry->d_sb->s_magic == SOCKFS_MAGIC) {
++						rsbac_target = T_IPC;
++						rsbac_target_id.ipc.type = I_anonunix;
++						rsbac_target_id.ipc.id.id_nr = filp->f_dentry->d_inode->i_ino;
++						rsbac_attribute = A_nlink;
++						rsbac_attribute_value.nlink = filp->f_dentry->d_inode->i_nlink;
++					} else {
++						rsbac_target = T_UNIXSOCK;
++						rsbac_target_id.unixsock.device = filp->f_dentry->d_sb->s_dev;
++						rsbac_target_id.unixsock.inode  = filp->f_dentry->d_inode->i_ino;
++						rsbac_target_id.unixsock.dentry_p = filp->f_dentry;
++						rsbac_attribute = A_f_mode;
++						rsbac_attribute_value.f_mode = filp->f_mode;
++					}
++				} else {
++					rsbac_target = T_NETOBJ;
++					rsbac_target_id.netobj.sock_p
++						= SOCKET_I(filp->f_dentry->d_inode);
++					rsbac_target_id.netobj.local_addr = NULL;
++					rsbac_target_id.netobj.local_len = 0;
++					rsbac_target_id.netobj.remote_addr = NULL;
++					rsbac_target_id.netobj.remote_len = 0;
++					rsbac_attribute = A_f_mode;
++					rsbac_attribute_value.f_mode = filp->f_mode;
++				}
++			} else { /* must be file, fifo or dir */
++				if (S_ISDIR(filp->f_dentry->d_inode->i_mode))
++					rsbac_target = T_DIR;
++				else if (S_ISFIFO(filp->f_dentry->d_inode->i_mode))
++					rsbac_target = T_FIFO;
++				else
++					rsbac_target = T_FILE;
++				rsbac_target_id.file.device = filp->f_dentry->d_inode->i_sb->s_dev;
++				rsbac_target_id.file.inode  = filp->f_dentry->d_inode->i_ino;
++				rsbac_target_id.file.dentry_p = filp->f_dentry;
++				rsbac_attribute = A_f_mode;
++				rsbac_attribute_value.f_mode = filp->f_mode;
++			}
++		if ((rsbac_target != T_NONE) && !rsbac_adf_request(R_CLOSE,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					rsbac_attribute,
++					rsbac_attribute_value))
++		{
++#ifdef CONFIG_RSBAC_ENFORCE_CLOSE
++			return -EPERM;
++#endif
++		}
++	}
++#endif
++
+ 	if (filp->f_op && filp->f_op->flush)
+ 		retval = filp->f_op->flush(filp, id);
+ 
+@@ -1054,6 +1406,26 @@ int filp_close(struct file *filp, fl_owner_t id)
+ 		dnotify_flush(filp, id);
+ 		locks_remove_posix(filp, id);
+ 	}
++
++#ifdef CONFIG_RSBAC
++	if (rsbac_target != T_NONE) {
++		rsbac_pr_debug(aef, "[sys_close]: notifying ADF\n");
++		rsbac_new_target_id.dummy = 0;
++		rsbac_attribute_value.f_mode = filp->f_mode;
++		if (rsbac_adf_set_attr(R_CLOSE,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					rsbac_attribute,
++					rsbac_attribute_value))	{
++			rsbac_printk(KERN_WARNING
++					"filp_close() [sys_close]: rsbac_adf_set_attr() returned error\n");
++		}
++	}
++#endif
++
+ 	fput(filp);
+ 	return retval;
+ }
+diff --git a/fs/pipe.c b/fs/pipe.c
+index 05ed5ca..ec9c835 100644
+--- a/fs/pipe.c
++++ b/fs/pipe.c
+@@ -24,6 +24,8 @@
+ #include <asm/uaccess.h>
+ #include <asm/ioctls.h>
+ 
++#include <rsbac/hooks.h>
++
+ /*
+  * The max size that a non-root user is allowed to grow the pipe. Can
+  * be set by root in /proc/sys/fs/pipe-max-size
+@@ -367,11 +369,33 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
+ 	struct iovec *iov = (struct iovec *)_iov;
+ 	size_t total_len;
+ 
++#ifdef CONFIG_RSBAC_RW
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	total_len = iov_length(iov, nr_segs);
+ 	/* Null read succeeds. */
+ 	if (unlikely(total_len == 0))
+ 		return 0;
+ 
++#ifdef CONFIG_RSBAC_RW
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.ipc.type = I_anonpipe;
++	rsbac_target_id.ipc.id.id_nr = inode->i_ino;
++	rsbac_attribute_value.dummy = 0;
++
++	if (!rsbac_adf_request(R_READ,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	do_wakeup = 0;
+ 	ret = 0;
+ 	mutex_lock(&inode->i_mutex);
+@@ -470,8 +494,26 @@ redo:
+ 		wake_up_interruptible_sync_poll(&pipe->wait, POLLOUT | POLLWRNORM);
+ 		kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT);
+ 	}
+-	if (ret > 0)
++	if (ret > 0) {
+ 		file_accessed(filp);
++
++#ifdef CONFIG_RSBAC_RW
++		rsbac_new_target_id.dummy = 0;
++
++		if (rsbac_adf_set_attr(R_READ,
++					task_pid(current),
++					T_IPC,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					A_none,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_WARNING
++					"pipe_readv(): rsbac_adf_set_attr() returned error\n");
++		}
++#endif
++
++	}
+ 	return ret;
+ }
+ 
+@@ -493,11 +535,33 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
+ 	size_t total_len;
+ 	ssize_t chars;
+ 
++#ifdef CONFIG_RSBAC_RW
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	total_len = iov_length(iov, nr_segs);
+ 	/* Null write succeeds. */
+ 	if (unlikely(total_len == 0))
+ 		return 0;
+ 
++#ifdef CONFIG_RSBAC_RW
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.ipc.type = I_anonpipe;
++	rsbac_target_id.ipc.id.id_nr = inode->i_ino;
++	rsbac_attribute_value.dummy = 0;
++
++	if (!rsbac_adf_request(R_WRITE,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	do_wakeup = 0;
+ 	ret = 0;
+ 	mutex_lock(&inode->i_mutex);
+@@ -653,8 +717,26 @@ out:
+ 		wake_up_interruptible_sync_poll(&pipe->wait, POLLIN | POLLRDNORM);
+ 		kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
+ 	}
+-	if (ret > 0)
++	if (ret > 0) {
+ 		file_update_time(filp);
++
++#ifdef CONFIG_RSBAC_RW
++		rsbac_new_target_id.dummy = 0;
++
++		if (rsbac_adf_set_attr(R_WRITE,
++					task_pid(current),
++					T_IPC,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					A_none,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_WARNING
++					"pipe_writev(): rsbac_adf_set_attr() returned error\n");
++		}
++#endif
++	}
++
+ 	return ret;
+ }
+ 
+@@ -740,7 +822,20 @@ pipe_release(struct inode *inode, int decr, int decw)
+ 	pipe->writers -= decw;
+ 
+ 	if (!pipe->readers && !pipe->writers) {
++
++#ifdef CONFIG_RSBAC
++		union rsbac_target_id_t rsbac_target_id;
++#endif
++
+ 		free_pipe_info(inode);
++
++#ifdef CONFIG_RSBAC
++		rsbac_pr_debug(aef, "calling ACI remove_target()\n");
++		rsbac_target_id.ipc.type = I_anonpipe;
++		rsbac_target_id.ipc.id.id_nr  = inode->i_ino;
++		rsbac_remove_target(T_IPC, rsbac_target_id);
++#endif
++
+ 	} else {
+ 		wake_up_interruptible_sync_poll(&pipe->wait, POLLIN | POLLOUT | POLLRDNORM | POLLWRNORM | POLLERR | POLLHUP);
+ 		kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
+@@ -757,10 +852,47 @@ pipe_read_fasync(int fd, struct file *filp, int on)
+ 	struct inode *inode = filp->f_path.dentry->d_inode;
+ 	int retval;
+ 
++#ifdef CONFIG_RSBAC_RW
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC_RW
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.ipc.type = I_anonpipe;
++	rsbac_target_id.ipc.id.id_nr = inode->i_ino;
++	rsbac_attribute_value.dummy = 0;
++
++	if (!rsbac_adf_request(R_READ,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	mutex_lock(&inode->i_mutex);
+ 	retval = fasync_helper(fd, filp, on, &inode->i_pipe->fasync_readers);
+ 	mutex_unlock(&inode->i_mutex);
+ 
++#ifdef CONFIG_RSBAC_RW
++	rsbac_new_target_id.dummy = 0;
++
++	if ((retval >= 0) && rsbac_adf_set_attr(R_READ,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				T_NONE,
++				rsbac_new_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		rsbac_printk(KERN_WARNING "pipe_read_fasync(): rsbac_adf_set_attr() returned error\n");
++	}
++#endif
++
+ 	return retval;
+ }
+ 
+@@ -771,10 +903,47 @@ pipe_write_fasync(int fd, struct file *filp, int on)
+ 	struct inode *inode = filp->f_path.dentry->d_inode;
+ 	int retval;
+ 
++#ifdef CONFIG_RSBAC_RW
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC_RW
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.ipc.type = I_anonpipe;
++	rsbac_target_id.ipc.id.id_nr = inode->i_ino;
++	rsbac_attribute_value.dummy = 0;
++
++	if (!rsbac_adf_request(R_WRITE,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	mutex_lock(&inode->i_mutex);
+ 	retval = fasync_helper(fd, filp, on, &inode->i_pipe->fasync_writers);
+ 	mutex_unlock(&inode->i_mutex);
+ 
++#ifdef CONFIG_RSBAC_RW
++	rsbac_new_target_id.dummy = 0;
++
++	if ((retval >= 0) && rsbac_adf_set_attr(R_WRITE,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				T_NONE,
++				rsbac_new_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		rsbac_printk(KERN_WARNING "pipe_write_fasync(): rsbac_adf_set_attr() returned error\n");
++	}
++#endif
++
+ 	return retval;
+ }
+ 
+@@ -786,6 +955,43 @@ pipe_rdwr_fasync(int fd, struct file *filp, int on)
+ 	struct pipe_inode_info *pipe = inode->i_pipe;
+ 	int retval;
+ 
++#ifdef CONFIG_RSBAC_RW
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC_RW
++	rsbac_pr_debug(aef, "calling ADF for READ\n");
++	rsbac_target_id.ipc.type = I_anonpipe;
++	rsbac_target_id.ipc.id.id_nr = inode->i_ino;
++	rsbac_attribute_value.dummy = 0;
++
++	if (!rsbac_adf_request(R_READ,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++
++	rsbac_pr_debug(aef, "calling ADF for WRITE\n");
++	rsbac_target_id.ipc.type = I_anonpipe;
++	rsbac_target_id.ipc.id.id_nr = inode->i_ino;
++	rsbac_attribute_value.dummy = 0;
++
++	if (!rsbac_adf_request(R_WRITE,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
++
+ 	mutex_lock(&inode->i_mutex);
+ 	retval = fasync_helper(fd, filp, on, &pipe->fasync_readers);
+ 	if (retval >= 0) {
+@@ -794,6 +1000,36 @@ pipe_rdwr_fasync(int fd, struct file *filp, int on)
+ 			fasync_helper(-1, filp, 0, &pipe->fasync_readers);
+ 	}
+ 	mutex_unlock(&inode->i_mutex);
++
++#ifdef CONFIG_RSBAC_RW
++	if (retval >= 0) {
++		rsbac_new_target_id.dummy = 0;
++
++		if (rsbac_adf_set_attr(R_READ,
++					task_pid(current),
++					T_IPC,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					A_none,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_WARNING
++					"pipe_rwdr_fasync(): rsbac_adf_set_attr() for READ returned error\n");
++		}
++		if (rsbac_adf_set_attr(R_WRITE,
++					task_pid(current),
++					T_IPC,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					A_none,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_WARNING
++					"pipe_rwdr_fasync(): rsbac_adf_set_attr() for WRITE returned error\n");
++		}
++	}
++#endif
++
+ 	return retval;
+ }
+ 
+@@ -825,6 +1061,28 @@ pipe_read_open(struct inode *inode, struct file *filp)
+ {
+ 	int ret = -ENOENT;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.ipc.type = I_anonpipe;
++	rsbac_target_id.ipc.id.id_nr = inode->i_ino;
++	rsbac_attribute_value.dummy = 0;
++
++	if (!rsbac_adf_request(R_READ_OPEN,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	mutex_lock(&inode->i_mutex);
+ 
+ 	if (inode->i_pipe) {
+@@ -834,6 +1092,21 @@ pipe_read_open(struct inode *inode, struct file *filp)
+ 
+ 	mutex_unlock(&inode->i_mutex);
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_new_target_id.dummy = 0;
++
++	if (!ret && rsbac_adf_set_attr(R_READ_OPEN,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				T_NONE,
++				rsbac_new_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		rsbac_printk(KERN_WARNING "pipe_read_open(): rsbac_adf_set_attr() returned error\n");
++	}
++#endif
++
+ 	return ret;
+ }
+ 
+@@ -842,6 +1115,28 @@ pipe_write_open(struct inode *inode, struct file *filp)
+ {
+ 	int ret = -ENOENT;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.ipc.type = I_anonpipe;
++	rsbac_target_id.ipc.id.id_nr = inode->i_ino;
++	rsbac_attribute_value.dummy = 0;
++
++	if (!rsbac_adf_request(R_WRITE_OPEN,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	mutex_lock(&inode->i_mutex);
+ 
+ 	if (inode->i_pipe) {
+@@ -851,6 +1146,21 @@ pipe_write_open(struct inode *inode, struct file *filp)
+ 
+ 	mutex_unlock(&inode->i_mutex);
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_new_target_id.dummy = 0;
++
++	if (!ret && rsbac_adf_set_attr(R_WRITE_OPEN,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				T_NONE,
++				rsbac_new_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		rsbac_printk(KERN_WARNING "pipe_write_open(): rsbac_adf_set_attr() returned error\n");
++	}
++#endif
++
+ 	return ret;
+ }
+ 
+@@ -859,6 +1169,29 @@ pipe_rdwr_open(struct inode *inode, struct file *filp)
+ {
+ 	int ret = -ENOENT;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.ipc.type = I_anonpipe;
++	rsbac_target_id.ipc.id.id_nr = inode->i_ino;
++	rsbac_attribute_value.dummy = 0;
++
++	if (!rsbac_adf_request(R_READ_WRITE_OPEN,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++
++#endif
++
+ 	mutex_lock(&inode->i_mutex);
+ 
+ 	if (inode->i_pipe) {
+@@ -871,6 +1204,22 @@ pipe_rdwr_open(struct inode *inode, struct file *filp)
+ 
+ 	mutex_unlock(&inode->i_mutex);
+ 
++#ifdef CONFIG_RSBAC
++	/* RSBAC: notify adf of read_write_open on pipe */
++	rsbac_new_target_id.dummy = 0;
++
++	if (!ret && rsbac_adf_set_attr(R_READ_WRITE_OPEN,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				T_NONE,
++				rsbac_new_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		rsbac_printk(KERN_WARNING "pipe_rdwr_open(): rsbac_adf_set_attr() returned error\n");
++	}
++#endif
++
+ 	return ret;
+ }
+ 
+@@ -1020,6 +1369,12 @@ struct file *create_write_pipe(int flags)
+ 	struct path path;
+ 	struct qstr name = { .name = "" };
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	err = -ENFILE;
+ 	inode = get_pipe_inode();
+ 	if (!inode)
+@@ -1042,6 +1397,23 @@ struct file *create_write_pipe(int flags)
+ 	f->f_flags = O_WRONLY | (flags & (O_NONBLOCK | O_DIRECT));
+ 	f->f_version = 0;
+ 
++#ifdef CONFIG_RSBAC
++        rsbac_target_id.ipc.type = I_anonpipe;
++	rsbac_target_id.ipc.id.id_nr = inode->i_ino;
++	rsbac_new_target_id.dummy = 0;
++	rsbac_attribute_value.dummy = 0;
++	if (rsbac_adf_set_attr(R_CREATE,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				T_NONE,
++				rsbac_new_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		rsbac_printk(KERN_WARNING
++				"do_pipe() [sys_pipe()]: rsbac_adf_set_attr() returned error");
++	}
++#endif
+ 	return f;
+ 
+  err_dentry:
+@@ -1083,9 +1455,29 @@ int do_pipe_flags(int *fd, int flags)
+ 	int error;
+ 	int fdw, fdr;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (flags & ~(O_CLOEXEC | O_NONBLOCK | O_DIRECT))
+ 		return -EINVAL;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[sys_pipe()]: calling ADF\n");
++	rsbac_target_id.ipc.type = I_anonpipe;
++	rsbac_target_id.ipc.id.id_nr = 0;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_CREATE,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	fw = create_write_pipe(flags);
+ 	if (IS_ERR(fw))
+ 		return PTR_ERR(fw);
+diff --git a/fs/proc/array.c b/fs/proc/array.c
+index 3a1dafd..d0c628b 100644
+--- a/fs/proc/array.c
++++ b/fs/proc/array.c
+@@ -85,6 +85,7 @@
+ #include <asm/pgtable.h>
+ #include <asm/processor.h>
+ #include "internal.h"
++#include <rsbac/hooks.h>
+ 
+ static inline void task_name(struct seq_file *m, struct task_struct *p)
+ {
+@@ -340,7 +341,31 @@ static void task_cpus_allowed(struct seq_file *m, struct task_struct *task)
+ int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
+ 			struct pid *pid, struct task_struct *task)
+ {
+-	struct mm_struct *mm = get_task_mm(task);
++	struct mm_struct *mm;
++
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rcu_read_lock();
++	rsbac_target_id.process = task_pid(task);
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		rcu_read_unlock();
++		return -EPERM;
++	}
++	rcu_read_unlock();
++#endif
++
++	mm = get_task_mm(task);
+ 
+ 	task_name(m, task);
+ 	task_state(m, ns, pid, task);
+@@ -378,6 +403,28 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
+ 	char tcomm[sizeof(task->comm)];
+ 	unsigned long flags;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rcu_read_lock();
++	rsbac_target_id.process = task_pid(task);
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))	{
++		rcu_read_unlock();
++		return -EPERM;
++	}
++	rcu_read_unlock();
++#endif
++
+ 	state = *get_task_state(task);
+ 	vsize = eip = esp = 0;
+ 	permitted = ptrace_may_access(task, PTRACE_MODE_READ);
+@@ -532,9 +579,32 @@ int proc_tgid_stat(struct seq_file *m, struct pid_namespace *ns,
+ int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
+ 			struct pid *pid, struct task_struct *task)
+ {
++
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
+ 	unsigned long size = 0, resident = 0, shared = 0, text = 0, data = 0;
+-	struct mm_struct *mm = get_task_mm(task);
++	struct mm_struct *mm;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rcu_read_lock();
++	rsbac_target_id.process = task_pid(task);
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		rcu_read_unlock();
++		return -EPERM;
++	}
++	rcu_read_unlock();
++#endif
++
++	mm = get_task_mm(task);
+ 	if (mm) {
+ 		size = task_statm(mm, &shared, &text, &data, &resident);
+ 		mmput(mm);
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index 1ace83d..a7d05a2 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -87,6 +87,7 @@
+ #include <asm/hardwall.h>
+ #endif
+ #include "internal.h"
++#include <rsbac/hooks.h>
+ 
+ /* NOTE:
+  *	Implementing inode permission operations in /proc is almost
+@@ -170,6 +171,29 @@ static int proc_cwd_link(struct inode *inode, struct path *path)
+ 	struct task_struct *task = get_proc_task(inode);
+ 	int result = -ENOENT;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++
++	if(!task)
++		return result;
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rcu_read_lock();
++	rsbac_target_id.process = proc_pid(inode);
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		put_task_struct(task);
++		rcu_read_unlock();
++		return -EPERM;
++	}
++	rcu_read_unlock();
++#endif
++
+ 	if (task) {
+ 		task_lock(task);
+ 		if (task->fs) {
+@@ -187,6 +211,31 @@ static int proc_root_link(struct inode *inode, struct path *path)
+ 	struct task_struct *task = get_proc_task(inode);
+ 	int result = -ENOENT;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC
++	if(!task)
++		return result;
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rcu_read_lock();
++	rsbac_target_id.process = task_pid(task);
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		put_task_struct(task);
++		rcu_read_unlock();
++		return -EPERM;
++	}
++	rcu_read_unlock();
++#endif
++
+ 	if (task) {
+ 		result = get_task_root(task, path);
+ 		put_task_struct(task);
+@@ -199,6 +248,11 @@ static struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
+ 	struct mm_struct *mm;
+ 	int err;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	err =  mutex_lock_killable(&task->signal->cred_guard_mutex);
+ 	if (err)
+ 		return ERR_PTR(err);
+@@ -211,6 +265,25 @@ static struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
+ 	}
+ 	mutex_unlock(&task->signal->cred_guard_mutex);
+ 
++#ifdef CONFIG_RSBAC
++	if (mm && !IS_ERR(mm)) {
++		rsbac_pr_debug(aef, "calling ADF\n");
++		rcu_read_lock();
++		rsbac_target_id.process = task_pid(task);
++		rsbac_attribute_value.dummy = 0;
++		if (!rsbac_adf_request(R_GET_STATUS_DATA,
++					task_pid(current),
++					T_PROCESS,
++					rsbac_target_id,
++					A_none,
++					rsbac_attribute_value)) {
++			mmput(mm);
++			mm = ERR_PTR(-EPERM);
++		}
++		rcu_read_unlock();
++	}
++#endif
++
+ 	return mm;
+ }
+ 
+@@ -224,11 +297,35 @@ static int proc_pid_cmdline(struct task_struct *task, char * buffer)
+ 	int res = 0;
+ 	unsigned int len;
+ 	struct mm_struct *mm = get_task_mm(task);
++
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!mm)
+ 		goto out;
+ 	if (!mm->arg_end)
+ 		goto out_mm;	/* Shh! No looking before we're done */
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rcu_read_lock();
++	rsbac_target_id.process = task_pid(task);
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		res = -EPERM;
++		rcu_read_unlock();
++		goto out_mm;
++	}
++	rcu_read_unlock();
++#endif
++
+  	len = mm->arg_end - mm->arg_start;
+  
+ 	if (len > PAGE_SIZE)
+@@ -260,6 +357,31 @@ static int proc_pid_auxv(struct task_struct *task, char *buffer)
+ {
+ 	struct mm_struct *mm = mm_for_maps(task);
+ 	int res = PTR_ERR(mm);
++
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rcu_read_lock();
++	rsbac_target_id.process = task_pid(task);
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		if (mm && !IS_ERR(mm))
++			mmput(mm);
++		rcu_read_unlock();
++		return -EPERM;
++	}
++	rcu_read_unlock();
++#endif
++
+ 	if (mm && !IS_ERR(mm)) {
+ 		unsigned int nwords = 0;
+ 		do {
+@@ -285,6 +407,28 @@ static int proc_pid_wchan(struct task_struct *task, char *buffer)
+ 	unsigned long wchan;
+ 	char symname[KSYM_NAME_LEN];
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rcu_read_lock();
++	rsbac_target_id.process = task_pid(task);
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		rcu_read_unlock();
++		return -EPERM;
++	}
++	rcu_read_unlock();
++#endif
++
+ 	wchan = get_wchan(task);
+ 
+ 	if (lookup_symbol_name(wchan, symname) < 0)
+@@ -357,6 +501,28 @@ static int proc_pid_stack(struct seq_file *m, struct pid_namespace *ns,
+  */
+ static int proc_pid_schedstat(struct task_struct *task, char *buffer)
+ {
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rcu_read_lock();
++	rsbac_target_id.process = task_pid(task);
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		rcu_read_unlock();
++		return -EPERM;
++	}
++	rcu_read_unlock();
++#endif
++
+ 	return sprintf(buffer, "%llu %llu %lu\n",
+ 			(unsigned long long)task->se.sum_exec_runtime,
+ 			(unsigned long long)task->sched_info.run_delay,
+@@ -428,6 +594,26 @@ static int proc_oom_score(struct task_struct *task, char *buffer)
+ {
+ 	unsigned long points = 0;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rcu_read_lock();
++	rsbac_target_id.process = task_pid(task);
++	rsbac_attribute_value.dummy = 0;
++	if(!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		rcu_read_unlock();
++		return -EPERM;
++	}
++	rcu_read_unlock();
++#endif
++
+ 	read_lock(&tasklist_lock);
+ 	if (pid_alive(task))
+ 		points = oom_badness(task, NULL, NULL,
+@@ -588,6 +774,31 @@ static int mounts_open_common(struct inode *inode, struct file *file,
+ 	struct proc_mounts *p;
+ 	int ret = -EINVAL;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC
++	if(!task)
++		return -EINVAL;
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rcu_read_lock();
++	rsbac_target_id.process = task_pid(task);
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		put_task_struct(task);
++		rcu_read_unlock();
++		return -EPERM;
++	}
++	rcu_read_unlock();
++#endif
++
+ 	if (task) {
+ 		rcu_read_lock();
+ 		nsp = task_nsproxy(task);
+@@ -797,9 +1008,39 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
+ 	ssize_t copied;
+ 	char *page;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_adf_request_t rsbac_adf_req = R_NONE;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++	struct task_struct *rsbac_task;
++#endif
++
+ 	if (!mm)
+ 		return 0;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_task = get_proc_task(file->f_path.dentry->d_inode);
++	if (!rsbac_task)
++	        return -ESRCH;
++        if (write)
++                rsbac_adf_req = R_MODIFY_SYSTEM_DATA;
++        else
++                rsbac_adf_req = R_GET_STATUS_DATA;
++	rsbac_target_id.process = task_pid(rsbac_task);
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(rsbac_adf_req,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++                put_task_struct(rsbac_task);
++		return -EPERM;
++	}
++	put_task_struct(rsbac_task);
++#endif
++
+ 	page = (char *)__get_free_page(GFP_TEMPORARY);
+ 	if (!page)
+ 		return -ENOMEM;
+@@ -894,9 +1135,29 @@ static ssize_t environ_read(struct file *file, char __user *buf,
+ 	int ret = -ESRCH;
+ 	struct mm_struct *mm;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!task)
+ 		goto out_no_task;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.process = task_pid(task);
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		ret = -EPERM;
++		goto out;
++	}
++#endif
++
+ 	ret = -ENOMEM;
+ 	page = (char *)__get_free_page(GFP_TEMPORARY);
+ 	if (!page)
+@@ -963,9 +1224,30 @@ static ssize_t oom_adjust_read(struct file *file, char __user *buf,
+ 	int oom_adjust = OOM_DISABLE;
+ 	unsigned long flags;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!task)
+ 		return -ESRCH;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.process = task_pid(task);
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		put_task_struct(task);
++		return -EPERM;
++	}
++#endif
++
++
+ 	if (lock_task_sighand(task, &flags)) {
+ 		oom_adjust = task->signal->oom_adj;
+ 		unlock_task_sighand(task, &flags);
+@@ -987,6 +1269,11 @@ static ssize_t oom_adjust_write(struct file *file, const char __user *buf,
+ 	unsigned long flags;
+ 	int err;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	memset(buffer, 0, sizeof(buffer));
+ 	if (count > sizeof(buffer) - 1)
+ 		count = sizeof(buffer) - 1;
+@@ -1011,6 +1298,22 @@ static ssize_t oom_adjust_write(struct file *file, const char __user *buf,
+ 	}
+ 
+ 	task_lock(task);
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.process = task_pid(task);
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		err = -EPERM;
++		goto err_task_lock;
++	}
++#endif
++
+ 	if (!task->mm) {
+ 		err = -EINVAL;
+ 		goto err_task_lock;
+@@ -1164,8 +1467,29 @@ static ssize_t proc_loginuid_read(struct file * file, char __user * buf,
+ 	ssize_t length;
+ 	char tmpbuf[TMPBUFLEN];
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!task)
+ 		return -ESRCH;
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.process = task_pid(task);
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		put_task_struct(task);
++		return -EPERM;
++	}
++#endif
++
+ 	length = scnprintf(tmpbuf, TMPBUFLEN, "%u",
+ 				audit_get_loginuid(task));
+ 	put_task_struct(task);
+@@ -1180,6 +1504,11 @@ static ssize_t proc_loginuid_write(struct file * file, const char __user * buf,
+ 	ssize_t length;
+ 	uid_t loginuid;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!capable(CAP_AUDIT_CONTROL))
+ 		return -EPERM;
+ 
+@@ -1197,6 +1526,24 @@ static ssize_t proc_loginuid_write(struct file * file, const char __user * buf,
+ 		/* No partial writes. */
+ 		return -EINVAL;
+ 	}
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rcu_read_lock();
++	rsbac_target_id.process =  proc_pid(inode);
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		rcu_read_unlock();
++		return -EPERM;
++	}
++	rcu_read_unlock();
++#endif
++
+ 	page = (char*)__get_free_page(GFP_TEMPORARY);
+ 	if (!page)
+ 		return -ENOMEM;
+@@ -1491,10 +1838,29 @@ static int proc_exe_link(struct inode *inode, struct path *exe_path)
+ 	struct task_struct *task;
+ 	struct mm_struct *mm;
+ 	struct file *exe_file;
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
+ 
+ 	task = get_proc_task(inode);
+ 	if (!task)
+ 		return -ENOENT;
++
++#ifdef CONFIG_RSBAC
++        rsbac_pr_debug(aef, "calling ADF\n");
++        rsbac_target_id.process = task_pid(task);
++        rsbac_attribute_value.dummy = 0;
++        if (!rsbac_adf_request(R_GET_STATUS_DATA,
++                                task_pid(current),
++                                T_PROCESS,
++                                rsbac_target_id,
++                                A_none,
++                                rsbac_attribute_value)) {
++		put_task_struct(task);
++                return -EPERM;
++        }
++#endif
+ 	mm = get_task_mm(task);
+ 	put_task_struct(task);
+ 	if (!mm)
+@@ -1813,6 +2179,30 @@ static int proc_fd_info(struct inode *inode, struct path *path, char *info)
+ 	struct file *file;
+ 	int fd = proc_fd(inode);
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rcu_read_lock();
++	rsbac_target_id.process = proc_pid(inode);
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		if (task)
++			put_task_struct(task);
++		rcu_read_unlock();
++		return -EPERM;
++	}
++	rcu_read_unlock();
++#endif
++
+ 	if (task) {
+ 		files = get_files_struct(task);
+ 		put_task_struct(task);
+@@ -2920,6 +3310,11 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, struct
+ 	unsigned tgid;
+ 	struct pid_namespace *ns;
+ 
++#ifdef CONFIG_RSBAC_PROC_HIDE
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	result = proc_base_lookup(dir, dentry);
+ 	if (!IS_ERR(result) || PTR_ERR(result) != -ENOENT)
+ 		goto out;
+@@ -2937,6 +3332,21 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, struct
+ 	if (!task)
+ 		goto out;
+ 
++#ifdef CONFIG_RSBAC_PROC_HIDE
++	rsbac_target_id.process = task_pid(task);
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		result = ERR_PTR(-ENOENT);
++		put_task_struct(task);
++		goto out;
++	}
++#endif
++
+ 	result = proc_pid_instantiate(dir, dentry, task, NULL);
+ 	put_task_struct(task);
+ out:
+@@ -3004,6 +3414,10 @@ int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir)
+ 	struct task_struct *reaper;
+ 	struct tgid_iter iter;
+ 	struct pid_namespace *ns;
++#ifdef CONFIG_RSBAC_PROC_HIDE
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
+ 
+ 	if (filp->f_pos >= PID_MAX_LIMIT + TGID_OFFSET)
+ 		goto out_no_task;
+@@ -3025,6 +3439,22 @@ int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir)
+ 	for (iter = next_tgid(ns, iter);
+ 	     iter.task;
+ 	     iter.tgid += 1, iter = next_tgid(ns, iter)) {
++#ifdef CONFIG_RSBAC_PROC_HIDE
++		rcu_read_lock();
++		rsbac_target_id.process = task_pid(iter.task);
++		rsbac_attribute_value.dummy = 0;
++		if (!rsbac_adf_request(R_GET_STATUS_DATA,
++					task_pid(current),
++					T_PROCESS,
++					rsbac_target_id,
++					A_none,
++					rsbac_attribute_value)) {
++			rcu_read_unlock();
++			continue;
++		}
++		rcu_read_unlock();
++#endif
++
+ 		filp->f_pos = iter.tgid + TGID_OFFSET;
+ 		if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
+ 			put_task_struct(iter.task);
+@@ -3172,6 +3602,10 @@ static struct dentry *proc_task_lookup(struct inode *dir, struct dentry * dentry
+ 	struct task_struct *leader = get_proc_task(dir);
+ 	unsigned tid;
+ 	struct pid_namespace *ns;
++#ifdef CONFIG_RSBAC_PROC_HIDE
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
+ 
+ 	if (!leader)
+ 		goto out_no_task;
+@@ -3191,6 +3625,19 @@ static struct dentry *proc_task_lookup(struct inode *dir, struct dentry * dentry
+ 	if (!same_thread_group(leader, task))
+ 		goto out_drop_task;
+ 
++#ifdef CONFIG_RSBAC_PROC_HIDE
++	rsbac_target_id.process = task_pid(task);
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		goto out_drop_task;
++	}
++#endif
++
+ 	result = proc_task_instantiate(dir, dentry, task, NULL);
+ out_drop_task:
+ 	put_task_struct(task);
+diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
+index d245cb2..6de900e 100644
+--- a/fs/proc/kcore.c
++++ b/fs/proc/kcore.c
+@@ -27,6 +27,8 @@
+ #include <linux/memory.h>
+ #include <asm/sections.h>
+ 
++#include <rsbac/hooks.h>
++
+ #define CORE_STR "CORE"
+ 
+ #ifndef ELF_CORE_EFLAGS
+@@ -542,8 +544,27 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
+ 
+ static int open_kcore(struct inode *inode, struct file *filp)
+ {
++#ifdef CONFIG_RSBAC
++        union rsbac_target_id_t rsbac_target_id;
++        union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!capable(CAP_SYS_RAWIO))
+ 		return -EPERM;
++
++#ifdef CONFIG_RSBAC
++        rsbac_target_id.scd = ST_kmem;
++        rsbac_attribute_value.dummy = 0;
++        rsbac_pr_debug(aef, "calling ADF\n");
++        if (!rsbac_adf_request(R_GET_STATUS_DATA,
++                              task_pid(current),
++                              T_SCD,
++                              rsbac_target_id,
++                              A_none,
++                              rsbac_attribute_value))
++          return -EPERM;
++#endif
++
+ 	if (kcore_need_update)
+ 		kcore_update_ram();
+ 	if (i_size_read(inode) != proc_root_kcore->size) {
+diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
+index 3efa725..1bf12a0 100644
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -16,6 +16,7 @@
+ #include <asm/uaccess.h>
+ #include <asm/tlbflush.h>
+ #include "internal.h"
++#include <rsbac/hooks.h>
+ 
+ void task_mem(struct seq_file *m, struct mm_struct *mm)
+ {
+@@ -195,9 +196,28 @@ static int do_maps_open(struct inode *inode, struct file *file,
+ {
+ 	struct proc_maps_private *priv;
+ 	int ret = -ENOMEM;
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
+ 	priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+ 	if (priv) {
+ 		priv->pid = proc_pid(inode);
++#ifdef CONFIG_RSBAC
++		rsbac_pr_debug(aef, "calling ADF\n");
++		rsbac_target_id.process = priv->pid;
++		rsbac_attribute_value.dummy = 0;
++		if (!rsbac_adf_request(R_GET_STATUS_DATA,
++					task_pid(current),
++					T_PROCESS,
++					rsbac_target_id,
++					A_none,
++					rsbac_attribute_value))
++		{
++			kfree(priv);
++			return -EPERM;
++		}
++#endif
+ 		ret = seq_open(file, ops);
+ 		if (!ret) {
+ 			struct seq_file *m = file->private_data;
+diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c
+index 980de54..21a94bb 100644
+--- a/fs/proc/task_nommu.c
++++ b/fs/proc/task_nommu.c
+@@ -8,6 +8,7 @@
+ #include <linux/slab.h>
+ #include <linux/seq_file.h>
+ #include "internal.h"
++#include <rsbac/hooks.h>
+ 
+ /*
+  * Logic: we've got two memory sums for each process, "shared", and
+@@ -248,6 +249,26 @@ static int maps_open(struct inode *inode, struct file *file)
+ 	struct proc_maps_private *priv;
+ 	int ret = -ENOMEM;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.process = pid_task(proc_pid(inode), PIDTYPE_PID)->pid;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
++
+ 	priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+ 	if (priv) {
+ 		priv->pid = proc_pid(inode);
+diff --git a/fs/quota/quota.c b/fs/quota/quota.c
+index 35f4b0e..5d14cc2 100644
+--- a/fs/quota/quota.c
++++ b/fs/quota/quota.c
+@@ -16,12 +16,18 @@
+ #include <linux/buffer_head.h>
+ #include <linux/capability.h>
+ #include <linux/quotaops.h>
++#include <rsbac/hooks.h>
+ #include <linux/types.h>
+ #include <linux/writeback.h>
+ 
+ static int check_quotactl_permission(struct super_block *sb, int type, int cmd,
+ 				     qid_t id)
+ {
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	switch (cmd) {
+ 	/* these commands do not require any special privilegues */
+ 	case Q_GETFMT:
+@@ -29,17 +35,60 @@ static int check_quotactl_permission(struct super_block *sb, int type, int cmd,
+ 	case Q_GETINFO:
+ 	case Q_XGETQSTAT:
+ 	case Q_XQUOTASYNC:
++#ifdef CONFIG_RSBAC
++		rsbac_target_id.scd = ST_quota;
++		rsbac_attribute_value.dummy = 0;
++		rsbac_pr_debug(aef, "[sys_quotactl()]: calling ADF\n");
++		if (!rsbac_adf_request(R_GET_STATUS_DATA,
++					task_pid(current),
++					T_SCD,
++					rsbac_target_id,
++					A_none,
++					rsbac_attribute_value))
++		{
++			return -EPERM;
++		}
++#endif
+ 		break;
+ 	/* allow to query information for dquots we "own" */
+ 	case Q_GETQUOTA:
+ 	case Q_XGETQUOTA:
+ 		if ((type == USRQUOTA && current_euid() == id) ||
+-		    (type == GRPQUOTA && in_egroup_p(id)))
++		    (type == GRPQUOTA && in_egroup_p(id))) {
++#ifdef CONFIG_RSBAC
++			rsbac_target_id.scd = ST_quota;
++			rsbac_attribute_value.dummy = 0;
++			rsbac_pr_debug(aef, "[sys_quotactl()]: calling ADF\n");
++			if (!rsbac_adf_request(R_GET_STATUS_DATA,
++						task_pid(current),
++						T_SCD,
++						rsbac_target_id,
++						A_none,
++						rsbac_attribute_value)) {
++				return -EPERM;
++			}
++#endif
+ 			break;
++		}
+ 		/*FALLTHROUGH*/
+ 	default:
+ 		if (!capable(CAP_SYS_ADMIN))
+ 			return -EPERM;
++
++#ifdef CONFIG_RSBAC
++		rsbac_target_id.scd = ST_quota;
++		rsbac_attribute_value.dummy = 0;
++		rsbac_pr_debug(aef, "[sys_quotactl()]: calling ADF\n");
++		if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++					task_pid(current),
++					T_SCD,
++					rsbac_target_id,
++					A_none,
++					rsbac_attribute_value))
++		{
++			return -EPERM;
++		}
++#endif
+ 	}
+ 
+ 	return security_quotactl(cmd, type, id, sb);
+diff --git a/fs/read_write.c b/fs/read_write.c
+index 5ad4248..176cd5f 100644
+--- a/fs/read_write.c
++++ b/fs/read_write.c
+@@ -17,6 +17,12 @@
+ #include <linux/splice.h>
+ #include "read_write.h"
+ 
++#ifdef CONFIG_RSBAC_RW
++#include <net/sock.h>
++#include <net/af_unix.h>
++#endif
++#include <rsbac/hooks.h>
++
+ #include <asm/uaccess.h>
+ #include <asm/unistd.h>
+ 
+@@ -325,7 +331,7 @@ int rw_verify_area(int read_write, struct file *file, loff_t *ppos, size_t count
+ 	return count > MAX_RW_COUNT ? MAX_RW_COUNT : count;
+ }
+ 
+-static void wait_on_retry_sync_kiocb(struct kiocb *iocb)
++void wait_on_retry_sync_kiocb(struct kiocb *iocb)
+ {
+ 	set_current_state(TASK_UNINTERRUPTIBLE);
+ 	if (!kiocbIsKicked(iocb))
+@@ -365,6 +371,10 @@ ssize_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos)
+ {
+ 	ssize_t ret;
+ 
++#ifdef CONFIG_RSBAC_RW
++	struct rsbac_rw_req rsbac_rw_req_obj;
++#endif
++
+ 	if (!(file->f_mode & FMODE_READ))
+ 		return -EBADF;
+ 	if (!file->f_op || (!file->f_op->read && !file->f_op->aio_read))
+@@ -375,6 +385,12 @@ ssize_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos)
+ 	ret = rw_verify_area(READ, file, pos, count);
+ 	if (ret >= 0) {
+ 		count = ret;
++#ifdef CONFIG_RSBAC_RW
++		rsbac_rw_req_obj.rsbac_target = T_NONE;
++		rsbac_rw_req_obj.rsbac_request = R_READ;
++		if (!rsbac_handle_rw_req(file, &rsbac_rw_req_obj))
++			return -EPERM;
++#endif
+ 		if (file->f_op->read)
+ 			ret = file->f_op->read(file, buf, count, pos);
+ 		else
+@@ -382,6 +398,9 @@ ssize_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos)
+ 		if (ret > 0) {
+ 			fsnotify_access(file);
+ 			add_rchar(current, ret);
++#ifdef CONFIG_RSBAC_RW
++		rsbac_handle_rw_up(&rsbac_rw_req_obj);
++#endif
+ 		}
+ 		inc_syscr(current);
+ 	}
+@@ -421,6 +440,10 @@ ssize_t vfs_write(struct file *file, const char __user *buf, size_t count, loff_
+ {
+ 	ssize_t ret;
+ 
++#ifdef CONFIG_RSBAC_RW
++	struct rsbac_rw_req rsbac_rw_req_obj;
++#endif
++
+ 	if (!(file->f_mode & FMODE_WRITE))
+ 		return -EBADF;
+ 	if (!file->f_op || (!file->f_op->write && !file->f_op->aio_write))
+@@ -431,6 +454,12 @@ ssize_t vfs_write(struct file *file, const char __user *buf, size_t count, loff_
+ 	ret = rw_verify_area(WRITE, file, pos, count);
+ 	if (ret >= 0) {
+ 		count = ret;
++#ifdef CONFIG_RSBAC_RW
++		rsbac_rw_req_obj.rsbac_target = T_NONE;
++		rsbac_rw_req_obj.rsbac_request = R_WRITE;
++		if (!rsbac_handle_rw_req(file, &rsbac_rw_req_obj))
++			return -EPERM;
++#endif
+ 		if (file->f_op->write)
+ 			ret = file->f_op->write(file, buf, count, pos);
+ 		else
+@@ -438,6 +467,10 @@ ssize_t vfs_write(struct file *file, const char __user *buf, size_t count, loff_
+ 		if (ret > 0) {
+ 			fsnotify_modify(file);
+ 			add_wchar(current, ret);
++
++#ifdef CONFIG_RSBAC_RW
++		rsbac_handle_rw_up(&rsbac_rw_req_obj);
++#endif
+ 		}
+ 		inc_syscw(current);
+ 	}
+@@ -717,6 +750,11 @@ static ssize_t do_readv_writev(int type, struct file *file,
+ 	io_fn_t fn;
+ 	iov_fn_t fnv;
+ 
++#ifdef CONFIG_RSBAC_RW
++	struct rsbac_rw_req rsbac_rw_req_obj;
++	rsbac_rw_req_obj.rsbac_target = T_NONE;
++#endif
++
+ 	if (!file->f_op) {
+ 		ret = -EINVAL;
+ 		goto out;
+@@ -732,6 +770,19 @@ static ssize_t do_readv_writev(int type, struct file *file,
+ 	if (ret < 0)
+ 		goto out;
+ 
++#ifdef CONFIG_RSBAC_RW
++	if (type == READ)
++		rsbac_rw_req_obj.rsbac_request = R_READ;
++	else
++/* if type wouldn't be WRITE here it's going to be funny ;)
++   kernel itself does NOT check on it. */
++		rsbac_rw_req_obj.rsbac_request = R_WRITE;
++        if(!rsbac_handle_rw_req(file, &rsbac_rw_req_obj)) {
++		ret = -EPERM;
++		goto out;
++	}
++#endif
++
+ 	fnv = NULL;
+ 	if (type == READ) {
+ 		fn = file->f_op->read;
+@@ -756,6 +807,12 @@ out:
+ 		else
+ 			fsnotify_modify(file);
+ 	}
++
++#ifdef CONFIG_RSBAC_RW
++	if (ret > 0)
++		rsbac_handle_rw_up(&rsbac_rw_req_obj);
++#endif
++
+ 	return ret;
+ }
+ 
+@@ -892,6 +949,15 @@ static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos,
+ 	ssize_t retval;
+ 	int fput_needed_in, fput_needed_out, fl;
+ 
++#ifdef CONFIG_RSBAC_RW
++	struct rsbac_rw_req rsbac_rw_req_obj1;
++	struct rsbac_rw_req rsbac_rw_req_obj2;
++	struct socket * sock1;
++	struct socket * sock2;
++	rsbac_rw_req_obj1.rsbac_target = T_NONE;
++	rsbac_rw_req_obj2.rsbac_target = T_NONE;
++#endif
++
+ 	/*
+ 	 * Get input file, and verify that it is ok..
+ 	 */
+@@ -912,6 +978,29 @@ static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos,
+ 		goto fput_in;
+ 	count = retval;
+ 
++#ifdef CONFIG_RSBAC_RW
++/* i could have done it in few lines of code, but that's way it is MUCH faster and sendfile is mostly beeing used with network sockets */
++	if (S_ISSOCK(in_file->f_dentry->d_inode->i_mode)) {
++		sock1 = SOCKET_I(in_file->f_dentry->d_inode);
++		if ((sock1->ops) && (sock1->ops->family != AF_UNIX)) {
++			rsbac_rw_req_obj1.rsbac_target = T_NETOBJ;
++                        rsbac_rw_req_obj1.rsbac_target_id.netobj.sock_p = sock1;
++                        rsbac_rw_req_obj1.rsbac_target_id.netobj.local_addr = NULL;
++                        rsbac_rw_req_obj1.rsbac_target_id.netobj.local_len = 0;
++                        rsbac_rw_req_obj1.rsbac_target_id.netobj.remote_addr = NULL;
++                        rsbac_rw_req_obj1.rsbac_target_id.netobj.remote_len = 0;
++                        rsbac_rw_req_obj1.rsbac_attribute = A_sock_type;
++                        rsbac_rw_req_obj1.rsbac_attribute_value.sock_type = sock1->type;
++                }
++	}
++	rsbac_rw_req_obj1.rsbac_request = R_READ;
++	if(!rsbac_handle_rw_req(in_file, &rsbac_rw_req_obj1))
++	{
++		retval = -EPERM;
++		goto fput_in;
++	}
++#endif
++
+ 	/*
+ 	 * Get output file, and verify that it is ok..
+ 	 */
+@@ -929,6 +1018,28 @@ static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos,
+ 		goto fput_out;
+ 	count = retval;
+ 
++#ifdef CONFIG_RSBAC_RW
++	if (S_ISSOCK(out_file->f_dentry->d_inode->i_mode)) {
++		sock2 = SOCKET_I(out_file->f_dentry->d_inode);
++		if ((sock2->ops) && (sock2->ops->family != AF_UNIX)) {
++                        rsbac_rw_req_obj2.rsbac_target = T_NETOBJ;
++                        rsbac_rw_req_obj2.rsbac_target_id.netobj.sock_p = sock2;
++                        rsbac_rw_req_obj2.rsbac_target_id.netobj.local_addr = NULL;
++                        rsbac_rw_req_obj2.rsbac_target_id.netobj.local_len = 0;
++                        rsbac_rw_req_obj2.rsbac_target_id.netobj.remote_addr = NULL;
++                        rsbac_rw_req_obj2.rsbac_target_id.netobj.remote_len = 0;
++                        rsbac_rw_req_obj2.rsbac_attribute = A_sock_type;
++                        rsbac_rw_req_obj2.rsbac_attribute_value.sock_type = sock2->type;
++                }
++	}
++	rsbac_rw_req_obj2.rsbac_request = R_WRITE;
++	if(!rsbac_handle_rw_req(out_file, &rsbac_rw_req_obj2))
++	{
++		retval = -EPERM;
++		goto fput_out;
++	}
++#endif
++
+ 	if (!max)
+ 		max = min(in_inode->i_sb->s_maxbytes, out_inode->i_sb->s_maxbytes);
+ 
+@@ -963,6 +1074,11 @@ static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos,
+ 	if (*ppos > max)
+ 		retval = -EOVERFLOW;
+ 
++#ifdef CONFIG_RSBAC_RW
++	rsbac_handle_rw_up(&rsbac_rw_req_obj1);
++	rsbac_handle_rw_up(&rsbac_rw_req_obj2);
++#endif
++
+ fput_out:
+ 	fput_light(out_file, fput_needed_out);
+ fput_in:
+diff --git a/fs/readdir.c b/fs/readdir.c
+index 356f715..62bf4f4 100644
+--- a/fs/readdir.c
++++ b/fs/readdir.c
+@@ -20,10 +20,27 @@
+ 
+ #include <asm/uaccess.h>
+ 
++#ifdef CONFIG_RSBAC
++#include <net/sock.h>
++#ifdef CONFIG_RSBAC_FSOBJ_HIDE
++#include "hfsplus/hfsplus_fs.h"
++#include "hfsplus/hfsplus_raw.h"
++#endif
++#endif
++
++#include <rsbac/hooks.h>
++#include <linux/namei.h>
++
+ int vfs_readdir(struct file *file, filldir_t filler, void *buf)
+ {
+ 	struct inode *inode = file->f_path.dentry->d_inode;
+ 	int res = -ENOTDIR;
++
++#ifdef CONFIG_RSBAC
++        union rsbac_target_id_t rsbac_target_id;
++        union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!file->f_op || !file->f_op->readdir)
+ 		goto out;
+ 
+@@ -31,6 +48,23 @@ int vfs_readdir(struct file *file, filldir_t filler, void *buf)
+ 	if (res)
+ 		goto out;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[old_readdir(), sys_getdents()]: calling ADF\n");
++	rsbac_target_id.dir.device = inode->i_sb->s_dev;
++	rsbac_target_id.dir.inode = inode->i_ino;
++	rsbac_target_id.dir.dentry_p = file->f_dentry;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_READ,
++				task_pid(current),
++				T_DIR,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))	{
++		res = -EPERM;
++		goto out;
++	}
++#endif
++
+ 	res = mutex_lock_killable(&inode->i_mutex);
+ 	if (res)
+ 		goto out;
+@@ -67,6 +101,9 @@ struct old_linux_dirent {
+ 
+ struct readdir_callback {
+ 	struct old_linux_dirent __user * dirent;
++#ifdef CONFIG_RSBAC_FSOBJ_HIDE
++	struct file * file;
++#endif
+ 	int result;
+ };
+ 
+@@ -79,6 +116,11 @@ static int fillonedir(void * __buf, const char * name, int namlen, loff_t offset
+ 
+ 	if (buf->result)
+ 		return -EINVAL;
++#ifdef CONFIG_RSBAC_FSOBJ_HIDE
++	if (!rsbac_handle_filldir(buf->file, name, namlen, ino))
++		return 0;
++#endif
++
+ 	d_ino = ino;
+ 	if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
+ 		buf->result = -EOVERFLOW;
+@@ -116,6 +158,9 @@ SYSCALL_DEFINE3(old_readdir, unsigned int, fd,
+ 
+ 	buf.result = 0;
+ 	buf.dirent = dirent;
++#ifdef CONFIG_RSBAC_FSOBJ_HIDE
++	buf.file = file;
++#endif
+ 
+ 	error = vfs_readdir(file, fillonedir, &buf);
+ 	if (buf.result)
+@@ -142,6 +187,9 @@ struct linux_dirent {
+ struct getdents_callback {
+ 	struct linux_dirent __user * current_dir;
+ 	struct linux_dirent __user * previous;
++#ifdef CONFIG_RSBAC_FSOBJ_HIDE
++	struct file * file;
++#endif
+ 	int count;
+ 	int error;
+ };
+@@ -158,6 +206,10 @@ static int filldir(void * __buf, const char * name, int namlen, loff_t offset,
+ 	buf->error = -EINVAL;	/* only used if we fail.. */
+ 	if (reclen > buf->count)
+ 		return -EINVAL;
++#ifdef CONFIG_RSBAC_FSOBJ_HIDE
++	if (!rsbac_handle_filldir(buf->file, name, namlen, ino))
++		return 0;
++#endif
+ 	d_ino = ino;
+ 	if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
+ 		buf->error = -EOVERFLOW;
+@@ -208,6 +260,9 @@ SYSCALL_DEFINE3(getdents, unsigned int, fd,
+ 
+ 	buf.current_dir = dirent;
+ 	buf.previous = NULL;
++#ifdef CONFIG_RSBAC_FSOBJ_HIDE
++	buf.file = file;
++#endif
+ 	buf.count = count;
+ 	buf.error = 0;
+ 
+@@ -231,6 +286,9 @@ struct getdents_callback64 {
+ 	struct linux_dirent64 __user * previous;
+ 	int count;
+ 	int error;
++#ifdef CONFIG_RSBAC_FSOBJ_HIDE
++	struct file * file;
++#endif
+ };
+ 
+ static int filldir64(void * __buf, const char * name, int namlen, loff_t offset,
+@@ -244,6 +302,12 @@ static int filldir64(void * __buf, const char * name, int namlen, loff_t offset,
+ 	buf->error = -EINVAL;	/* only used if we fail.. */
+ 	if (reclen > buf->count)
+ 		return -EINVAL;
++
++#ifdef CONFIG_RSBAC_FSOBJ_HIDE
++	if (!rsbac_handle_filldir(buf->file, name, namlen, ino))
++		return 0;
++#endif
++
+ 	dirent = buf->previous;
+ 	if (dirent) {
+ 		if (__put_user(offset, &dirent->d_off))
+@@ -291,6 +355,9 @@ SYSCALL_DEFINE3(getdents64, unsigned int, fd,
+ 
+ 	buf.current_dir = dirent;
+ 	buf.previous = NULL;
++#ifdef CONFIG_RSBAC_FSOBJ_HIDE
++	buf.file = file;
++#endif
+ 	buf.count = count;
+ 	buf.error = 0;
+ 
+diff --git a/fs/reiserfs/namei.c b/fs/reiserfs/namei.c
+index 80058e8..a300cf6 100644
+--- a/fs/reiserfs/namei.c
++++ b/fs/reiserfs/namei.c
+@@ -18,6 +18,7 @@
+ #include <linux/reiserfs_acl.h>
+ #include <linux/reiserfs_xattr.h>
+ #include <linux/quotaops.h>
++#include <rsbac/hooks.h>
+ 
+ #define INC_DIR_INODE_NLINK(i) if (i->i_nlink != 1) { inc_nlink(i); if (i->i_nlink >= REISERFS_LINK_MAX) set_nlink(i, 1); }
+ #define DEC_DIR_INODE_NLINK(i) if (i->i_nlink != 1) drop_nlink(i);
+@@ -975,6 +976,11 @@ static int reiserfs_unlink(struct inode *dir, struct dentry *dentry)
+ 	 */
+ 	savelink = inode->i_nlink;
+ 
++#ifdef CONFIG_RSBAC_SECDEL
++	if (inode->i_nlink == 1)
++		rsbac_sec_del(dentry, TRUE);
++#endif
++
+ 	retval =
+ 	    reiserfs_cut_from_item(&th, &path, &(de.de_entry_key), dir, NULL,
+ 				   0);
+@@ -1357,6 +1363,11 @@ static int reiserfs_rename(struct inode *old_dir, struct dentry *old_dentry,
+ 			journal_end(&th, old_dir->i_sb, jbegin_count);
+ 			reiserfs_write_unlock(old_dir->i_sb);
+ 			return -EIO;
++#ifdef CONFIG_RSBAC_SECDEL
++		} else {
++			if (new_dentry_inode && (new_dentry_inode->i_nlink == 1))
++				rsbac_sec_del(new_dentry, TRUE);
++#endif
+ 		}
+ 
+ 		copy_item_head(&new_entry_ih, get_ih(&new_entry_path));
+diff --git a/fs/reiserfs/xattr.c b/fs/reiserfs/xattr.c
+index 6bc346c..ac9382c 100644
+--- a/fs/reiserfs/xattr.c
++++ b/fs/reiserfs/xattr.c
+@@ -951,6 +951,10 @@ static const struct dentry_operations xattr_lookup_poison_ops = {
+ 	.d_revalidate = xattr_hide_revalidate,
+ };
+ 
++#ifdef CONFIG_RSBAC
++struct dentry * rsbac_lookup_one_len(const char * name, struct dentry * base, int len);
++#endif
++
+ int reiserfs_lookup_privroot(struct super_block *s)
+ {
+ 	struct dentry *dentry;
+@@ -995,8 +999,13 @@ int reiserfs_xattr_init(struct super_block *s, int mount_flags)
+ 		reiserfs_mutex_lock_safe(&privroot->d_inode->i_mutex, s);
+ 		if (!REISERFS_SB(s)->xattr_root) {
+ 			struct dentry *dentry;
++#ifdef CONFIG_RSBAC
++			dentry = rsbac_lookup_one_len(XAROOT_NAME, s->s_root,
++						strlen(XAROOT_NAME));
++#else
+ 			dentry = lookup_one_len(XAROOT_NAME, privroot,
+ 						strlen(XAROOT_NAME));
++#endif
+ 			if (!IS_ERR(dentry))
+ 				REISERFS_SB(s)->xattr_root = dentry;
+ 			else
+diff --git a/fs/stat.c b/fs/stat.c
+index 8806b89..77f8c9b 100644
+--- a/fs/stat.c
++++ b/fs/stat.c
+@@ -18,8 +18,19 @@
+ #include <asm/uaccess.h>
+ #include <asm/unistd.h>
+ 
++#ifdef CONFIG_RSBAC
++#include <net/sock.h>
++#include <rsbac/hooks.h>
++#endif
++
+ void generic_fillattr(struct inode *inode, struct kstat *stat)
+ {
++
++#ifdef CONFIG_RSBAC_SYM_REDIR
++	char *rsbac_name;
++	int len = 0;
++#endif
++
+ 	stat->dev = inode->i_sb->s_dev;
+ 	stat->ino = inode->i_ino;
+ 	stat->mode = inode->i_mode;
+@@ -27,6 +38,19 @@ void generic_fillattr(struct inode *inode, struct kstat *stat)
+ 	stat->uid = inode->i_uid;
+ 	stat->gid = inode->i_gid;
+ 	stat->rdev = inode->i_rdev;
++
++#ifdef CONFIG_RSBAC_SYM_REDIR
++	if (S_ISLNK(inode->i_mode)) {
++		rsbac_name = rsbac_symlink_redirect(inode, "", 0);
++		if (rsbac_name) {
++			len = strlen(rsbac_name);
++			kfree(rsbac_name);
++		}
++		stat->size = i_size_read(inode) + len;
++	}
++	else
++#endif
++
+ 	stat->size = i_size_read(inode);
+ 	stat->atime = inode->i_atime;
+ 	stat->mtime = inode->i_mtime;
+@@ -42,10 +66,51 @@ int vfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
+ 	struct inode *inode = dentry->d_inode;
+ 	int retval;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	retval = security_inode_getattr(mnt, dentry);
+ 	if (retval)
+ 		return retval;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[sys_stat() etc.]: calling ADF\n");
++	rsbac_target_id.file.device = inode->i_sb->s_dev;
++	rsbac_target_id.file.inode  = inode->i_ino;
++	rsbac_target_id.file.dentry_p = dentry;
++	if (S_ISDIR(inode->i_mode))
++		rsbac_target = T_DIR;
++	else if (S_ISFIFO(inode->i_mode))
++		rsbac_target = T_FIFO;
++	else if (S_ISLNK(inode->i_mode))
++		rsbac_target = T_SYMLINK;
++	else if (S_ISSOCK(inode->i_mode)) {
++		if (inode->i_sb->s_magic == SOCKFS_MAGIC) {
++			rsbac_target = T_IPC;
++			rsbac_target_id.ipc.type = I_anonunix;
++			rsbac_target_id.ipc.id.id_nr = inode->i_ino;
++		} else {
++			rsbac_target = T_UNIXSOCK;
++			rsbac_target_id.unixsock.device = inode->i_sb->s_dev;
++			rsbac_target_id.unixsock.inode  = inode->i_ino;
++			rsbac_target_id.unixsock.dentry_p = dentry;
++		}
++	} else
++		rsbac_target = T_FILE;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	if (inode->i_op->getattr)
+ 		return inode->i_op->getattr(mnt, dentry, stat);
+ 
+@@ -296,6 +361,11 @@ SYSCALL_DEFINE4(readlinkat, int, dfd, const char __user *, pathname,
+ 	int error;
+ 	int empty = 0;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (bufsiz <= 0)
+ 		return -EINVAL;
+ 
+@@ -307,6 +377,24 @@ SYSCALL_DEFINE4(readlinkat, int, dfd, const char __user *, pathname,
+ 		if (inode->i_op->readlink) {
+ 			error = security_inode_readlink(path.dentry);
+ 			if (!error) {
++
++#ifdef CONFIG_RSBAC
++				rsbac_pr_debug(aef, "calling ADF\n");
++				rsbac_target_id.file.device = path.dentry->d_sb->s_dev;
++				rsbac_target_id.file.inode  = inode->i_ino;
++				rsbac_target_id.file.dentry_p = path.dentry;
++				rsbac_attribute_value.dummy = 0;
++				if (!rsbac_adf_request(R_GET_STATUS_DATA,
++							task_pid(current),
++							T_SYMLINK,
++							rsbac_target_id,
++							A_none,
++							rsbac_attribute_value)) {
++					path_put(&path);
++					return -EPERM;
++				}
++#endif
++
+ 				touch_atime(path.mnt, path.dentry);
+ 				error = inode->i_op->readlink(path.dentry,
+ 							      buf, bufsiz);
+diff --git a/fs/statfs.c b/fs/statfs.c
+index 9cf04a1..d978425 100644
+--- a/fs/statfs.c
++++ b/fs/statfs.c
+@@ -8,6 +8,8 @@
+ #include <linux/security.h>
+ #include <linux/uaccess.h>
+ 
++#include <rsbac/hooks.h>
++
+ static int flags_by_mnt(int mnt_flags)
+ {
+ 	int flags = 0;
+@@ -49,9 +51,30 @@ int statfs_by_dentry(struct dentry *dentry, struct kstatfs *buf)
+ {
+ 	int retval;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!dentry->d_sb->s_op->statfs)
+ 		return -ENOSYS;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.dev.type = D_block;
++	rsbac_target_id.dev.major = RSBAC_MAJOR(dentry->d_sb->s_dev);
++	rsbac_target_id.dev.minor = RSBAC_MINOR(dentry->d_sb->s_dev);
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				T_DEV,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	memset(buf, 0, sizeof(*buf));
+ 	retval = security_sb_statfs(dentry);
+ 	if (retval)
+diff --git a/fs/sysfs/file.c b/fs/sysfs/file.c
+index 779789a..1129fca 100644
+--- a/fs/sysfs/file.c
++++ b/fs/sysfs/file.c
+@@ -24,6 +24,8 @@
+ 
+ #include "sysfs.h"
+ 
++#include <rsbac/hooks.h>
++
+ /*
+  * There's one sysfs_buffer for each open file and one
+  * sysfs_open_dirent for each sysfs_dirent with one or more open
+@@ -330,6 +332,11 @@ static int sysfs_open_file(struct inode *inode, struct file *file)
+ 	struct sysfs_buffer *buffer;
+ 	const struct sysfs_ops *ops;
+ 	int error = -EACCES;
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 
+ 	/* need attr_sd for attr and ops, its parent for kobj */
+ 	if (!sysfs_get_active(attr_sd))
+@@ -351,6 +358,21 @@ static int sysfs_open_file(struct inode *inode, struct file *file)
+ 	if (file->f_mode & FMODE_WRITE) {
+ 		if (!(inode->i_mode & S_IWUGO) || !ops->store)
+ 			goto err_out;
++#ifdef CONFIG_RSBAC
++		rsbac_pr_debug(aef, "[sysfs_open_file()]: calling ADF\n");
++		rsbac_target_id.scd = ST_sysfs;
++		rsbac_attribute_value.dummy = 0;
++		if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++					task_pid(current),
++					T_SCD,
++					rsbac_target_id,
++					A_owner,
++					rsbac_attribute_value))
++		{
++			error = -EPERM;
++			goto err_out;
++		}
++#endif
+ 	}
+ 
+ 	/* File needs read support.
+@@ -360,6 +382,22 @@ static int sysfs_open_file(struct inode *inode, struct file *file)
+ 	if (file->f_mode & FMODE_READ) {
+ 		if (!(inode->i_mode & S_IRUGO) || !ops->show)
+ 			goto err_out;
++
++#ifdef CONFIG_RSBAC
++		rsbac_pr_debug(aef, "[sysfs_open_file()]: calling ADF\n");
++		rsbac_target_id.scd = ST_sysfs;
++		rsbac_attribute_value.dummy = 0;
++		if (!rsbac_adf_request(R_GET_STATUS_DATA,
++					task_pid(current),
++					T_SCD,
++					rsbac_target_id,
++					A_owner,
++					rsbac_attribute_value))
++		{
++			error = -EPERM;
++			goto err_out;
++		}
++#endif
+ 	}
+ 
+ 	/* No error? Great, allocate a buffer for the file, and store it
+diff --git a/fs/utimes.c b/fs/utimes.c
+index ba653f3..0c8e4d7 100644
+--- a/fs/utimes.c
++++ b/fs/utimes.c
+@@ -10,6 +10,7 @@
+ #include <linux/syscalls.h>
+ #include <asm/uaccess.h>
+ #include <asm/unistd.h>
++#include <rsbac/hooks.h>
+ 
+ #ifdef __ARCH_WANT_SYS_UTIME
+ 
+@@ -54,6 +55,12 @@ static int utimes_common(struct path *path, struct timespec *times)
+ 	struct iattr newattrs;
+ 	struct inode *inode = path->dentry->d_inode;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	error = mnt_want_write(path->mnt);
+ 	if (error)
+ 		goto out;
+@@ -95,12 +102,43 @@ static int utimes_common(struct path *path, struct timespec *times)
+                 if (IS_IMMUTABLE(inode))
+ 			goto mnt_drop_write_and_out;
+ 
++#ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE_PART
++		if (!rsbac_dac_part_disabled(path->dentry))
++#endif
+ 		if (!inode_owner_or_capable(inode)) {
+ 			error = inode_permission(inode, MAY_WRITE);
+ 			if (error)
+ 				goto mnt_drop_write_and_out;
+ 		}
+ 	}
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target = T_FILE;
++	if (S_ISDIR(inode->i_mode))
++		rsbac_target = T_DIR;
++	else if (S_ISFIFO(inode->i_mode))
++		rsbac_target = T_FIFO;
++	else if (S_ISLNK(inode->i_mode))
++		rsbac_target = T_SYMLINK;
++	else if (S_ISSOCK(inode->i_mode))
++		rsbac_target = T_UNIXSOCK;
++	rsbac_target_id.file.device = inode->i_sb->s_dev;
++	rsbac_target_id.file.inode  = inode->i_ino;
++	rsbac_target_id.file.dentry_p = path->dentry;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MODIFY_ACCESS_DATA,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		error = -EPERM;
++		goto mnt_drop_write_and_out;
++	}
++#endif
++
+ 	mutex_lock(&inode->i_mutex);
+ 	error = notify_change(path->dentry, &newattrs);
+ 	mutex_unlock(&inode->i_mutex);
+diff --git a/fs/xattr.c b/fs/xattr.c
+index 67583de..c1cecc5 100644
+--- a/fs/xattr.c
++++ b/fs/xattr.c
+@@ -21,6 +21,7 @@
+ #include <linux/audit.h>
+ #include <asm/uaccess.h>
+ 
++#include <rsbac/hooks.h>
+ 
+ /*
+  * Check permissions for extended attribute access.  This is a bit complicated
+@@ -122,6 +123,36 @@ vfs_setxattr(struct dentry *dentry, const char *name, const void *value,
+ {
+ 	struct inode *inode = dentry->d_inode;
+ 	int error;
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[sys_*setxattr()]: calling ADF\n");
++	rsbac_target = T_FILE;
++	if (S_ISDIR(inode->i_mode))
++		rsbac_target = T_DIR;
++	else if (S_ISFIFO(inode->i_mode))
++		rsbac_target = T_FIFO;
++	else if (S_ISLNK(inode->i_mode))
++		rsbac_target = T_SYMLINK;
++	else if (S_ISSOCK(inode->i_mode))
++		rsbac_target = T_UNIXSOCK;
++	rsbac_target_id.file.device = dentry->d_sb->s_dev;
++	rsbac_target_id.file.inode  = inode->i_ino;
++	rsbac_target_id.file.dentry_p = dentry;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MODIFY_PERMISSIONS_DATA,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
+ 
+ 	error = xattr_permission(inode, name, MAY_WRITE);
+ 	if (error)
+@@ -231,6 +262,12 @@ vfs_getxattr(struct dentry *dentry, const char *name, void *value, size_t size)
+ 	struct inode *inode = dentry->d_inode;
+ 	int error;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	error = xattr_permission(inode, name, MAY_READ);
+ 	if (error)
+ 		return error;
+@@ -239,6 +276,31 @@ vfs_getxattr(struct dentry *dentry, const char *name, void *value, size_t size)
+ 	if (error)
+ 		return error;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[sys_*getxattr()]: calling ADF\n");
++	rsbac_target = T_FILE;
++	if (S_ISDIR(inode->i_mode))
++		rsbac_target = T_DIR;
++	else if (S_ISFIFO(inode->i_mode))
++		rsbac_target = T_FIFO;
++	else if (S_ISLNK(inode->i_mode))
++		rsbac_target = T_SYMLINK;
++	else if (S_ISSOCK(inode->i_mode))
++		rsbac_target = T_UNIXSOCK;
++	rsbac_target_id.file.device = dentry->d_sb->s_dev;
++	rsbac_target_id.file.inode  = inode->i_ino;
++	rsbac_target_id.file.dentry_p = dentry;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_PERMISSIONS_DATA,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	if (!strncmp(name, XATTR_SECURITY_PREFIX,
+ 				XATTR_SECURITY_PREFIX_LEN)) {
+ 		const char *suffix = name + XATTR_SECURITY_PREFIX_LEN;
+@@ -265,10 +327,41 @@ ssize_t
+ vfs_listxattr(struct dentry *d, char *list, size_t size)
+ {
+ 	ssize_t error;
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
+ 
+ 	error = security_inode_listxattr(d);
+ 	if (error)
+ 		return error;
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[sys_*listxattr()]: calling ADF\n");
++	rsbac_target = T_FILE;
++	if (S_ISDIR(d->d_inode->i_mode))
++		rsbac_target = T_DIR;
++	else if (S_ISFIFO(d->d_inode->i_mode))
++		rsbac_target = T_FIFO;
++	else if (S_ISLNK(d->d_inode->i_mode))
++		rsbac_target = T_SYMLINK;
++	else if (S_ISSOCK(d->d_inode->i_mode))
++		rsbac_target = T_UNIXSOCK;
++	rsbac_target_id.file.device = d->d_sb->s_dev;
++	rsbac_target_id.file.inode  = d->d_inode->i_ino;
++	rsbac_target_id.file.dentry_p = d;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_PERMISSIONS_DATA,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))	{
++		return -EPERM;
++	}
++#endif
++
+ 	error = -EOPNOTSUPP;
+ 	if (d->d_inode->i_op->listxattr) {
+ 		error = d->d_inode->i_op->listxattr(d, list, size);
+@@ -287,6 +380,12 @@ vfs_removexattr(struct dentry *dentry, const char *name)
+ 	struct inode *inode = dentry->d_inode;
+ 	int error;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!inode->i_op->removexattr)
+ 		return -EOPNOTSUPP;
+ 
+@@ -298,6 +397,31 @@ vfs_removexattr(struct dentry *dentry, const char *name)
+ 	if (error)
+ 		return error;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[sys_*removexattr()]: calling ADF\n");
++	rsbac_target = T_FILE;
++	if (S_ISDIR(inode->i_mode))
++		rsbac_target = T_DIR;
++	else if (S_ISFIFO(inode->i_mode))
++		rsbac_target = T_FIFO;
++	else if (S_ISLNK(inode->i_mode))
++		rsbac_target = T_SYMLINK;
++	else if (S_ISSOCK(inode->i_mode))
++		rsbac_target = T_UNIXSOCK;
++	rsbac_target_id.file.device = dentry->d_sb->s_dev;
++	rsbac_target_id.file.inode  = inode->i_ino;
++	rsbac_target_id.file.dentry_p = dentry;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MODIFY_PERMISSIONS_DATA,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	mutex_lock(&inode->i_mutex);
+ 	error = inode->i_op->removexattr(dentry, name);
+ 	mutex_unlock(&inode->i_mutex);
+diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
+index 23ce927..e536ef0 100644
+--- a/fs/xfs/xfs_iops.c
++++ b/fs/xfs/xfs_iops.c
+@@ -50,6 +50,8 @@
+ #include <linux/fiemap.h>
+ #include <linux/slab.h>
+ 
++#include <rsbac/hooks.h>
++
+ /*
+  * Bring the timestamps in the XFS inode uptodate.
+  *
+@@ -340,6 +342,10 @@ xfs_vn_unlink(
+ 	struct xfs_name	name;
+ 	int		error;
+ 
++#ifdef CONFIG_RSBAC_SECDEL
++	if (dentry->d_inode->i_nlink == 1)
++		rsbac_sec_del(dentry, FALSE);
++#endif
+ 	xfs_dentry_to_name(&name, dentry);
+ 
+ 	error = -xfs_remove(XFS_I(dir), &name, XFS_I(dentry->d_inode));
+@@ -401,10 +407,34 @@ xfs_vn_rename(
+ 	struct inode	*new_inode = ndentry->d_inode;
+ 	struct xfs_name	oname;
+ 	struct xfs_name	nname;
++#ifdef CONFIG_RSBAC_SECDEL
++	struct xfs_inode *cip;
++#endif
+ 
+ 	xfs_dentry_to_name(&oname, odentry);
+ 	xfs_dentry_to_name(&nname, ndentry);
+ 
++#ifdef CONFIG_RSBAC_SECDEL
++	/* RSBAC secure delete code. in the event of overwritting existing
++	 * file with sec_del flag set, its blocks will be deallocated so we
++	 * have to overwrite their content. since XFS does all the necessary
++	 * checks on the layer below linux VFS, operating on vnodes
++	 * i decided to implement my own set of checks here, so we can see
++	 * if the existing file is being overwritten.
++	 * inspired by ext2/3/4 and jfs code. michal@...
++	 */
++
++	if (new_inode) {
++		if (new_inode->i_nlink == 1) {
++			if (!xfs_lookup(XFS_I(ndir), &nname, &cip, NULL)) {
++				IRELE(cip);
++				if(!S_ISDIR(new_inode->i_mode))
++					rsbac_sec_del(ndentry, TRUE);
++			}
++		}
++	}
++#endif
++
+ 	return -xfs_rename(XFS_I(odir), &oname, XFS_I(odentry->d_inode),
+ 			   XFS_I(ndir), &nname, new_inode ?
+ 			   			XFS_I(new_inode) : NULL);
+diff --git a/include/linux/sched.h b/include/linux/sched.h
+index 1c4f3e9..f3c9446 100644
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -29,6 +29,9 @@
+ #define CLONE_NEWPID		0x20000000	/* New pid namespace */
+ #define CLONE_NEWNET		0x40000000	/* New network namespace */
+ #define CLONE_IO		0x80000000	/* Clone io context */
++#ifdef CONFIG_RSBAC
++#define CLONE_KTHREAD           0x100000000ULL  /* clone a kernel thread */
++#endif
+ 
+ /*
+  * Scheduling policies
+@@ -94,6 +97,10 @@ struct sched_param {
+ 
+ #include <asm/processor.h>
+ 
++#if defined(CONFIG_RSBAC_CAP_LOG_MISSING) || defined(CONFIG_RSBAC_JAIL_LOG_MISSING)
++#include <rsbac/log_cap.h>
++#endif
++
+ struct exec_domain;
+ struct futex_pi_state;
+ struct robust_list_head;
+@@ -106,7 +113,11 @@ struct blk_plug;
+  * List of flags we want to share for kernel threads,
+  * if only because they are not used by them anyway.
+  */
++#ifdef CONFIG_RSBAC
++#define CLONE_KERNEL	(CLONE_FS | CLONE_FILES | CLONE_SIGHAND | CLONE_KTHREAD)
++#else
+ #define CLONE_KERNEL	(CLONE_FS | CLONE_FILES | CLONE_SIGHAND)
++#endif
+ 
+ /*
+  * These are the constant used to fake the fixed-point load-average
+@@ -2233,6 +2244,13 @@ static inline void mmdrop(struct mm_struct * mm)
+ 
+ /* mmput gets rid of the mappings and all user-space */
+ extern void mmput(struct mm_struct *);
++#ifdef CONFIG_RSBAC
++/* mmput gets rid of the mappings and all user-space
++ * not sleeping version. feeling like we have something in common ;)
++ * michal.
++ * */
++extern void mmput_nosleep(struct mm_struct *);
++#endif
+ /* Grab a reference to a task's mm, if it is not already going away */
+ extern struct mm_struct *get_task_mm(struct task_struct *task);
+ /* Remove the current tasks stale references to the old mm_struct */
+@@ -2260,7 +2278,12 @@ extern int disallow_signal(int);
+ extern int do_execve(const char *,
+ 		     const char __user * const __user *,
+ 		     const char __user * const __user *, struct pt_regs *);
++
++#ifdef CONFIG_RSBAC
++extern long do_fork(unsigned long long, unsigned long, struct pt_regs *, unsigned long, int __user *, int __user *);
++#else
+ extern long do_fork(unsigned long, unsigned long, struct pt_regs *, unsigned long, int __user *, int __user *);
++#endif
+ struct task_struct *fork_idle(int);
+ 
+ extern void set_task_comm(struct task_struct *tsk, char *from);
+diff --git a/include/rsbac/aci.h b/include/rsbac/aci.h
+new file mode 100644
+index 0000000..1bbeec5
+--- /dev/null
++++ b/include/rsbac/aci.h
+@@ -0,0 +1,149 @@
++/******************************* */
++/* Rule Set Based Access Control */
++/* Author and (c) 1999-2008:     */
++/*   Amon Ott <ao@...>     */
++/* API: Data structures          */
++/* and functions for Access      */
++/* Control Information           */
++/* Last modified: 23/Sep/2008    */
++/******************************* */
++
++#ifndef __RSBAC_ACI_H
++#define __RSBAC_ACI_H
++
++#include <rsbac/types.h>
++#include <linux/init.h>
++
++/***************************************************/
++/*                   Prototypes                    */
++/***************************************************/
++
++/* All functions return 0, if no error occurred, and a negative error code  */
++/* otherwise. The error codes are defined in rsbac_error.h.                 */
++
++/****************************************************************************/
++/* Initialization, including ACI restoration for all mounted devices from   */
++/* disk. After this call, all ACI is kept in memory for performance reasons,*/
++/* but user and file/dir object ACI are written to disk on every change.    */
++
++#ifdef CONFIG_RSBAC_INIT_DELAY
++extern int rsbac_init(kdev_t root_dev);
++#else
++extern int rsbac_init(kdev_t root_dev) __init;
++#endif
++
++/* Notify RSBAC of new kernel thread */
++int rsbac_kthread_notify(rsbac_pid_t pid);
++
++/* To turn RSBAC off on umount of root device */
++extern void rsbac_off(void);
++
++/* For other kernel parts to check, whether RSBAC was initialized correctly */
++extern rsbac_boolean_t rsbac_initialized;
++
++static inline rsbac_boolean_t rsbac_is_initialized(void)
++{
++  return rsbac_initialized;
++}
++
++/* Check if the device exists */
++int rsbac_check_device(kdev_t kdev);
++
++/* Is device writable? */
++rsbac_boolean_t rsbac_writable(struct super_block * sb_p);
++
++/* When mounting a device, its ACI must be read and added to the ACI lists. */
++extern int rsbac_mount(struct vfsmount * mnt_p);
++
++/* When umounting a device, its ACI must be removed from the ACI lists. */
++extern int rsbac_umount(struct vfsmount * mnt_p);
++
++/* On pivot_root, we must unblock the dentry tree of the old root */
++/* by putting all cached rsbac.dat dentries */
++int rsbac_free_dat_dentries(void);
++
++/* Some information about the current status is also available */
++extern int rsbac_stats(void);
++
++/* Trigger internal consistency check (int: if != 0: correct errors) */
++extern int rsbac_check(int correct, int check_inode);
++
++/* RSBAC attribute saving to disk can be triggered from outside
++ * param: call lock_kernel() before disk access?
++ */
++#if defined(CONFIG_RSBAC_MAINT) || defined(CONFIG_RSBAC_AUTO_WRITE)
++extern int rsbac_write(void);
++#endif
++
++/* get the parent of a target
++ * returns -RSBAC_EINVALIDTARGET for non-fs targets
++ * and -RSBAC_ENOTFOUND, if no parent available
++ * In kernels >= 2.4.0, device_p->d_covers is used and the item is properly
++ * locked for reading, so never call with a write lock held on device_p!
++ */
++int rsbac_get_parent(enum rsbac_target_t target,
++                     union rsbac_target_id_t tid,
++                     enum rsbac_target_t * parent_target_p,
++                     union rsbac_target_id_t * parent_tid_p);
++
++/* Invalidate cached attribute values for one or all filesystem objects */
++
++#ifdef CONFIG_RSBAC_FD_CACHE
++int rsbac_fd_cache_invalidate(struct rsbac_fs_file_t * file_p);
++
++int rsbac_fd_cache_invalidate_all(void);
++#endif
++
++/****************************************************************************/
++/* For objects, users and processes all manipulation is encapsulated by the */
++/* function calls rsbac_set_attr, rsbac_get_attr and rsbac_remove_target.   */
++                          
++int rsbac_ta_get_attr(
++  rsbac_list_ta_number_t ta_number,
++  enum rsbac_switch_target_t module,
++  enum rsbac_target_t target,
++  union rsbac_target_id_t tid,
++  enum rsbac_attribute_t attr,
++  union rsbac_attribute_value_t * value,
++  rsbac_boolean_t inherit);
++
++#define rsbac_get_attr(module, target, tid, attr, value, inherit) \
++  rsbac_ta_get_attr(0, module, target, tid, attr, value, inherit)
++
++int rsbac_ta_set_attr(
++  rsbac_list_ta_number_t ta_number,
++  enum rsbac_switch_target_t module,
++  enum rsbac_target_t target,
++  union rsbac_target_id_t tid,
++  enum rsbac_attribute_t attr,
++  union rsbac_attribute_value_t value);
++
++#define rsbac_set_attr(module, target, tid, attr, value) \
++  rsbac_ta_set_attr(0, module, target, tid, attr, value)
++
++/* All RSBAC targets should be removed, if no longer needed, to prevent     */
++/* memory wasting.                                                          */
++
++int rsbac_ta_remove_target(
++  rsbac_list_ta_number_t ta_number,
++  enum rsbac_target_t target,
++  union rsbac_target_id_t tid);
++
++#define rsbac_remove_target(target, tid) \
++  rsbac_ta_remove_target(0, target, tid)
++
++int rsbac_ta_list_all_dev(rsbac_list_ta_number_t ta_number,
++                          struct rsbac_dev_desc_t ** id_pp);
++
++int rsbac_ta_list_all_user(rsbac_list_ta_number_t ta_number,
++                           rsbac_uid_t ** id_pp);
++
++int rsbac_ta_list_all_ipc(rsbac_list_ta_number_t ta_number,
++			  struct rsbac_ipc_t ** id_pp);
++	
++int rsbac_ta_list_all_group(rsbac_list_ta_number_t ta_number,
++                            rsbac_gid_t ** id_pp);
++
++int rsbac_mark_kthread(rsbac_pid_t pid);
++int rsbac_kthreads_init(void);
++#endif
+diff --git a/include/rsbac/aci_data_structures.h b/include/rsbac/aci_data_structures.h
+new file mode 100644
+index 0000000..8531227
+--- /dev/null
++++ b/include/rsbac/aci_data_structures.h
+@@ -0,0 +1,1852 @@
++/**************************************/
++/* Rule Set Based Access Control      */
++/* Author and (c) 1999-2008: Amon Ott */
++/* Data structures                    */
++/* Last modified: 11/Sep/2008         */
++/**************************************/
++
++#ifndef __RSBAC_DATA_STRUC_H
++#define __RSBAC_DATA_STRUC_H
++
++#ifdef __KERNEL__		/* only include in kernel code */
++#include <linux/types.h>
++#include <linux/fs.h>
++#include <linux/wait.h>
++#include <linux/interrupt.h>
++#include <linux/semaphore.h>
++#include <linux/sched.h>
++#include <rsbac/types.h>
++#include <linux/spinlock.h>
++#include <rsbac/pm_types.h>
++#include <rsbac/rc_types.h>
++#include <rsbac/aci.h>
++#include <rsbac/debug.h>
++#include <rsbac/lists.h>
++#endif				/* __KERNEL__ */
++
++#ifdef __KERNEL__
++
++/* List to keep mounts before init, so that we can rsbac_mount them at init */
++
++struct rsbac_mount_list_t {
++	struct vfsmount * mnt_p;
++	struct rsbac_mount_list_t * next;
++};
++
++/* First of all we define dirname and filenames for saving the ACIs to disk. */
++/* The path must be a valid single dir name! Each mounted device gets its    */
++/* own file set, residing in 'DEVICE_ROOT/RSBAC_ACI_PATH/'.                  */
++/* The dynamic data structures for PM, RC and ACL are kept in their own files.*/
++/* All user access to these files will be denied.                            */
++/* Backups are kept in FILENAMEb.                                            */
++
++#define RSBAC_LOG_BUF_LEN (16384)
++
++#define RSBAC_ACI_PATH          "rsbac.dat"
++
++#define RSBAC_GEN_FD_NAME       "fd_gen"
++#define RSBAC_GEN_OLD_FD_NAME   "fd_gen."
++#define RSBAC_MAC_FD_NAME       "fd_mac"
++#define RSBAC_MAC_OLD_FD_NAME   "fd_mac."
++#define RSBAC_PM_FD_NAME        "fd_pm"
++#define RSBAC_PM_OLD_FD_NAME    "fd_pm."
++#define RSBAC_DAZ_FD_NAME       "fd_dazt"
++#define RSBAC_DAZ_OLD_FD_NAME   "fd_dazt."
++#define RSBAC_DAZ_SCANNED_FD_NAME "fd_dazs"
++#define RSBAC_DAZ_SCANNED_OLD_FD_NAME "fd_dazs."
++#define RSBAC_FF_FD_NAME        "fd_ff"
++#define RSBAC_FF_OLD_FD_NAME    "fd_ff."
++#define RSBAC_RC_FD_NAME        "fd_rc"
++#define RSBAC_RC_OLD_FD_NAME    "fd_rc."
++#define RSBAC_AUTH_FD_NAME      "fd_auth"
++#define RSBAC_AUTH_OLD_FD_NAME  "fd_auth."
++#define RSBAC_CAP_FD_NAME       "fd_cap"
++#define RSBAC_CAP_OLD_FD_NAME   "fd_cap."
++#define RSBAC_PAX_FD_NAME       "fd_pax"
++#define RSBAC_PAX_OLD_FD_NAME   "fd_pax."
++#define RSBAC_RES_FD_NAME       "fd_res"
++#define RSBAC_RES_OLD_FD_NAME   "fd_res."
++
++#define RSBAC_ACI_USER_NAME     "useraci"
++/* dir creation mode for discretionary access control: no rights*/
++#define RSBAC_ACI_DIR_MODE       (S_IFDIR)
++/* file creation mode for discretionary access control: rw for user only*/
++#define RSBAC_ACI_FILE_MODE      (S_IFREG | S_IRUSR | S_IWUSR)
++/* minimal mem chunk size available to try write_partial_fd_list, else defer */
++#define RSBAC_MIN_WRITE_FD_BUF_LEN 32768
++/* max size for write_chunks */
++#define RSBAC_MAX_WRITE_CHUNK ((1 << 15) - 1)
++
++#define RSBAC_GEN_NR_FD_LISTS  2
++#define RSBAC_MAC_NR_FD_LISTS  4
++#define RSBAC_PM_NR_FD_LISTS   2
++#define RSBAC_DAZ_NR_FD_LISTS   2
++#define RSBAC_DAZ_SCANNED_NR_FD_LISTS 4
++#define RSBAC_FF_NR_FD_LISTS   4
++#define RSBAC_RC_NR_FD_LISTS   4
++#define RSBAC_AUTH_NR_FD_LISTS 2
++#define RSBAC_CAP_NR_FD_LISTS  2
++#define RSBAC_PAX_NR_FD_LISTS  2
++#define RSBAC_RES_NR_FD_LISTS  2
++
++#ifdef CONFIG_RSBAC_INIT_THREAD
++/* Check and set init timeout */
++#if CONFIG_RSBAC_MAX_INIT_TIME >= 5
++#define RSBAC_MAX_INIT_TIME CONFIG_RSBAC_MAX_INIT_TIME
++#else
++#define RSBAC_MAX_INIT_TIME 5
++#endif
++#endif				/* INIT_THREAD */
++
++#endif				/* __KERNEL__ */
++
++/* The following structures privide attributes for all possible targets.  */
++/* The data structures are kept in double linked lists, and are optimized */
++/* by hash functions.                                                     */
++
++/* Only ATTRIBUTES are saved in those structures, that are saved to disk, */
++/* because saving sublists means breaking up the structures for every     */
++/* single list.                                                           */
++/* If a list of policy dependant items is to be stored, this is done in   */
++/* the policy dependant data structures. Here only an ID as a handle is   */
++/* supported.                                                             */
++
++/* OK, first we define the file/dir ACI, holding all file/dir information */
++/* the ADF needs for decisions.                                           */
++
++/* Caution: whenever ACI changes, version and old_version should be increased!            */
++
++// #define CONFIG_RSBAC_FD_CACHE 1
++
++#ifdef CONFIG_RSBAC_FD_CACHE
++#define RSBAC_FD_CACHE_NAME       "fd_cache."
++#define RSBAC_FD_CACHE_VERSION 1
++#define RSBAC_FD_CACHE_KEY 3626114
++//#define RSBAC_FD_CACHE_TTL 3600
++struct rsbac_fd_cache_desc_t {
++	__u32            device;
++	rsbac_inode_nr_t inode;
++};
++#endif
++
++#define RSBAC_GEN_FD_ACI_VERSION 8
++#define RSBAC_GEN_FD_ACI_KEY 1001
++struct rsbac_gen_fd_aci_t {
++	rsbac_log_array_t log_array_low;	/* file/dir based logging, */
++	rsbac_log_array_t log_array_high;	/* high and low bits */
++	rsbac_request_vector_t log_program_based;	/* Program based logging */
++	rsbac_enum_t symlink_add_remote_ip;
++	rsbac_enum_t symlink_add_uid;
++	rsbac_enum_t symlink_add_mac_level;
++	rsbac_enum_t symlink_add_rc_role;
++	rsbac_enum_t linux_dac_disable;
++	rsbac_fake_root_uid_int_t fake_root_uid;
++	rsbac_uid_t auid_exempt;
++	rsbac_um_set_t vset;
++};
++#define DEFAULT_GEN_FD_ACI \
++    { \
++      .log_array_low = -1, \
++      .log_array_high = -1, \
++      .log_program_based = 0, \
++      .symlink_add_uid = FALSE, \
++      .symlink_add_mac_level = FALSE, \
++      .symlink_add_rc_role = FALSE, \
++      .linux_dac_disable = LDD_inherit, \
++      .fake_root_uid = FR_off, \
++      .auid_exempt = RSBAC_NO_USER, \
++      .vset = RSBAC_UM_VIRTUAL_KEEP, \
++    }
++
++#define DEFAULT_GEN_ROOT_DIR_ACI \
++    { \
++      .log_array_low = -1, \
++      .log_array_high = -1, \
++      .log_program_based = 0, \
++      .symlink_add_uid = FALSE, \
++      .symlink_add_mac_level = FALSE, \
++      .symlink_add_rc_role = FALSE, \
++      .linux_dac_disable = LDD_false, \
++      .fake_root_uid = FR_off, \
++      .auid_exempt = RSBAC_NO_USER, \
++      .vset = RSBAC_UM_VIRTUAL_KEEP, \
++    }
++
++#define RSBAC_GEN_FD_OLD_ACI_VERSION 7
++struct rsbac_gen_fd_old_aci_t {
++	rsbac_log_array_t log_array_low;	/* file/dir based logging, */
++	rsbac_log_array_t log_array_high;	/* high and low bits */
++	rsbac_request_vector_t log_program_based;	/* Program based logging */
++	rsbac_enum_t symlink_add_remote_ip;
++	rsbac_enum_t symlink_add_uid;
++	rsbac_enum_t symlink_add_mac_level;
++	rsbac_enum_t symlink_add_rc_role;
++	rsbac_enum_t linux_dac_disable;
++	rsbac_fake_root_uid_int_t fake_root_uid;
++	rsbac_old_uid_t auid_exempt;
++};
++#define RSBAC_GEN_FD_OLD_OLD_ACI_VERSION 6
++struct rsbac_gen_fd_old_old_aci_t {
++	rsbac_log_array_t log_array_low;	/* file/dir based logging, */
++	rsbac_log_array_t log_array_high;	/* high and low bits */
++	rsbac_request_vector_t log_program_based;	/* Program based logging */
++	rsbac_enum_t symlink_add_uid;
++	rsbac_enum_t symlink_add_mac_level;
++	rsbac_enum_t symlink_add_rc_role;
++	rsbac_enum_t linux_dac_disable;
++	rsbac_fake_root_uid_int_t fake_root_uid;
++	rsbac_old_uid_t auid_exempt;
++};
++
++#define RSBAC_GEN_FD_OLD_OLD_OLD_ACI_VERSION 5
++struct rsbac_gen_fd_old_old_old_aci_t {
++	rsbac_log_array_t log_array_low;	/* file/dir based logging, */
++	rsbac_log_array_t log_array_high;	/* high and low bits */
++	rsbac_request_vector_t log_program_based;	/* Program based logging */
++	rsbac_enum_t symlink_add_uid;
++	rsbac_enum_t symlink_add_mac_level;
++	rsbac_enum_t symlink_add_rc_role;
++	rsbac_enum_t linux_dac_disable;
++	rsbac_fake_root_uid_int_t fake_root_uid;
++};
++
++#if defined(CONFIG_RSBAC_MAC)
++#define RSBAC_MAC_FD_ACI_VERSION 5
++#define RSBAC_MAC_FD_ACI_KEY 1001
++struct rsbac_mac_fd_aci_t {
++	rsbac_security_level_t sec_level;	/* MAC */
++	rsbac_mac_category_vector_t mac_categories;	/* MAC category set */
++	rsbac_mac_auto_int_t mac_auto;	/* auto-adjust current level */
++	rsbac_boolean_int_t mac_prop_trusted;	/* Keep trusted flag when executing this file */
++	rsbac_mac_file_flags_t mac_file_flags;	/* allow write_up, read_up etc. to it */
++};
++
++#define RSBAC_MAC_FD_OLD_ACI_VERSION 4
++struct rsbac_mac_fd_old_aci_t {
++	rsbac_security_level_t sec_level;	/* MAC */
++	rsbac_uid_t mac_trusted_for_user;	/* MAC (for FILE only) */
++	rsbac_mac_category_vector_t mac_categories;	/* MAC category set */
++	rsbac_mac_auto_int_t mac_auto;	/* auto-adjust current level */
++	rsbac_boolean_int_t mac_prop_trusted;	/* Keep trusted flag when executing this file */
++	rsbac_mac_file_flags_t mac_file_flags;	/* allow write_up, read_up etc. to it */
++};
++
++#define RSBAC_MAC_FD_OLD_OLD_ACI_VERSION 3
++struct rsbac_mac_fd_old_old_aci_t {
++	rsbac_security_level_t sec_level;	/* MAC */
++	rsbac_uid_t mac_trusted_for_user;	/* MAC (for FILE only) */
++	rsbac_mac_category_vector_t mac_categories;	/* MAC category set */
++	rsbac_mac_auto_int_t mac_auto;	/* auto-adjust current level */
++	rsbac_boolean_int_t mac_prop_trusted;	/* Keep trusted flag when executing this file */
++	rsbac_boolean_int_t mac_shared;	/* Shared dir, i.e., allow write_up to it */
++};
++
++#define RSBAC_MAC_FD_OLD_OLD_OLD_ACI_VERSION 2
++struct rsbac_mac_fd_old_old_old_aci_t {
++	rsbac_security_level_t sec_level;	/* MAC */
++	rsbac_uid_t mac_trusted_for_user;	/* MAC (for FILE only) */
++	rsbac_mac_category_vector_t mac_categories;	/* MAC category set */
++	rsbac_mac_auto_int_t mac_auto;	/* auto-adjust current level */
++};
++
++#define DEFAULT_MAC_FD_ACI_INH \
++    { \
++      .sec_level = SL_inherit, \
++      .mac_categories = RSBAC_MAC_INHERIT_CAT_VECTOR, \
++      .mac_auto = MA_inherit, \
++      .mac_prop_trusted = FALSE, \
++      .mac_file_flags = 0, \
++    }
++#define DEFAULT_MAC_FD_ACI_NO_INH \
++    { \
++      .sec_level = SL_unclassified, \
++      .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
++      .mac_auto = MA_yes, \
++      .mac_prop_trusted = FALSE, \
++      .mac_file_flags = 0, \
++    }
++
++#ifdef CONFIG_RSBAC_MAC_DEF_INHERIT
++#define DEFAULT_MAC_FD_ACI DEFAULT_MAC_FD_ACI_INH
++#else
++#define DEFAULT_MAC_FD_ACI DEFAULT_MAC_FD_ACI_NO_INH
++#endif				/* MAC_DEF_INHERIT */
++
++#define DEFAULT_MAC_ROOT_DIR_ACI \
++    { \
++      .sec_level = SL_unclassified, \
++      .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
++      .mac_auto = MA_yes, \
++      .mac_prop_trusted = FALSE, \
++      .mac_file_flags = 0, \
++    }
++#endif
++
++#if defined(CONFIG_RSBAC_PM)
++#define RSBAC_PM_FD_ACI_VERSION 1
++#define RSBAC_PM_FD_ACI_KEY 1001
++struct rsbac_pm_fd_aci_t {
++	rsbac_pm_object_class_id_t pm_object_class;	/* PM  */
++	rsbac_pm_tp_id_t pm_tp;	/* PM (for FILE only) */
++	rsbac_pm_object_type_int_t pm_object_type;	/* PM (enum rsbac_pm_object_type_t -> __u8) */
++};
++
++#define DEFAULT_PM_FD_ACI \
++    { \
++      .pm_object_class = 0, \
++      .pm_tp = 0, \
++      .pm_object_type = PO_none, \
++    }
++#endif
++
++#if defined(CONFIG_RSBAC_DAZ)
++#define RSBAC_DAZ_FD_ACI_VERSION 2
++#define RSBAC_DAZ_FD_OLD_ACI_VERSION 1
++#define RSBAC_DAZ_FD_ACI_KEY 10535
++#define RSBAC_DAZ_CACHE_CLEANUP_INTERVAL 86400
++#define RSBAC_DAZ_SCANNED_FD_ACI_VERSION 1
++struct rsbac_daz_fd_aci_t            
++  {
++    rsbac_daz_scanner_t daz_scanner;       /* DAZ (for FILE only) */
++    rsbac_daz_do_scan_t daz_do_scan;
++  };
++
++struct rsbac_daz_fd_old_aci_t            
++  {
++    rsbac_daz_scanner_t   daz_scanner;       /* DAZ (for FILE only) (boolean) */
++  };
++
++#define DEFAULT_DAZ_FD_ACI \
++    { \
++      .daz_scanner = FALSE, \
++      .daz_do_scan = DEFAULT_DAZ_FD_DO_SCAN \
++    }
++
++#define DEFAULT_DAZ_ROOT_DIR_ACI \
++    { \
++      .daz_scanner = FALSE, \
++      .daz_do_scan = DEFAULT_DAZ_FD_ROOT_DO_SCAN \
++    }
++#endif
++
++#if defined(CONFIG_RSBAC_FF)
++#define RSBAC_FF_FD_ACI_VERSION 1
++#define RSBAC_FF_FD_ACI_KEY 1001
++#endif
++
++#if defined(CONFIG_RSBAC_RC)
++#define RSBAC_RC_FD_ACI_VERSION 1
++#define RSBAC_RC_FD_ACI_KEY 1001
++struct rsbac_rc_fd_aci_t {
++	rsbac_rc_type_id_t rc_type_fd;	/* RC */
++	rsbac_rc_role_id_t rc_force_role;	/* RC */
++	rsbac_rc_role_id_t rc_initial_role;	/* RC */
++};
++
++#define DEFAULT_RC_FD_ACI \
++    { \
++      .rc_type_fd = RC_type_inherit_parent, \
++      .rc_force_role = RC_default_force_role, \
++      .rc_initial_role = RC_default_initial_role, \
++    }
++#define DEFAULT_RC_ROOT_DIR_ACI \
++    { \
++      .rc_type_fd = RSBAC_RC_GENERAL_TYPE, \
++      .rc_force_role = RC_default_root_dir_force_role, \
++      .rc_initial_role = RC_default_root_dir_initial_role, \
++    }
++#endif
++
++#if defined(CONFIG_RSBAC_AUTH)
++#define RSBAC_AUTH_FD_ACI_VERSION 2
++#define RSBAC_AUTH_FD_OLD_ACI_VERSION 1
++#define RSBAC_AUTH_FD_ACI_KEY 1001
++struct rsbac_auth_fd_aci_t {
++	__u8 auth_may_setuid;	/* AUTH (enum) */
++	__u8 auth_may_set_cap;	/* AUTH (boolean) */
++	__u8 auth_learn;	/* AUTH (boolean) */
++};
++
++struct rsbac_auth_fd_old_aci_t {
++	__u8 auth_may_setuid;	/* AUTH (boolean) */
++	__u8 auth_may_set_cap;	/* AUTH (boolean) */
++};
++
++#define DEFAULT_AUTH_FD_ACI \
++    { \
++      .auth_may_setuid = FALSE, \
++      .auth_may_set_cap = FALSE, \
++      .auth_learn = FALSE, \
++    }
++#endif
++
++#if defined(CONFIG_RSBAC_CAP)
++#define RSBAC_CAP_FD_ACI_VERSION 3
++#define RSBAC_CAP_FD_OLD_ACI_VERSION 2
++#define RSBAC_CAP_FD_OLD_OLD_ACI_VERSION 1
++#define RSBAC_CAP_FD_ACI_KEY 1001
++struct rsbac_cap_fd_aci_t {
++	rsbac_cap_vector_t min_caps;	/* Program forced minimum Linux capabilities */
++	rsbac_cap_vector_t max_caps;	/* Program max Linux capabilities */
++	rsbac_cap_ld_env_int_t cap_ld_env;
++};
++
++struct rsbac_cap_fd_old_aci_t {
++        rsbac_cap_old_vector_t min_caps;    /* Program forced minimum Linux capabilities */
++        rsbac_cap_old_vector_t max_caps;    /* Program max Linux capabilities */
++        rsbac_cap_ld_env_int_t cap_ld_env;
++};
++
++struct rsbac_cap_fd_old_old_aci_t {
++	rsbac_cap_old_vector_t min_caps;
++	rsbac_cap_old_vector_t max_caps;
++};
++
++#define DEFAULT_CAP_FD_ACI \
++    { \
++      .min_caps.cap[0] = RSBAC_CAP_DEFAULT_MIN, \
++      .max_caps.cap[0] = RSBAC_CAP_DEFAULT_MAX, \
++      .min_caps.cap[1] = RSBAC_CAP_DEFAULT_MIN, \
++      .max_caps.cap[1] = RSBAC_CAP_DEFAULT_MAX, \
++      .cap_ld_env = LD_keep, \
++    }
++#endif
++
++#if defined(CONFIG_RSBAC_PAX)
++#define RSBAC_PAX_FD_ACI_VERSION 1
++#define RSBAC_PAX_FD_ACI_KEY 100112
++#endif
++
++#if defined(CONFIG_RSBAC_RES)
++#define RSBAC_RES_FD_ACI_VERSION 1
++#define RSBAC_RES_FD_ACI_KEY 1002
++struct rsbac_res_fd_aci_t {
++	rsbac_res_array_t res_min;
++	rsbac_res_array_t res_max;
++};
++#define DEFAULT_RES_FD_ACI \
++    { \
++      .res_min = { \
++        RSBAC_RES_UNSET,           /* cpu time */ \
++        RSBAC_RES_UNSET,           /* file size */ \
++        RSBAC_RES_UNSET,           /* process data segment size */ \
++        RSBAC_RES_UNSET,           /* stack size */ \
++        RSBAC_RES_UNSET,           /* core dump size */ \
++        RSBAC_RES_UNSET,           /* resident memory set size */ \
++        RSBAC_RES_UNSET,           /* number of processes for this user */ \
++        RSBAC_RES_UNSET,           /* number of files */ \
++        RSBAC_RES_UNSET,           /* locked-in-memory address space */ \
++        RSBAC_RES_UNSET,           /* address space (virtual memory) limit */ \
++        RSBAC_RES_UNSET            /* maximum file locks */ \
++      }, \
++      .res_max = { \
++        RSBAC_RES_UNSET,           /* cpu time */ \
++        RSBAC_RES_UNSET,           /* file size */ \
++        RSBAC_RES_UNSET,           /* process data segment size */ \
++        RSBAC_RES_UNSET,           /* stack size */ \
++        RSBAC_RES_UNSET,           /* core dump size */ \
++        RSBAC_RES_UNSET,           /* resident memory set size */ \
++        RSBAC_RES_UNSET,           /* number of processes for this user */ \
++        RSBAC_RES_UNSET,           /* number of files */ \
++        RSBAC_RES_UNSET,           /* locked-in-memory address space */ \
++        RSBAC_RES_UNSET,           /* address space (virtual memory) limit */ \
++        RSBAC_RES_UNSET            /* maximum file locks */ \
++      } \
++    }
++#endif
++
++#define RSBAC_FD_NR_ATTRIBUTES 34
++#define RSBAC_FD_ATTR_LIST { \
++      A_security_level, \
++      A_mac_categories, \
++      A_mac_auto, \
++      A_mac_prop_trusted, \
++      A_mac_file_flags, \
++      A_pm_object_class, \
++      A_pm_tp, \
++      A_pm_object_type, \
++      A_daz_scanner, \
++      A_ff_flags, \
++      A_rc_type_fd, \
++      A_rc_force_role, \
++      A_rc_initial_role, \
++      A_auth_may_setuid, \
++      A_auth_may_set_cap, \
++      A_auth_learn, \
++      A_log_array_low, \
++      A_log_array_high, \
++      A_log_program_based, \
++      A_symlink_add_remote_ip, \
++      A_symlink_add_uid, \
++      A_symlink_add_mac_level, \
++      A_symlink_add_rc_role, \
++      A_linux_dac_disable, \
++      A_min_caps, \
++      A_max_caps, \
++      A_cap_ld_env, \
++      A_res_min, \
++      A_res_max, \
++      A_pax_flags, \
++      A_fake_root_uid, \
++      A_auid_exempt, \
++      A_daz_do_scan, \
++      A_vset \
++      }
++
++#ifdef __KERNEL__
++struct rsbac_fd_list_handles_t {
++	rsbac_list_handle_t gen;
++#if defined(CONFIG_RSBAC_MAC)
++	rsbac_list_handle_t mac;
++#endif
++#if defined(CONFIG_RSBAC_PM)
++	rsbac_list_handle_t pm;
++#endif
++#if defined(CONFIG_RSBAC_DAZ)
++	rsbac_list_handle_t daz;
++#if defined(CONFIG_RSBAC_DAZ_CACHE)
++	rsbac_list_handle_t dazs;
++#endif
++#endif
++#if defined(CONFIG_RSBAC_FF)
++	rsbac_list_handle_t ff;
++#endif
++#if defined(CONFIG_RSBAC_RC)
++	rsbac_list_handle_t rc;
++#endif
++#if defined(CONFIG_RSBAC_AUTH)
++	rsbac_list_handle_t auth;
++#endif
++#if defined(CONFIG_RSBAC_CAP)
++	rsbac_list_handle_t cap;
++#endif
++#if defined(CONFIG_RSBAC_PAX)
++	rsbac_list_handle_t pax;
++#endif
++#if defined(CONFIG_RSBAC_RES)
++	rsbac_list_handle_t res;
++#endif
++};
++
++/* The list of devices is also a double linked list, so we define list    */
++/* items and a list head.                                                 */
++
++/* Hash size. Must be power of 2. */
++
++#define RSBAC_NR_DEVICE_LISTS 8
++
++struct rsbac_device_list_item_t {
++	kdev_t id;
++	u_int mount_count;
++	struct rsbac_fd_list_handles_t handles;
++	struct dentry *rsbac_dir_dentry_p;
++	struct vfsmount *mnt_p;
++	rsbac_inode_nr_t rsbac_dir_inode;
++	struct rsbac_device_list_item_t *prev;
++	struct rsbac_device_list_item_t *next;
++};
++
++/* To provide consistency we use spinlocks for all list accesses. The     */
++/* 'curr' entry is used to avoid repeated lookups for the same item.       */
++
++struct rsbac_device_list_head_t {
++	struct rsbac_device_list_item_t *head;
++	struct rsbac_device_list_item_t *tail;
++	struct rsbac_device_list_item_t *curr;
++	u_int count;
++};
++
++#endif				/* __KERNEL__ */
++
++/******************************/
++/* OK, now we define the block/char device ACI, holding all dev information */
++/* the ADF needs for decisions.                                           */
++
++#define RSBAC_GEN_ACI_DEV_NAME       "dev_gen"
++#define RSBAC_MAC_ACI_DEV_NAME       "dev_mac"
++#define RSBAC_PM_ACI_DEV_NAME        "dev_pm"
++#define RSBAC_RC_ACI_DEV_MAJOR_NAME  "devm_rc"
++#define RSBAC_RC_ACI_DEV_NAME        "dev_rc"
++
++/* Caution: whenever ACI changes, version should be increased!            */
++
++#define RSBAC_GEN_DEV_ACI_VERSION 2
++#define RSBAC_GEN_DEV_OLD_ACI_VERSION 1
++#define RSBAC_GEN_DEV_ACI_KEY 1001
++
++struct rsbac_gen_dev_aci_t {
++	rsbac_log_array_t log_array_low;	/* dev based logging, */
++	rsbac_log_array_t log_array_high;	/* high and low bits */
++};
++#define DEFAULT_GEN_DEV_ACI \
++    { \
++      .log_array_low = -1, \
++      .log_array_high = -1, \
++    }
++
++#if defined(CONFIG_RSBAC_MAC)
++#define RSBAC_MAC_DEV_ACI_VERSION 2
++#define RSBAC_MAC_DEV_OLD_ACI_VERSION 1
++#define RSBAC_MAC_DEV_ACI_KEY 1001
++struct rsbac_mac_dev_aci_t {
++	rsbac_security_level_t sec_level;	/* MAC */
++	rsbac_mac_category_vector_t mac_categories;	/* MAC category set */
++	__u8 mac_check;		/* MAC (boolean) */
++};
++#define DEFAULT_MAC_DEV_ACI \
++    { \
++      .sec_level = SL_unclassified, \
++      .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
++      .mac_check = FALSE, \
++    }
++#endif
++
++#if defined(CONFIG_RSBAC_PM)
++#define RSBAC_PM_DEV_ACI_VERSION 2
++#define RSBAC_PM_DEV_OLD_ACI_VERSION 1
++#define RSBAC_PM_DEV_ACI_KEY 1001
++struct rsbac_pm_dev_aci_t {
++	rsbac_pm_object_type_int_t pm_object_type;	/* PM (enum rsbac_pm_object_type_t) */
++	rsbac_pm_object_class_id_t pm_object_class;	/* dev only */
++};
++
++#define DEFAULT_PM_DEV_ACI \
++    { \
++      .pm_object_type = PO_none, \
++      .pm_object_class = 0, \
++    }
++#endif
++
++#if defined(CONFIG_RSBAC_RC)
++#define RSBAC_RC_DEV_ACI_VERSION 2
++#define RSBAC_RC_DEV_OLD_ACI_VERSION 1
++#define RSBAC_RC_DEV_ACI_KEY 1001
++#endif
++
++#define RSBAC_DEV_NR_ATTRIBUTES 8
++#define RSBAC_DEV_ATTR_LIST { \
++      A_security_level, \
++      A_mac_categories, \
++      A_mac_check, \
++      A_pm_object_type, \
++      A_pm_object_class, \
++      A_rc_type, \
++      A_log_array_low, \
++      A_log_array_high \
++      }
++
++#ifdef __KERNEL__
++struct rsbac_dev_handles_t {
++	rsbac_list_handle_t gen;
++#if defined(CONFIG_RSBAC_MAC)
++	rsbac_list_handle_t mac;
++#endif
++#if defined(CONFIG_RSBAC_PM)
++	rsbac_list_handle_t pm;
++#endif
++#if defined(CONFIG_RSBAC_RC)
++	rsbac_list_handle_t rc;
++#endif
++};
++#endif				/* __KERNEL__ */
++
++/**************************************************************************/
++/* Next we define the ipc ACI, holding all ipc information                */
++/* the ADF needs for decisions.                                           */
++
++#define RSBAC_MAC_ACI_IPC_NAME   "ipc_mac"
++#define RSBAC_PM_ACI_IPC_NAME    "ipc_pm"
++#define RSBAC_RC_ACI_IPC_NAME    "ipc_rc"
++#define RSBAC_JAIL_ACI_IPC_NAME  "ipc_jai"
++
++#if defined(CONFIG_RSBAC_MAC)
++#define RSBAC_MAC_IPC_ACI_VERSION 1
++#define RSBAC_MAC_IPC_ACI_KEY 1001
++struct rsbac_mac_ipc_aci_t {
++	rsbac_security_level_t sec_level;	/* enum old_rsbac_security_level_t / __u8 */
++	rsbac_mac_category_vector_t mac_categories;	/* MAC category set */
++};
++#define DEFAULT_MAC_IPC_ACI \
++    { \
++      .sec_level = SL_unclassified, \
++      .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
++    }
++#endif
++
++#if defined(CONFIG_RSBAC_PM)
++#define RSBAC_PM_IPC_ACI_VERSION 1
++#define RSBAC_PM_IPC_ACI_KEY 1001
++struct rsbac_pm_ipc_aci_t {
++	rsbac_pm_object_class_id_t pm_object_class;	/* ipc only */
++	rsbac_pm_purpose_id_t pm_ipc_purpose;
++	rsbac_pm_object_type_int_t pm_object_type;	/* enum rsbac_pm_object_type_t */
++};
++#define DEFAULT_PM_IPC_ACI \
++    { \
++      .pm_object_class = RSBAC_PM_IPC_OBJECT_CLASS_ID, \
++      .pm_ipc_purpose = 0, \
++      .pm_object_type = PO_ipc, \
++    }
++#endif
++
++#if defined(CONFIG_RSBAC_RC)
++#define RSBAC_RC_IPC_ACI_VERSION 1
++#define RSBAC_RC_IPC_ACI_KEY 1001
++#endif
++
++#if defined(CONFIG_RSBAC_JAIL)
++#define RSBAC_JAIL_IPC_ACI_VERSION 1
++#define RSBAC_JAIL_IPC_ACI_KEY 1001
++#endif
++
++#define RSBAC_IPC_NR_ATTRIBUTES 7
++#define RSBAC_IPC_ATTR_LIST { \
++      A_security_level, \
++      A_mac_categories, \
++      A_pm_object_class, \
++      A_pm_ipc_purpose, \
++      A_pm_object_type, \
++      A_rc_type, \
++      A_jail_id \
++      }
++
++#ifdef __KERNEL__
++struct rsbac_ipc_handles_t {
++#if defined(CONFIG_RSBAC_MAC)
++	rsbac_list_handle_t mac;
++#endif
++#if defined(CONFIG_RSBAC_PM)
++	rsbac_list_handle_t pm;
++#endif
++#if defined(CONFIG_RSBAC_RC)
++	rsbac_list_handle_t rc;
++#endif
++#if defined(CONFIG_RSBAC_JAIL)
++	rsbac_list_handle_t jail;
++#endif
++};
++#endif				/* __KERNEL__ */
++
++/*************************************/
++/* The user ACI holds all user information the ADF needs. */
++
++#define RSBAC_GEN_ACI_USER_NAME   "u_gen"
++#define RSBAC_MAC_ACI_USER_NAME   "u_mac"
++#define RSBAC_PM_ACI_USER_NAME    "u_pm"
++#define RSBAC_DAZ_ACI_USER_NAME    "u_daz"
++#define RSBAC_FF_ACI_USER_NAME    "u_ff"
++#define RSBAC_RC_ACI_USER_NAME    "u_rc"
++#define RSBAC_AUTH_ACI_USER_NAME  "u_auth"
++#define RSBAC_CAP_ACI_USER_NAME   "u_cap"
++#define RSBAC_JAIL_ACI_USER_NAME  "u_jail"
++#define RSBAC_PAX_ACI_USER_NAME   "u_pax"
++#define RSBAC_RES_ACI_USER_NAME   "u_res"
++
++#define RSBAC_GEN_USER_ACI_VERSION 2
++#define RSBAC_GEN_USER_OLD_ACI_VERSION 1
++#define RSBAC_GEN_USER_ACI_KEY 1001
++struct rsbac_gen_user_aci_t {
++	rsbac_pseudo_t pseudo;
++	rsbac_request_vector_t log_user_based;	/* User based logging */
++};
++#define DEFAULT_GEN_U_ACI \
++    { \
++      .pseudo = (rsbac_pseudo_t) 0, \
++      .log_user_based = 0, \
++    }
++
++#if defined(CONFIG_RSBAC_MAC)
++#define RSBAC_MAC_USER_ACI_VERSION 5
++#define RSBAC_MAC_USER_OLD_ACI_VERSION 4
++#define RSBAC_MAC_USER_OLD_OLD_ACI_VERSION 3
++#define RSBAC_MAC_USER_OLD_OLD_OLD_ACI_VERSION 2
++#define RSBAC_MAC_USER_OLD_OLD_OLD_OLD_ACI_VERSION 1
++#define RSBAC_MAC_USER_ACI_KEY 1001
++struct rsbac_mac_user_aci_t {
++	rsbac_security_level_t security_level;	/* maximum level */
++	rsbac_security_level_t initial_security_level;	/* maximum level */
++	rsbac_security_level_t min_security_level;	/* minimum level / __u8 */
++	rsbac_mac_category_vector_t mac_categories;	/* MAC max category set */
++	rsbac_mac_category_vector_t mac_initial_categories;	/* MAC max category set */
++	rsbac_mac_category_vector_t mac_min_categories;	/* MAC min category set */
++	rsbac_system_role_int_t system_role;	/* enum rsbac_system_role_t */
++	rsbac_mac_user_flags_t mac_user_flags;	/* flags (override, trusted, allow_auto etc.) */
++};
++struct rsbac_mac_user_old_aci_t {
++	rsbac_security_level_t access_appr;	/* maximum level */
++	rsbac_security_level_t min_access_appr;	/* minimum level / __u8 */
++	rsbac_mac_category_vector_t mac_categories;	/* MAC max category set */
++	rsbac_mac_category_vector_t mac_min_categories;	/* MAC min category set */
++	rsbac_system_role_int_t system_role;	/* enum rsbac_system_role_t */
++	rsbac_boolean_int_t mac_allow_auto;	/* allow to auto-adjust current level */
++};
++struct rsbac_mac_user_old_old_aci_t {
++	rsbac_security_level_t access_appr;	/* maximum level */
++	rsbac_security_level_t min_access_appr;	/* minimum level / __u8 */
++	rsbac_mac_category_vector_t mac_categories;	/* MAC max category set */
++	rsbac_mac_category_vector_t mac_min_categories;	/* MAC min category set */
++	rsbac_system_role_int_t system_role;	/* enum rsbac_system_role_t */
++};
++struct rsbac_mac_user_old_old_old_aci_t {
++	rsbac_security_level_t access_appr;	/* enum old_rsbac_security_level_t / __u8 */
++	rsbac_mac_category_vector_t mac_categories;	/* MAC category set */
++	rsbac_system_role_int_t system_role;	/* enum rsbac_system_role_t */
++};
++#define DEFAULT_MAC_U_ACI \
++    { \
++      .security_level = SL_unclassified, \
++      .initial_security_level = SL_unclassified, \
++      .min_security_level = SL_unclassified, \
++      .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
++      .mac_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
++      .mac_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
++      .system_role = SR_user, \
++      .mac_user_flags = RSBAC_MAC_DEF_U_FLAGS, \
++    }
++#define DEFAULT_MAC_U_SYSADM_ACI \
++    { \
++      .security_level = SL_unclassified, \
++      .initial_security_level = SL_unclassified, \
++      .min_security_level = SL_unclassified, \
++      .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
++      .mac_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
++      .mac_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
++      .system_role = SR_administrator, \
++      .mac_user_flags = RSBAC_MAC_DEF_SYSADM_U_FLAGS, \
++    }
++#define DEFAULT_MAC_U_SECOFF_ACI \
++    { \
++      .security_level = SL_unclassified, \
++      .initial_security_level = SL_unclassified, \
++      .min_security_level = SL_unclassified, \
++      .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
++      .mac_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
++      .mac_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
++      .system_role = SR_security_officer, \
++      .mac_user_flags = RSBAC_MAC_DEF_SECOFF_U_FLAGS, \
++    }
++#define DEFAULT_MAC_U_AUDITOR_ACI \
++    { \
++      .security_level = SL_unclassified, \
++      .initial_security_level = SL_unclassified, \
++      .min_security_level = SL_unclassified, \
++      .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
++      .mac_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
++      .mac_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
++      .system_role = SR_auditor, \
++      .mac_user_flags = RSBAC_MAC_DEF_U_FLAGS, \
++    }
++#endif
++
++#if defined(CONFIG_RSBAC_PM)
++#define RSBAC_PM_USER_ACI_VERSION 2
++#define RSBAC_PM_USER_OLD_ACI_VERSION 1
++#define RSBAC_PM_USER_ACI_KEY 1001
++struct rsbac_pm_user_aci_t {
++	rsbac_pm_task_set_id_t pm_task_set;
++	rsbac_pm_role_int_t pm_role;	/* enum rsbac_pm_role_t */
++};
++#define DEFAULT_PM_U_ACI \
++    { \
++      .pm_task_set = 0, \
++      .pm_role = PR_user, \
++    }
++#define DEFAULT_PM_U_SYSADM_ACI \
++    { \
++      .pm_task_set = 0, \
++      .pm_role = PR_system_admin, \
++    }
++#define DEFAULT_PM_U_SECOFF_ACI \
++    { \
++      .pm_task_set = 0, \
++      .pm_role = PR_security_officer, \
++    }
++#define DEFAULT_PM_U_DATAPROT_ACI \
++    { \
++      .pm_task_set = 0, \
++      .pm_role = PR_data_protection_officer, \
++    }
++#define DEFAULT_PM_U_TPMAN_ACI \
++    { \
++      .pm_task_set = 0, \
++      .pm_role = PR_tp_manager, \
++    }
++#endif
++
++#if defined(CONFIG_RSBAC_DAZ)
++#define RSBAC_DAZ_USER_ACI_VERSION 2
++#define RSBAC_DAZ_USER_OLD_ACI_VERSION 1
++#define RSBAC_DAZ_USER_ACI_KEY 1001
++#endif
++
++#if defined(CONFIG_RSBAC_FF)
++#define RSBAC_FF_USER_ACI_VERSION 2
++#define RSBAC_FF_USER_OLD_ACI_VERSION 1
++#define RSBAC_FF_USER_ACI_KEY 1001
++#endif
++
++#if defined(CONFIG_RSBAC_RC)
++#define RSBAC_RC_USER_ACI_VERSION 3
++#define RSBAC_RC_USER_OLD_ACI_VERSION 2
++#define RSBAC_RC_USER_OLD_OLD_ACI_VERSION 1
++#define RSBAC_RC_USER_ACI_KEY 1001
++struct rsbac_rc_user_aci_t {
++	rsbac_rc_role_id_t rc_role;
++	rsbac_rc_type_id_t rc_type;
++};
++#define DEFAULT_RC_U_ACI \
++    { \
++      .rc_role = RSBAC_RC_GENERAL_ROLE, \
++      .rc_type = RSBAC_RC_GENERAL_TYPE, \
++    }
++#define DEFAULT_RC_U_SYSADM_ACI \
++    { \
++      .rc_role = RSBAC_RC_SYSTEM_ADMIN_ROLE, /* rc_role (RC) */ \
++      .rc_type = RSBAC_RC_SYS_TYPE, \
++    }
++#define DEFAULT_RC_U_SECOFF_ACI \
++    { \
++      .rc_role = RSBAC_RC_ROLE_ADMIN_ROLE, /* rc_role (RC) */ \
++      .rc_type = RSBAC_RC_SEC_TYPE, \
++    }
++#define DEFAULT_RC_U_AUDITOR_ACI \
++    { \
++      .rc_role = RSBAC_RC_AUDITOR_ROLE, /* rc_role (RC) */ \
++      .rc_type = RSBAC_RC_SEC_TYPE, \
++    }
++#endif
++
++#if defined(CONFIG_RSBAC_AUTH)
++#define RSBAC_AUTH_USER_ACI_VERSION 2
++#define RSBAC_AUTH_USER_OLD_ACI_VERSION 1
++#define RSBAC_AUTH_USER_ACI_KEY 1001
++
++#endif				/* AUTH */
++
++#if defined(CONFIG_RSBAC_CAP)
++#define RSBAC_CAP_USER_ACI_VERSION 4
++#define RSBAC_CAP_USER_OLD_ACI_VERSION 3
++#define RSBAC_CAP_USER_OLD_OLD_ACI_VERSION 2
++#define RSBAC_CAP_USER_OLD_OLD_OLD_ACI_VERSION 1
++#define RSBAC_CAP_USER_ACI_KEY 1001
++struct rsbac_cap_user_aci_t {
++	rsbac_system_role_int_t cap_role;	/* System role for CAP administration */
++	rsbac_cap_vector_t min_caps;	        /* User forced minimum Linux capabilities */
++	rsbac_cap_vector_t max_caps;	        /* User max Linux capabilities */
++        rsbac_cap_ld_env_int_t cap_ld_env;
++};
++
++struct rsbac_cap_user_old_aci_t {
++	rsbac_system_role_int_t cap_role;       /* System role for CAP administration */
++	rsbac_cap_old_vector_t min_caps;            /* User forced minimum Linux capabilities */
++	rsbac_cap_old_vector_t max_caps;            /* User max Linux capabilities */
++	rsbac_cap_ld_env_int_t cap_ld_env;
++};
++
++struct rsbac_cap_user_old_old_aci_t {
++	rsbac_system_role_int_t cap_role;	/* System role for CAP administration */
++	rsbac_cap_old_vector_t min_caps;	        /* User forced minimum Linux capabilities */
++	rsbac_cap_old_vector_t max_caps;	        /* User max Linux capabilities */
++        rsbac_cap_ld_env_int_t cap_ld_env;
++};
++
++struct rsbac_cap_user_old_old_old_aci_t {
++	rsbac_system_role_int_t cap_role;       /* System role for CAP administration */
++	rsbac_cap_old_vector_t min_caps;        /* User forced minimum Linux capabilities */
++	rsbac_cap_old_vector_t max_caps;        /* User max Linux capabilities */
++};
++
++#define DEFAULT_CAP_U_ACI \
++    { \
++      .cap_role = SR_user, \
++      .min_caps.cap[0] = RSBAC_CAP_DEFAULT_MIN, \
++      .max_caps.cap[0] = RSBAC_CAP_DEFAULT_MAX, \
++      .min_caps.cap[1] = RSBAC_CAP_DEFAULT_MIN, \
++      .max_caps.cap[1] = RSBAC_CAP_DEFAULT_MAX, \
++      .cap_ld_env = LD_keep, \
++    }
++#define DEFAULT_CAP_U_SYSADM_ACI \
++    { \
++      .cap_role = SR_administrator, \
++      .min_caps.cap[0] = RSBAC_CAP_DEFAULT_MIN, \
++      .max_caps.cap[0] = RSBAC_CAP_DEFAULT_MAX, \
++      .min_caps.cap[1] = RSBAC_CAP_DEFAULT_MIN, \
++      .max_caps.cap[1] = RSBAC_CAP_DEFAULT_MAX, \
++      .cap_ld_env = LD_keep, \
++    }
++#define DEFAULT_CAP_U_SECOFF_ACI \
++    { \
++      .cap_role = SR_security_officer, \
++      .min_caps.cap[0] = RSBAC_CAP_DEFAULT_MIN, \
++      .max_caps.cap[0] = RSBAC_CAP_DEFAULT_MAX, \
++      .min_caps.cap[1] = RSBAC_CAP_DEFAULT_MIN, \
++      .max_caps.cap[1] = RSBAC_CAP_DEFAULT_MAX, \
++      .cap_ld_env = LD_keep, \
++    }
++#define DEFAULT_CAP_U_AUDITOR_ACI \
++    { \
++      .cap_role = SR_auditor, \
++      .min_caps.cap[0] = RSBAC_CAP_DEFAULT_MIN, \
++      .max_caps.cap[0] = RSBAC_CAP_DEFAULT_MAX, \
++      .min_caps.cap[1] = RSBAC_CAP_DEFAULT_MIN, \
++      .max_caps.cap[1] = RSBAC_CAP_DEFAULT_MAX, \
++      .cap_ld_env = LD_keep, \
++    }
++#endif
++
++#if defined(CONFIG_RSBAC_JAIL)
++#define RSBAC_JAIL_USER_ACI_VERSION 2
++#define RSBAC_JAIL_USER_OLD_ACI_VERSION 1
++#define RSBAC_JAIL_USER_ACI_KEY 1001
++#endif
++
++#if defined(CONFIG_RSBAC_PAX)
++#define RSBAC_PAX_USER_ACI_VERSION 2
++#define RSBAC_PAX_USER_OLD_ACI_VERSION 1
++#define RSBAC_PAX_USER_ACI_KEY 1001221
++#endif
++
++#if defined(CONFIG_RSBAC_RES)
++#define RSBAC_RES_USER_ACI_VERSION 2
++#define RSBAC_RES_USER_OLD_ACI_VERSION 1
++#define RSBAC_RES_USER_ACI_KEY 1002
++struct rsbac_res_user_aci_t {
++	rsbac_system_role_int_t res_role;	/* System role for RES administration */
++	rsbac_res_array_t res_min;
++	rsbac_res_array_t res_max;
++};
++#define DEFAULT_RES_U_ACI \
++    { \
++      .res_role = SR_user, \
++      .res_min = { \
++        RSBAC_RES_UNSET,           /* cpu time */ \
++        RSBAC_RES_UNSET,           /* file size */ \
++        RSBAC_RES_UNSET,           /* process data segment size */ \
++        RSBAC_RES_UNSET,           /* stack size */ \
++        RSBAC_RES_UNSET,           /* core dump size */ \
++        RSBAC_RES_UNSET,           /* resident memory set size */ \
++        RSBAC_RES_UNSET,           /* number of processes for this user */ \
++        RSBAC_RES_UNSET,           /* number of files */ \
++        RSBAC_RES_UNSET,           /* locked-in-memory address space */ \
++        RSBAC_RES_UNSET,           /* address space (virtual memory) limit */ \
++        RSBAC_RES_UNSET            /* maximum file locks */ \
++      }, \
++      .res_max = { \
++        RSBAC_RES_UNSET,           /* cpu time */ \
++        RSBAC_RES_UNSET,           /* file size */ \
++        RSBAC_RES_UNSET,           /* process data segment size */ \
++        RSBAC_RES_UNSET,           /* stack size */ \
++        RSBAC_RES_UNSET,           /* core dump size */ \
++        RSBAC_RES_UNSET,           /* resident memory set size */ \
++        RSBAC_RES_UNSET,           /* number of processes for this user */ \
++        RSBAC_RES_UNSET,           /* number of files */ \
++        RSBAC_RES_UNSET,           /* locked-in-memory address space */ \
++        RSBAC_RES_UNSET,           /* address space (virtual memory) limit */ \
++        RSBAC_RES_UNSET            /* maximum file locks */ \
++      }, \
++    }
++#define DEFAULT_RES_U_SYSADM_ACI \
++    { \
++      .res_role = SR_administrator, \
++      .res_min = { \
++        RSBAC_RES_UNSET,           /* cpu time */ \
++        RSBAC_RES_UNSET,           /* file size */ \
++        RSBAC_RES_UNSET,           /* process data segment size */ \
++        RSBAC_RES_UNSET,           /* stack size */ \
++        RSBAC_RES_UNSET,           /* core dump size */ \
++        RSBAC_RES_UNSET,           /* resident memory set size */ \
++        RSBAC_RES_UNSET,           /* number of processes for this user */ \
++        RSBAC_RES_UNSET,           /* number of files */ \
++        RSBAC_RES_UNSET,           /* locked-in-memory address space */ \
++        RSBAC_RES_UNSET,           /* address space (virtual memory) limit */ \
++        RSBAC_RES_UNSET            /* maximum file locks */ \
++      }, \
++      .res_max = { \
++        RSBAC_RES_UNSET,           /* cpu time */ \
++        RSBAC_RES_UNSET,           /* file size */ \
++        RSBAC_RES_UNSET,           /* process data segment size */ \
++        RSBAC_RES_UNSET,           /* stack size */ \
++        RSBAC_RES_UNSET,           /* core dump size */ \
++        RSBAC_RES_UNSET,           /* resident memory set size */ \
++        RSBAC_RES_UNSET,           /* number of processes for this user */ \
++        RSBAC_RES_UNSET,           /* number of files */ \
++        RSBAC_RES_UNSET,           /* locked-in-memory address space */ \
++        RSBAC_RES_UNSET,           /* address space (virtual memory) limit */ \
++        RSBAC_RES_UNSET            /* maximum file locks */ \
++      } \
++    }
++#define DEFAULT_RES_U_SECOFF_ACI \
++    { \
++      .res_role = SR_security_officer, \
++      .res_min = { \
++        RSBAC_RES_UNSET,           /* cpu time */ \
++        RSBAC_RES_UNSET,           /* file size */ \
++        RSBAC_RES_UNSET,           /* process data segment size */ \
++        RSBAC_RES_UNSET,           /* stack size */ \
++        RSBAC_RES_UNSET,           /* core dump size */ \
++        RSBAC_RES_UNSET,           /* resident memory set size */ \
++        RSBAC_RES_UNSET,           /* number of processes for this user */ \
++        RSBAC_RES_UNSET,           /* number of files */ \
++        RSBAC_RES_UNSET,           /* locked-in-memory address space */ \
++        RSBAC_RES_UNSET,           /* address space (virtual memory) limit */ \
++        RSBAC_RES_UNSET            /* maximum file locks */ \
++      }, \
++      .res_max = { \
++        RSBAC_RES_UNSET,           /* cpu time */ \
++        RSBAC_RES_UNSET,           /* file size */ \
++        RSBAC_RES_UNSET,           /* process data segment size */ \
++        RSBAC_RES_UNSET,           /* stack size */ \
++        RSBAC_RES_UNSET,           /* core dump size */ \
++        RSBAC_RES_UNSET,           /* resident memory set size */ \
++        RSBAC_RES_UNSET,           /* number of processes for this user */ \
++        RSBAC_RES_UNSET,           /* number of files */ \
++        RSBAC_RES_UNSET,           /* locked-in-memory address space */ \
++        RSBAC_RES_UNSET,           /* address space (virtual memory) limit */ \
++        RSBAC_RES_UNSET            /* maximum file locks */ \
++      } \
++    }
++#define DEFAULT_RES_U_AUDITOR_ACI \
++    { \
++      .res_role = SR_auditor, \
++      .res_min = { \
++        RSBAC_RES_UNSET,           /* cpu time */ \
++        RSBAC_RES_UNSET,           /* file size */ \
++        RSBAC_RES_UNSET,           /* process data segment size */ \
++        RSBAC_RES_UNSET,           /* stack size */ \
++        RSBAC_RES_UNSET,           /* core dump size */ \
++        RSBAC_RES_UNSET,           /* resident memory set size */ \
++        RSBAC_RES_UNSET,           /* number of processes for this user */ \
++        RSBAC_RES_UNSET,           /* number of files */ \
++        RSBAC_RES_UNSET,           /* locked-in-memory address space */ \
++        RSBAC_RES_UNSET,           /* address space (virtual memory) limit */ \
++        RSBAC_RES_UNSET            /* maximum file locks */ \
++      }, \
++      .res_max = { \
++        RSBAC_RES_UNSET,           /* cpu time */ \
++        RSBAC_RES_UNSET,           /* file size */ \
++        RSBAC_RES_UNSET,           /* process data segment size */ \
++        RSBAC_RES_UNSET,           /* stack size */ \
++        RSBAC_RES_UNSET,           /* core dump size */ \
++        RSBAC_RES_UNSET,           /* resident memory set size */ \
++        RSBAC_RES_UNSET,           /* number of processes for this user */ \
++        RSBAC_RES_UNSET,           /* number of files */ \
++        RSBAC_RES_UNSET,           /* locked-in-memory address space */ \
++        RSBAC_RES_UNSET,           /* address space (virtual memory) limit */ \
++        RSBAC_RES_UNSET            /* maximum file locks */ \
++      } \
++    }
++#endif
++
++#define RSBAC_USER_NR_ATTRIBUTES 24
++#define RSBAC_USER_ATTR_LIST { \
++      A_pseudo, \
++      A_log_user_based, \
++      A_security_level, \
++      A_initial_security_level, \
++      A_min_security_level, \
++      A_mac_categories, \
++      A_mac_initial_categories, \
++      A_mac_min_categories, \
++      A_mac_role, \
++      A_mac_user_flags, \
++      A_daz_role, \
++      A_ff_role, \
++      A_auth_role, \
++      A_pm_task_set, \
++      A_pm_role, \
++      A_rc_def_role, \
++      A_rc_type, \
++      A_min_caps, \
++      A_max_caps, \
++      A_cap_role, \
++      A_cap_ld_env, \
++      A_jail_role, \
++      A_res_role, \
++      A_pax_role \
++      }
++
++#ifdef __KERNEL__
++struct rsbac_user_handles_t {
++	rsbac_list_handle_t gen;
++#if defined(CONFIG_RSBAC_MAC)
++	rsbac_list_handle_t mac;
++#endif
++#if defined(CONFIG_RSBAC_PM)
++	rsbac_list_handle_t pm;
++#endif
++#if defined(CONFIG_RSBAC_DAZ)
++	rsbac_list_handle_t daz;
++#endif
++#if defined(CONFIG_RSBAC_FF)
++	rsbac_list_handle_t ff;
++#endif
++#if defined(CONFIG_RSBAC_RC)
++	rsbac_list_handle_t rc;
++#endif
++#if defined(CONFIG_RSBAC_AUTH)
++	rsbac_list_handle_t auth;
++#endif
++#if defined(CONFIG_RSBAC_CAP)
++	rsbac_list_handle_t cap;
++#endif
++#if defined(CONFIG_RSBAC_JAIL)
++	rsbac_list_handle_t jail;
++#endif
++#if defined(CONFIG_RSBAC_PAX)
++	rsbac_list_handle_t pax;
++#endif
++#if defined(CONFIG_RSBAC_RES)
++	rsbac_list_handle_t res;
++#endif
++};
++#endif
++
++/********************************/
++/* Process ACI. */
++
++#define RSBAC_GEN_ACI_PROCESS_NAME   "process_gen"
++#define RSBAC_MAC_ACI_PROCESS_NAME   "process_mac"
++#define RSBAC_PM_ACI_PROCESS_NAME    "process_pm"
++#define RSBAC_DAZ_ACI_PROCESS_NAME    "process_daz"
++#define RSBAC_RC_ACI_PROCESS_NAME    "process_rc"
++#define RSBAC_AUTH_ACI_PROCESS_NAME    "process_auth"
++#define RSBAC_CAP_ACI_PROCESS_NAME    "process_cap"
++#define RSBAC_JAIL_ACI_PROCESS_NAME    "process_jail"
++
++#define RSBAC_GEN_PROCESS_ACI_VERSION 3
++#define RSBAC_GEN_PROCESS_ACI_KEY 1001
++struct rsbac_gen_process_aci_t {
++	rsbac_request_vector_t log_program_based;
++	rsbac_fake_root_uid_int_t fake_root_uid;
++	rsbac_uid_t audit_uid;
++	rsbac_uid_t auid_exempt;
++	__u32 remote_ip;
++	rsbac_boolean_t kernel_thread;
++	rsbac_um_set_t vset;
++#if defined(CONFIG_RSBAC_AUTH_LEARN) || defined(CONFIG_RSBAC_CAP_LEARN)
++	struct rsbac_fs_file_t program_file;
++#endif
++};
++#if defined(CONFIG_RSBAC_AUTH_LEARN) || defined(CONFIG_RSBAC_CAP_LEARN)
++#define DEFAULT_GEN_P_ACI \
++    { \
++      .log_program_based = 0, \
++      .fake_root_uid = FR_off, \
++      .audit_uid = RSBAC_NO_USER, \
++      .auid_exempt = RSBAC_NO_USER, \
++      .remote_ip = 0, \
++      .kernel_thread = 0, \
++      .vset = 0, \
++      .program_file = { RSBAC_ZERO_DEV, 0, NULL }, \
++    }
++#else
++#define DEFAULT_GEN_P_ACI \
++    { \
++      .log_program_based = 0, \
++      .fake_root_uid = FR_off, \
++      .audit_uid = RSBAC_NO_USER, \
++      .auid_exempt = RSBAC_NO_USER, \
++      .remote_ip = 0, \
++      .kernel_thread = 0, \
++      .vset = 0, \
++    }
++#endif
++
++
++#if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT)
++#define RSBAC_MAC_PROCESS_ACI_VERSION 1
++#define RSBAC_MAC_PROCESS_ACI_KEY 1001
++struct rsbac_mac_process_aci_t {
++	rsbac_security_level_t owner_sec_level;	/* enum old_rsbac_security_level_t */
++	rsbac_security_level_t owner_initial_sec_level;	/* enum old_rsbac_security_level_t */
++	rsbac_security_level_t owner_min_sec_level;	/* enum old_rsbac_security_level_t */
++	rsbac_mac_category_vector_t mac_owner_categories;	/* MAC category set */
++	rsbac_mac_category_vector_t mac_owner_initial_categories;	/* MAC category set */
++	rsbac_mac_category_vector_t mac_owner_min_categories;	/* MAC category set */
++	rsbac_security_level_t current_sec_level;	/* enum rsbac_security_level_t */
++	rsbac_mac_category_vector_t mac_curr_categories;	/* MAC current category set */
++	rsbac_security_level_t min_write_open;	/* for *-property, enum rsbac_security_level_t */
++	rsbac_mac_category_vector_t min_write_categories;	/* MAC, for *-property */
++	rsbac_security_level_t max_read_open;	/* for *-property, enum rsbac_security_level_t */
++	rsbac_mac_category_vector_t max_read_categories;	/* MAC, for *-property */
++	rsbac_mac_process_flags_t mac_process_flags;	/* flags (override, trusted, auto etc.) */
++};
++#define DEFAULT_MAC_P_ACI \
++    { \
++      .owner_sec_level = SL_unclassified, \
++      .owner_initial_sec_level = SL_unclassified, \
++      .owner_min_sec_level = SL_unclassified, \
++      .mac_owner_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
++      .mac_owner_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
++      .mac_owner_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
++      .current_sec_level = SL_unclassified, \
++      .mac_curr_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
++      .min_write_open = SL_max, \
++      .min_write_categories = RSBAC_MAC_MAX_CAT_VECTOR, \
++      .max_read_open = SL_unclassified, \
++      .max_read_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
++      .mac_process_flags = RSBAC_MAC_DEF_P_FLAGS, \
++    }
++#define DEFAULT_MAC_P_INIT_ACI \
++    { \
++      .owner_sec_level = SL_unclassified, \
++      .owner_initial_sec_level = SL_unclassified, \
++      .owner_min_sec_level = SL_unclassified, \
++      .mac_owner_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
++      .mac_owner_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
++      .mac_owner_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
++      .current_sec_level = SL_unclassified, \
++      .mac_curr_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
++      .min_write_open = SL_max, \
++      .min_write_categories = RSBAC_MAC_MAX_CAT_VECTOR, \
++      .max_read_open = SL_unclassified, \
++      .max_read_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
++      .mac_process_flags = RSBAC_MAC_DEF_INIT_P_FLAGS, \
++    }
++#endif
++
++#if defined(CONFIG_RSBAC_PM)
++#define RSBAC_PM_PROCESS_ACI_VERSION 1
++#define RSBAC_PM_PROCESS_ACI_KEY 1001
++struct rsbac_pm_process_aci_t {
++	rsbac_pm_tp_id_t pm_tp;
++	rsbac_pm_task_id_t pm_current_task;
++	rsbac_pm_process_type_int_t pm_process_type;	/* enum rsbac_pm_process_type_t */
++};
++#define DEFAULT_PM_P_ACI \
++    { \
++      .pm_tp = 0, \
++      .pm_current_task = 0, \
++      .pm_process_type = PP_none, \
++    }
++#endif
++
++#if defined(CONFIG_RSBAC_DAZ)
++#define RSBAC_DAZ_PROCESS_ACI_VERSION 1
++#define RSBAC_DAZ_PROCESS_ACI_KEY 1001
++struct rsbac_daz_process_aci_t {
++	rsbac_boolean_int_t daz_scanner;	/* DAZ, boolean */
++};
++#define DEFAULT_DAZ_P_ACI \
++    { \
++      .daz_scanner = FALSE, \
++    }
++#endif
++
++#if defined(CONFIG_RSBAC_RC)
++#define RSBAC_RC_PROCESS_ACI_VERSION 1
++#define RSBAC_RC_PROCESS_ACI_KEY 1001
++struct rsbac_rc_process_aci_t {
++	rsbac_rc_role_id_t rc_role;	/* RC */
++	rsbac_rc_type_id_t rc_type;	/* RC */
++	rsbac_rc_role_id_t rc_force_role;	/* RC */
++	rsbac_rc_type_id_t rc_select_type; /* RC */
++};
++#define DEFAULT_RC_P_ACI \
++    { \
++      .rc_role = RSBAC_RC_GENERAL_ROLE, \
++      .rc_type = RSBAC_RC_GENERAL_TYPE, \
++      .rc_force_role = RC_default_force_role, \
++      .rc_select_type = RC_type_use_fd, \
++    }
++#define DEFAULT_RC_P_INIT_ACI \
++    { \
++      .rc_role = RSBAC_RC_SYSTEM_ADMIN_ROLE, \
++      .rc_type = RSBAC_RC_GENERAL_TYPE, \
++      .rc_force_role = RC_default_force_role, \
++      .rc_select_type = RC_type_use_fd, \
++    }
++#define DEFAULT_RC_P_KERNEL_ACI \
++    { \
++      .rc_role = RSBAC_RC_SYSTEM_ADMIN_ROLE, \
++      .rc_type = CONFIG_RSBAC_RC_KERNEL_PROCESS_TYPE, \
++      .rc_force_role = RC_default_force_role, \
++      .rc_select_type = RC_type_use_fd, \
++    }
++#endif
++
++#if defined(CONFIG_RSBAC_AUTH)
++#define RSBAC_AUTH_PROCESS_ACI_VERSION 1
++#define RSBAC_AUTH_PROCESS_ACI_KEY 1001
++struct rsbac_auth_process_aci_t {
++	__u8 auth_may_setuid;	/* AUTH (boolean) */
++	__u8 auth_may_set_cap;	/* AUTH (boolean) */
++	rsbac_uid_t auth_last_auth;
++#if defined(CONFIG_RSBAC_AUTH_LEARN)
++	rsbac_uid_t auth_start_uid;
++#ifdef CONFIG_RSBAC_AUTH_DAC_OWNER
++	rsbac_uid_t auth_start_euid;
++#endif
++#ifdef CONFIG_RSBAC_AUTH_GROUP
++	rsbac_gid_t auth_start_gid;
++#ifdef CONFIG_RSBAC_AUTH_DAC_GROUP
++	rsbac_gid_t auth_start_egid;
++#endif
++#endif
++	__u8 auth_learn;	/* AUTH (boolean) */
++#endif
++};
++
++#if defined(CONFIG_RSBAC_AUTH_LEARN)
++#define DEFAULT_AUTH_P_ACI \
++    { \
++      .auth_may_setuid = FALSE, \
++      .auth_may_set_cap = FALSE, \
++      .auth_last_auth = RSBAC_NO_USER, \
++      .auth_start_uid = 0, \
++      .auth_learn = 0, \
++    }
++#else
++#define DEFAULT_AUTH_P_ACI \
++    { \
++      .auth_may_setuid = FALSE, \
++      .auth_may_set_cap = FALSE, \
++      .auth_last_auth = RSBAC_NO_USER, \
++    }
++#endif
++#endif
++
++
++#if defined(CONFIG_RSBAC_CAP)
++#define RSBAC_CAP_PROCESS_ACI_VERSION 2
++#define RSBAC_CAP_PROCESS_ACI_KEY 10013283
++struct rsbac_cap_process_aci_t {
++	rsbac_cap_process_hiding_int_t cap_process_hiding;
++#if defined(CONFIG_RSBAC_CAP_LOG_MISSING) || defined(CONFIG_RSBAC_CAP_LEARN)
++	rsbac_cap_vector_t max_caps_user;
++	rsbac_cap_vector_t max_caps_program;
++#endif
++	rsbac_cap_ld_env_int_t cap_ld_env;
++};
++
++#ifdef CONFIG_RSBAC_CAP_LOG_MISSING
++#define DEFAULT_CAP_P_ACI \
++    { \
++      .cap_process_hiding = PH_off, \
++      .max_caps_user.cap[0] = RSBAC_CAP_DEFAULT_MAX, \
++      .max_caps_user.cap[1] = RSBAC_CAP_DEFAULT_MAX, \
++      .max_caps_program.cap[0] = RSBAC_CAP_DEFAULT_MAX, \
++      .max_caps_program.cap[1] = RSBAC_CAP_DEFAULT_MAX, \
++      .cap_ld_env = LD_allow, \
++    }
++#else
++#define DEFAULT_CAP_P_ACI \
++    { \
++      .cap_process_hiding = PH_off, \
++      .cap_ld_env = LD_allow, \
++    }
++#endif
++#endif
++
++#if defined(CONFIG_RSBAC_JAIL)
++#define RSBAC_JAIL_PROCESS_ACI_VERSION 1
++#define RSBAC_JAIL_PROCESS_ACI_KEY 1001
++struct rsbac_jail_process_aci_t {
++	rsbac_jail_id_t id;
++	rsbac_jail_id_t parent;
++	rsbac_jail_ip_t ip;
++	rsbac_jail_flags_t flags;
++	rsbac_cap_vector_t max_caps;	/* Program max Linux capabilities */
++	rsbac_jail_scd_vector_t scd_get;	/* SCD targets GET_STATUS_DATA */
++	rsbac_jail_scd_vector_t scd_modify;	/* SCD targets MODIFY_SYSTEM_DATA */
++};
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,25)
++#define DEFAULT_JAIL_P_ACI \
++    { \
++      .id = 0, \
++      .parent = 0, \
++      .ip = 0, \
++      .flags = 0, \
++      .max_caps.cap[0] = -1, \
++      .max_caps.cap[1] = -1, \
++      .scd_get = 0, \
++      .scd_modify = 0, \
++    }
++#else
++#define DEFAULT_JAIL_P_ACI \
++    { \
++      .id = 0, \
++      .parent = 0, \
++      .ip = 0, \
++      .flags = 0, \
++      .max_caps = -1, \
++      .scd_get = 0, \
++      .scd_modify = 0, \
++    }
++#endif
++#endif
++
++#define RSBAC_PROCESS_NR_ATTRIBUTES 39
++#define RSBAC_PROCESS_ATTR_LIST { \
++      A_security_level, \
++      A_min_security_level, \
++      A_mac_categories, \
++      A_mac_min_categories, \
++      A_current_sec_level, \
++      A_mac_curr_categories, \
++      A_min_write_open, \
++      A_min_write_categories, \
++      A_max_read_open, \
++      A_max_read_categories, \
++      A_mac_process_flags, \
++      A_pm_tp, \
++      A_pm_current_task, \
++      A_pm_process_type, \
++      A_daz_scanner, \
++      A_rc_role, \
++      A_rc_type, \
++      A_rc_force_role, \
++      A_rc_select_type, \
++      A_auth_may_setuid, \
++      A_auth_may_set_cap, \
++      A_auth_learn, \
++      A_cap_process_hiding, \
++      A_max_caps_user, \
++      A_max_caps_program, \
++      A_cap_ld_env, \
++      A_jail_id, \
++      A_jail_ip, \
++      A_jail_flags, \
++      A_jail_max_caps, \
++      A_jail_scd_get, \
++      A_jail_scd_modify, \
++      A_log_program_based, \
++      A_fake_root_uid, \
++      A_audit_uid, \
++      A_auid_exempt, \
++      A_auth_last_auth, \
++      A_remote_ip, \
++      A_vset \
++      }
++
++#ifdef __KERNEL__
++struct rsbac_process_handles_t {
++	rsbac_list_handle_t gen;
++#if defined(CONFIG_RSBAC_MAC)
++	rsbac_list_handle_t mac;
++#endif
++#if defined(CONFIG_RSBAC_PM)
++	rsbac_list_handle_t pm;
++#endif
++#if defined(CONFIG_RSBAC_DAZ)
++	rsbac_list_handle_t daz;
++#endif
++#if defined(CONFIG_RSBAC_RC)
++	rsbac_list_handle_t rc;
++#endif
++#if defined(CONFIG_RSBAC_AUTH)
++	rsbac_list_handle_t auth;
++#endif
++#if defined(CONFIG_RSBAC_CAP)
++	rsbac_list_handle_t cap;
++#endif
++#if defined(CONFIG_RSBAC_JAIL)
++	rsbac_list_handle_t jail;
++#endif
++};
++#endif				/* __KERNEL__ */
++
++
++/******************************/
++/* OK, now we define the UM group ACI, holding all information */
++/* the ADF needs for decisions.                                */
++
++#define RSBAC_RC_ACI_GROUP_NAME    "grouprc"
++
++/* Caution: whenever ACI changes, version should be increased!            */
++
++#if defined(CONFIG_RSBAC_RC_UM_PROT)
++#define RSBAC_RC_GROUP_ACI_VERSION 1
++#define RSBAC_RC_GROUP_ACI_KEY 13276142
++#endif
++
++#define RSBAC_GROUP_NR_ATTRIBUTES 1
++#define RSBAC_GROUP_ATTR_LIST { \
++      A_rc_type \
++      }
++
++#ifdef __KERNEL__
++struct rsbac_group_handles_t {
++#if defined(CONFIG_RSBAC_RC_UM_PROT)
++	rsbac_list_handle_t rc;
++#endif
++};
++#endif				/* __KERNEL__ */
++
++/********************************/
++/* NETDEV ACI */
++
++#define RSBAC_GEN_ACI_NETDEV_NAME   "nd_gen"
++#define RSBAC_RC_ACI_NETDEV_NAME    "nd_rc"
++
++#define RSBAC_GEN_NETDEV_ACI_VERSION 1
++#define RSBAC_GEN_NETDEV_ACI_KEY 1001
++struct rsbac_gen_netdev_aci_t {
++	rsbac_log_array_t log_array_low;	/* netdev based logging, */
++	rsbac_log_array_t log_array_high;	/* high and low bits */
++};
++#define DEFAULT_GEN_NETDEV_ACI \
++    { \
++      .log_array_low = -1, \
++      .log_array_high = -1, \
++    }
++
++#if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
++#define RSBAC_RC_NETDEV_ACI_VERSION 1
++#define RSBAC_RC_NETDEV_ACI_KEY 1001
++#endif
++
++#define RSBAC_NETDEV_NR_ATTRIBUTES 3
++#define RSBAC_NETDEV_ATTR_LIST { \
++      A_rc_type, \
++      A_log_array_low, \
++      A_log_array_high \
++      }
++
++#ifdef __KERNEL__
++struct rsbac_netdev_handles_t {
++#if defined(CONFIG_RSBAC_IND_NETDEV_LOG)
++	rsbac_list_handle_t gen;
++#endif
++#if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
++	rsbac_list_handle_t rc;
++#endif
++};
++#endif				/* __KERNEL__ */
++
++/********************************/
++/* NETTEMP ACI */
++
++#define RSBAC_GEN_ACI_NETTEMP_NAME   "nt_gen"
++#define RSBAC_MAC_ACI_NETTEMP_NAME   "nt_mac"
++#define RSBAC_PM_ACI_NETTEMP_NAME    "nt_pm"
++#define RSBAC_RC_ACI_NETTEMP_NAME    "nt_rc"
++
++#define RSBAC_MAC_ACI_LNETOBJ_NAME   "lnetobj_mac"
++#define RSBAC_PM_ACI_LNETOBJ_NAME    "lnetobj_pm"
++#define RSBAC_RC_ACI_LNETOBJ_NAME    "lnetobj_rc"
++#define RSBAC_MAC_ACI_RNETOBJ_NAME   "rnetobj_mac"
++#define RSBAC_PM_ACI_RNETOBJ_NAME    "rnetobj_pm"
++#define RSBAC_RC_ACI_RNETOBJ_NAME    "rnetobj_rc"
++
++#define RSBAC_GEN_NETOBJ_ACI_VERSION 1
++#define RSBAC_GEN_NETOBJ_ACI_KEY 1001
++struct rsbac_gen_netobj_aci_t {
++	rsbac_log_array_t log_array_low;	/* nettemp/netobj based logging, */
++	rsbac_log_array_t log_array_high;	/* high and low bits */
++};
++#define DEFAULT_GEN_NETOBJ_ACI \
++    { \
++      .log_array_low = -1, \
++      .log_array_high = -1, \
++    }
++
++#if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT)
++#define RSBAC_MAC_NETOBJ_ACI_VERSION 1
++#define RSBAC_MAC_NETOBJ_ACI_KEY 1001
++struct rsbac_mac_netobj_aci_t {
++	rsbac_security_level_t sec_level;	/* enum old_rsbac_security_level_t / __u8 */
++	rsbac_mac_category_vector_t mac_categories;	/* MAC category set */
++};
++#define DEFAULT_MAC_NETOBJ_ACI \
++    { \
++      .sec_level = SL_unclassified,  /* security_level (MAC) */ \
++      .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
++    }
++#endif
++
++#if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT)
++#define RSBAC_PM_NETOBJ_ACI_VERSION 1
++#define RSBAC_PM_NETOBJ_ACI_KEY 1001
++struct rsbac_pm_netobj_aci_t {
++	rsbac_pm_object_class_id_t pm_object_class;	/* netobj only */
++	rsbac_pm_purpose_id_t pm_ipc_purpose;
++	rsbac_pm_object_type_int_t pm_object_type;	/* enum rsbac_pm_object_type_t */
++};
++#define DEFAULT_PM_NETOBJ_ACI \
++    { \
++      .pm_object_class = RSBAC_PM_IPC_OBJECT_CLASS_ID, \
++      .pm_ipc_purpose = 0, \
++      .pm_object_type = PO_ipc, \
++    }
++#endif
++
++#if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
++#define RSBAC_RC_NETOBJ_ACI_VERSION 1
++#define RSBAC_RC_NETOBJ_ACI_KEY 1001
++#define RSBAC_RC_NETTEMP_ACI_VERSION 1
++#define RSBAC_RC_NETTEMP_ACI_KEY 1002
++
++struct rsbac_rc_nettemp_aci_t {
++	rsbac_rc_type_id_t netobj_type;	/* type inherited to netobj */
++	rsbac_rc_type_id_t nettemp_type;	/* type of this tenplate */
++};
++#define DEFAULT_RC_NETTEMP_ACI \
++    { \
++      .netobj_type = RSBAC_RC_GENERAL_TYPE, \
++      .nettemp_type = RSBAC_RC_GENERAL_TYPE, \
++    }
++#endif
++
++#define RSBAC_NETTEMP_NR_ATTRIBUTES 9
++#define RSBAC_NETTEMP_ATTR_LIST { \
++      A_security_level, \
++      A_mac_categories, \
++      A_pm_object_class, \
++      A_pm_ipc_purpose, \
++      A_pm_object_type, \
++      A_rc_type, \
++      A_rc_type_nt, \
++      A_log_array_low, \
++      A_log_array_high \
++      }
++
++#define RSBAC_NETOBJ_NR_ATTRIBUTES 16
++#define RSBAC_NETOBJ_ATTR_LIST { \
++      A_local_sec_level, \
++      A_remote_sec_level, \
++      A_local_mac_categories, \
++      A_remote_mac_categories, \
++      A_local_pm_object_class, \
++      A_remote_pm_object_class, \
++      A_local_pm_ipc_purpose, \
++      A_remote_pm_ipc_purpose, \
++      A_local_pm_object_type, \
++      A_remote_pm_object_type, \
++      A_local_rc_type, \
++      A_remote_rc_type, \
++      A_local_log_array_low, \
++      A_remote_log_array_low, \
++      A_local_log_array_high, \
++      A_remote_log_array_high \
++      }
++
++#ifdef __KERNEL__
++struct rsbac_nettemp_handles_t {
++#if defined(CONFIG_RSBAC_IND_NETOBJ_LOG)
++	rsbac_list_handle_t gen;
++#endif
++#if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT)
++	rsbac_list_handle_t mac;
++#endif
++#if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT)
++	rsbac_list_handle_t pm;
++#endif
++#if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
++	rsbac_list_handle_t rc;
++#endif
++};
++
++struct rsbac_lnetobj_handles_t {
++#if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT)
++	rsbac_list_handle_t mac;
++#endif
++#if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT)
++	rsbac_list_handle_t pm;
++#endif
++#if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
++	rsbac_list_handle_t rc;
++#endif
++};
++struct rsbac_rnetobj_handles_t {
++#if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT)
++	rsbac_list_handle_t mac;
++#endif
++#if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT)
++	rsbac_list_handle_t pm;
++#endif
++#if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
++	rsbac_list_handle_t rc;
++#endif
++};
++#endif				/* __KERNEL__ */
++
++
++/**********************************************/
++/*              Declarations                  */
++/**********************************************/
++
++#ifdef __KERNEL__
++extern kdev_t rsbac_root_dev;
++
++int rsbac_read_open(char *, struct file **,	/* file */
++		    kdev_t);
++
++int rsbac_write_open(char *, struct file **,	/* file */
++		     kdev_t);
++
++void rsbac_read_close(struct file *);
++
++void rsbac_write_close(struct file *);
++
++extern struct semaphore rsbac_write_sem;
++
++#endif				/* __KERNEL__ */
++
++/**********************************************/
++/*          External Declarations             */
++/**********************************************/
++
++#ifdef __KERNEL__
++
++static inline struct dentry *lock_parent(struct dentry *dentry)
++{
++	struct dentry *dir = dget(dentry->d_parent);
++
++	mutex_lock(&dir->d_inode->i_mutex);
++	return dir;
++}
++
++static inline void unlock_dir(struct dentry *dir)
++{
++	mutex_unlock(&dir->d_inode->i_mutex);
++	dput(dir);
++}
++
++static inline void double_mutex_lock(struct mutex *m1, struct mutex *m2)
++{
++	if (m1 != m2) {
++		if ((unsigned long) m1 < (unsigned long) m2) {
++			struct mutex *tmp = m2;
++			m2 = m1;
++			m1 = tmp;
++		}
++		mutex_lock(m1);
++	}
++	mutex_lock(m2);
++}
++
++static inline void double_mutex_unlock(struct mutex *m1, struct mutex *m2)
++{
++	mutex_unlock(m1);
++	if (m1 != m2)
++		mutex_unlock(m2);
++}
++
++static inline void double_lock(struct dentry *d1, struct dentry *d2)
++{
++	double_mutex_lock(&d1->d_inode->i_mutex, &d2->d_inode->i_mutex);
++}
++
++static inline void double_unlock(struct dentry *d1, struct dentry *d2)
++{
++	double_mutex_unlock(&d1->d_inode->i_mutex, &d2->d_inode->i_mutex);
++	dput(d1);
++	dput(d2);
++}
++
++#ifdef CONFIG_RSBAC_DEBUG
++static inline unsigned long rsbac_stack_free_space(void)
++{
++	unsigned long *n = (unsigned long *)(current + 1);
++	while (!*n)
++		n++;
++	return (unsigned long)n - (unsigned long)(current + 1);
++}
++#else
++#define rsbac_stack_free_space() 0
++#endif
++
++#endif				/* __KERNEL__ */
++
++#endif
+diff --git a/include/rsbac/acl.h b/include/rsbac/acl.h
+new file mode 100644
+index 0000000..35554c3
+--- /dev/null
++++ b/include/rsbac/acl.h
+@@ -0,0 +1,266 @@
++/************************************ */
++/* Rule Set Based Access Control      */
++/* Author and (c) 1999-2009: Amon Ott */
++/* API: Data structures               */
++/* and functions for Access           */
++/* Control Information / ACL          */
++/* Last modified: 15/Oct/2009         */
++/************************************ */
++
++#ifndef __RSBAC_ACL_H
++#define __RSBAC_ACL_H
++
++#include <linux/init.h>
++#include <rsbac/types.h>
++
++/***************************************************/
++/*               General Prototypes                */
++/***************************************************/
++
++/* All functions return 0, if no error occurred, and a negative error code  */
++/* otherwise. The error codes are defined in rsbac_error.h.                 */
++
++/****************************************************************************/
++/* Initialization, including ACI restoration for all mounted devices from   */
++/* disk. After this call, all ACI is kept in memory for performance reasons,*/
++/* but user and file/dir object ACI are written to disk on every change.    */
++
++#ifdef CONFIG_RSBAC_INIT_DELAY
++extern int rsbac_init_acl(void);
++#else
++extern int rsbac_init_acl(void) __init;
++#endif
++
++/* mounting and umounting */
++int rsbac_mount_acl(kdev_t kdev);
++int rsbac_umount_acl(kdev_t kdev);
++
++/* Some information about the current status is also available */
++extern int rsbac_stats_acl(void);
++
++/* Status checking */
++extern int rsbac_check_acl(int correct);
++
++/************************************************* */
++/*               Access functions                  */
++/************************************************* */
++
++/* All these procedures handle the spinlocks to protect the targets during */
++/* access.                                                                 */
++
++/* rsbac_acl_set_acl_entry
++ * Set ACL entry for given target and subject to given rights. If entry does
++ * not exist, it is created, thus cutting the inheritance from default/parent.
++ */
++
++int rsbac_acl_set_acl_entry(rsbac_list_ta_number_t ta_number,
++			    enum rsbac_target_t target,
++			    union rsbac_target_id_t tid,
++			    enum rsbac_acl_subject_type_t subj_type,
++			    rsbac_acl_subject_id_t subj_id,
++			    rsbac_acl_rights_vector_t rights,
++			    rsbac_time_t ttl);
++
++/* rsbac_acl_remove_acl_entry
++ * Remove ACL entry for given target and subject. This reactivates the
++ * inheritance from default/parent.
++ */
++
++int rsbac_acl_remove_acl_entry(rsbac_list_ta_number_t ta_number,
++			       enum rsbac_target_t target,
++			       union rsbac_target_id_t tid,
++			       enum rsbac_acl_subject_type_t subj_type,
++			       rsbac_acl_subject_id_t subj_id);
++
++/* rsbac_acl_remove_acl
++ * Remove ACL for given target. For cleanup on delete.
++ */
++
++int rsbac_acl_remove_acl(rsbac_list_ta_number_t ta_number,
++			 enum rsbac_target_t target,
++			 union rsbac_target_id_t tid);
++
++/* rsbac_acl_add_to_acl_entry
++ * Add given rights to ACL entry for given target and subject. If entry does
++ * not exist, behaviour is exactly like rsbac_acl_set_acl_entry.
++ */
++
++int rsbac_acl_add_to_acl_entry(rsbac_list_ta_number_t ta_number,
++			       enum rsbac_target_t target,
++			       union rsbac_target_id_t tid,
++			       enum rsbac_acl_subject_type_t subj_type,
++			       rsbac_acl_subject_id_t subj_id,
++			       rsbac_acl_rights_vector_t rights,
++			       rsbac_time_t ttl);
++
++/* rsbac_acl_remove_from_acl_entry
++ * Remove given rights from ACL entry for given target and subject. If entry does
++ * not exist, nothing happens.
++ * This function does NOT remove the ACL entry, so removing all rights results in
++ * NO rights for this subject/target combination!
++ */
++
++int rsbac_acl_remove_from_acl_entry(rsbac_list_ta_number_t ta_number,
++				    enum rsbac_target_t target,
++				    union rsbac_target_id_t tid,
++				    enum rsbac_acl_subject_type_t
++				    subj_type,
++				    rsbac_acl_subject_id_t subj_id,
++				    rsbac_acl_rights_vector_t rights);
++
++/* rsbac_acl_set_mask
++ * Set inheritance mask for given target to given rights. If item does
++ * not exist, it is created.
++ */
++
++int rsbac_acl_set_mask(rsbac_list_ta_number_t ta_number,
++		       enum rsbac_target_t target,
++		       union rsbac_target_id_t tid,
++		       rsbac_acl_rights_vector_t mask);
++
++/* rsbac_acl_get_mask
++ * Get inheritance mask for given target to given rights. If item does
++ * not exist, default mask is returned.
++ */
++
++int rsbac_acl_get_mask(rsbac_list_ta_number_t ta_number,
++		       enum rsbac_target_t target,
++		       union rsbac_target_id_t tid,
++		       rsbac_acl_rights_vector_t * mask_p);
++
++/* rsbac_acl_get_rights
++ * Get effective rights from ACL entry for given target and subject.
++ * If entry does not exist, inherited rights are used. If there is no parent,
++ * the default rights vector for this target type is returned.
++ * This function does NOT add role or group rights to user rights!
++ */
++
++int rsbac_acl_get_rights(rsbac_list_ta_number_t ta_number,
++			 enum rsbac_target_t target,
++			 union rsbac_target_id_t tid,
++			 enum rsbac_acl_subject_type_t subj_type,
++			 rsbac_acl_subject_id_t subj_id,
++			 rsbac_acl_rights_vector_t * rights_p,
++			 rsbac_boolean_t inherit);
++
++/* rsbac_acl_get_single_right
++ * Show, whether a right is set for given target and subject.
++ * If right is not set, it is checked at all parents, unless it has been
++ * masked out *or* it is SUPERVISOR, CONFIG_RSBAC_ACL_SUPER_FILTER is set
++ * and supervisor is masked out.
++ */
++
++int rsbac_acl_get_single_right(enum rsbac_target_t target,
++			       union rsbac_target_id_t tid,
++			       enum rsbac_acl_subject_type_t subj_type,
++			       rsbac_acl_subject_id_t subj_id,
++			       enum rsbac_adf_request_t right,
++			       rsbac_boolean_t * result);
++
++
++/************************************************************************** */
++/* The rsbac_acl_copy_fd_acl() function copies a file/dir ACL to another    */
++/* file/dir ACL. The old ACL of fd2 is erased before copying.               */
++
++int rsbac_acl_copy_fd_acl(struct rsbac_fs_file_t file1,
++			  struct rsbac_fs_file_t file2);
++
++/************************************************************************** */
++/* The rsbac_acl_copy_pp_acl() function copies a process acl to another     */
++
++int rsbac_acl_copy_pp_acl(rsbac_pid_t old_pid, rsbac_pid_t new_pid);
++
++/*************************************************
++ * rsbac_acl_get_tlist
++ * Get subjects from ACL entries for given target.
++ */
++
++int rsbac_acl_get_tlist(rsbac_list_ta_number_t ta_number,
++			enum rsbac_target_t target,
++			union rsbac_target_id_t tid,
++			struct rsbac_acl_entry_t **entry_pp,
++			rsbac_time_t ** ttl_pp);
++
++/*************************************************
++ * Group management
++ */
++
++/* add a group with new id and fill this id into *group_id_p */
++int rsbac_acl_add_group(rsbac_list_ta_number_t ta_number,
++			rsbac_uid_t owner,
++			enum rsbac_acl_group_type_t type,
++			char *name, rsbac_acl_group_id_t * group_id_p);
++
++int rsbac_acl_change_group(rsbac_list_ta_number_t ta_number,
++			   rsbac_acl_group_id_t id,
++			   rsbac_uid_t owner,
++			   enum rsbac_acl_group_type_t type, char *name);
++
++int rsbac_acl_remove_group(rsbac_list_ta_number_t ta_number,
++			   rsbac_acl_group_id_t id);
++
++int rsbac_acl_get_group_entry(rsbac_list_ta_number_t ta_number,
++			      rsbac_acl_group_id_t group,
++			      struct rsbac_acl_group_entry_t *entry_p);
++
++int rsbac_acl_list_groups(rsbac_list_ta_number_t ta_number,
++			  rsbac_uid_t owner,
++			  rsbac_boolean_t include_global,
++			  struct rsbac_acl_group_entry_t **entry_pp);
++
++/* check group existence */
++rsbac_boolean_t rsbac_acl_group_exist(rsbac_acl_group_id_t group);
++
++int rsbac_acl_add_group_member(rsbac_list_ta_number_t ta_number,
++			       rsbac_acl_group_id_t group,
++			       rsbac_uid_t user, rsbac_time_t ttl);
++
++int rsbac_acl_remove_group_member(rsbac_list_ta_number_t ta_number,
++				  rsbac_acl_group_id_t group,
++				  rsbac_uid_t user);
++
++/* check membership */
++rsbac_boolean_t rsbac_acl_group_member(rsbac_acl_group_id_t group,
++				       rsbac_uid_t user);
++
++/* build rsbac_kmalloc'd array of all group memberships of the given user */
++/* returns number of groups or negative error */
++/* Attention: memory deallocation with rsbac_kfree must be done by caller! */
++int rsbac_acl_get_user_groups(rsbac_list_ta_number_t ta_number,
++			      rsbac_uid_t user,
++			      rsbac_acl_group_id_t ** group_pp,
++			      rsbac_time_t ** ttl_pp);
++
++/* Returns number of members or negative error */
++int rsbac_acl_get_group_members(rsbac_list_ta_number_t ta_number,
++				rsbac_acl_group_id_t group,
++				rsbac_uid_t user_array[],
++				rsbac_time_t ttl_array[], int maxnum);
++
++/* Remove subject from all ACLs */
++int rsbac_acl_remove_subject(rsbac_list_ta_number_t ta_number,
++			     struct rsbac_acl_entry_desc_t desc);
++
++/*************************************************/
++/* remove user from all groups and from all ACLs */
++int rsbac_acl_remove_user(rsbac_list_ta_number_t ta_number,
++			  rsbac_uid_t user);
++
++/* Get list of all device entries */
++
++int rsbac_acl_list_all_dev(rsbac_list_ta_number_t ta_number,
++			   struct rsbac_dev_desc_t **id_pp);
++
++int rsbac_acl_list_all_major_dev(rsbac_list_ta_number_t ta_number,
++				 struct rsbac_dev_desc_t **id_pp);
++
++int rsbac_acl_list_all_user(rsbac_list_ta_number_t ta_number,
++			    rsbac_uid_t ** id_pp);
++
++int rsbac_acl_list_all_group(rsbac_list_ta_number_t ta_number,
++			     rsbac_gid_t ** id_pp);
++
++int rsbac_acl_list_all_ipc(rsbac_list_ta_number_t ta_number,
++			   struct rsbac_ipc_t ** id_pp);
++
++#endif
+diff --git a/include/rsbac/acl_data_structures.h b/include/rsbac/acl_data_structures.h
+new file mode 100644
+index 0000000..f30d72b
+--- /dev/null
++++ b/include/rsbac/acl_data_structures.h
+@@ -0,0 +1,469 @@
++/**************************************/
++/* Rule Set Based Access Control      */
++/* Author and (c) 1999-2007:          */
++/*   Amon Ott <ao@...>          */
++/* Data structures / ACL              */
++/* Last modified: 25/Sep/2007         */
++/**************************************/
++
++#ifndef __RSBAC_ACL_DATA_STRUC_H
++#define __RSBAC_ACL_DATA_STRUC_H
++
++#include <linux/types.h>
++#include <rsbac/aci.h>
++#include <rsbac/types.h>
++#include <rsbac/lists.h>
++
++#define RSBAC_ACL_LIST_KEY 0x815affe
++
++#define RSBAC_ACL_GENERAL_FD_ENTRY \
++   { ACLS_GROUP, \
++     RSBAC_ACL_GROUP_EVERYONE, \
++     ( RSBAC_FD_REQUEST_VECTOR & RSBAC_READ_WRITE_REQUEST_VECTOR ) | RSBAC_EXECUTE_REQUEST_VECTOR | RSBAC_ACL_GEN_RIGHTS_VECTOR }
++
++#define RSBAC_ACL_ACMAN_FD_ENTRY \
++   { ACLS_USER, \
++     RSBAC_SECOFF_UID, \
++     ( RSBAC_FD_REQUEST_VECTOR & \
++       ( RSBAC_READ_WRITE_REQUEST_VECTOR | RSBAC_EXECUTE_REQUEST_VECTOR | RSBAC_SECURITY_REQUEST_VECTOR ) ) \
++     | RSBAC_ACL_ACMAN_RIGHTS_VECTOR }
++
++#define RSBAC_ACL_SYSADM_FD_ENTRY \
++   { ACLS_USER, \
++     RSBAC_SYSADM_UID, \
++     ( RSBAC_FD_REQUEST_VECTOR & \
++       ( RSBAC_READ_WRITE_REQUEST_VECTOR | RSBAC_EXECUTE_REQUEST_VECTOR | RSBAC_SYSTEM_REQUEST_VECTOR ) ) \
++     | RSBAC_ACL_SYSADM_RIGHTS_VECTOR }
++
++#define RSBAC_ACL_GENERAL_DEV_ENTRY \
++   { ACLS_GROUP, \
++     RSBAC_ACL_GROUP_EVERYONE, \
++     ( RSBAC_DEV_REQUEST_VECTOR & RSBAC_READ_WRITE_REQUEST_VECTOR ) | RSBAC_ACL_GEN_RIGHTS_VECTOR }
++
++#define RSBAC_ACL_ACMAN_DEV_ENTRY \
++   { ACLS_USER, \
++     RSBAC_SECOFF_UID, \
++     ( RSBAC_DEV_REQUEST_VECTOR & \
++       ( RSBAC_READ_WRITE_REQUEST_VECTOR | RSBAC_SECURITY_REQUEST_VECTOR ) ) \
++     | RSBAC_ACL_ACMAN_RIGHTS_VECTOR }
++
++#define RSBAC_ACL_SYSADM_DEV_ENTRY \
++   { ACLS_USER, \
++     RSBAC_SYSADM_UID, \
++     ( RSBAC_DEV_REQUEST_VECTOR & \
++       ( RSBAC_READ_WRITE_REQUEST_VECTOR | RSBAC_SYSTEM_REQUEST_VECTOR ) ) \
++     | RSBAC_ACL_SYSADM_RIGHTS_VECTOR }
++
++#define RSBAC_ACL_GENERAL_IPC_ENTRY \
++   { ACLS_GROUP, \
++     RSBAC_ACL_GROUP_EVERYONE, \
++     ( RSBAC_IPC_REQUEST_VECTOR & RSBAC_READ_WRITE_REQUEST_VECTOR ) | RSBAC_ACL_GEN_RIGHTS_VECTOR }
++
++#define RSBAC_ACL_ACMAN_IPC_ENTRY \
++   { ACLS_USER, \
++     RSBAC_SECOFF_UID, \
++     ( RSBAC_IPC_REQUEST_VECTOR & \
++       ( RSBAC_READ_WRITE_REQUEST_VECTOR | RSBAC_SECURITY_REQUEST_VECTOR ) ) \
++     | RSBAC_ACL_ACMAN_RIGHTS_VECTOR }
++
++#define RSBAC_ACL_SYSADM_IPC_ENTRY \
++   { ACLS_USER, \
++     RSBAC_SYSADM_UID, \
++     ( RSBAC_IPC_REQUEST_VECTOR & \
++       ( RSBAC_READ_WRITE_REQUEST_VECTOR | RSBAC_SYSTEM_REQUEST_VECTOR ) ) \
++     | RSBAC_ACL_SYSADM_RIGHTS_VECTOR }
++
++#define RSBAC_ACL_GENERAL_SCD_ENTRY \
++   { ACLS_GROUP, \
++     RSBAC_ACL_GROUP_EVERYONE, \
++     ( RSBAC_SCD_REQUEST_VECTOR & \
++       ( RSBAC_READ_WRITE_REQUEST_VECTOR | ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA) ) \
++     ) \
++     | RSBAC_ACL_GEN_RIGHTS_VECTOR \
++   }
++
++#ifdef CONFIG_RSBAC_USER_MOD_IOPERM
++#define RSBAC_ACL_GENERAL_SCD_IOPORTS_ENTRY \
++   { ACLS_GROUP, \
++     RSBAC_ACL_GROUP_EVERYONE, \
++     ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) \
++   }
++#endif
++
++#define RSBAC_ACL_GENERAL_SCD_OTHER_ENTRY \
++   { ACLS_GROUP, \
++     RSBAC_ACL_GROUP_EVERYONE, \
++     ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \
++   }
++
++#define RSBAC_ACL_GENERAL_SCD_NETWORK_ENTRY \
++   { ACLS_GROUP, \
++     RSBAC_ACL_GROUP_EVERYONE, \
++     ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) \
++   }
++
++#define RSBAC_ACL_ACMAN_SCD_ENTRY \
++   { ACLS_USER, \
++     RSBAC_SECOFF_UID, \
++     ( RSBAC_SCD_REQUEST_VECTOR & \
++       ( RSBAC_READ_WRITE_REQUEST_VECTOR | RSBAC_SECURITY_REQUEST_VECTOR ) ) \
++     | RSBAC_ACL_ACMAN_RIGHTS_VECTOR }
++
++#define RSBAC_ACL_ACMAN_SCD_OTHER_ENTRY \
++   { ACLS_USER, \
++     RSBAC_SECOFF_UID, \
++     ( RSBAC_NONE_REQUEST_VECTOR & \
++       ( \
++          ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \
++        | ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) \
++        | ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) \
++        | ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) \
++        | ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) \
++        | ((rsbac_request_vector_t) 1 << R_SWITCH_LOG) \
++        | ((rsbac_request_vector_t) 1 << R_SWITCH_MODULE) \
++       ) \
++     ) \
++     | RSBAC_ACL_ACMAN_RIGHTS_VECTOR }
++
++#define RSBAC_ACL_SYSADM_SCD_ENTRY \
++   { ACLS_USER, \
++     RSBAC_SYSADM_UID, \
++     ( RSBAC_SCD_REQUEST_VECTOR & \
++       ( \
++          ((rsbac_request_vector_t) 1 << R_GET_PERMISSIONS_DATA) \
++        | ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) \
++        | ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) \
++        | ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA) \
++        | ((rsbac_request_vector_t) 1 << R_WRITE) \
++       ) \
++     ) \
++     | RSBAC_ACL_SYSADM_RIGHTS_VECTOR }
++
++#define RSBAC_ACL_SYSADM_SCD_OTHER_ENTRY \
++   { ACLS_USER, \
++     RSBAC_SYSADM_UID, \
++     ( RSBAC_NONE_REQUEST_VECTOR & \
++       ( \
++          ((rsbac_request_vector_t) 1 << R_ADD_TO_KERNEL) \
++        | ((rsbac_request_vector_t) 1 << R_CHANGE_GROUP) \
++        | ((rsbac_request_vector_t) 1 << R_CHANGE_OWNER) \
++        | ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) \
++        | ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \
++        | ((rsbac_request_vector_t) 1 << R_MOUNT) \
++        | ((rsbac_request_vector_t) 1 << R_REMOVE_FROM_KERNEL) \
++        | ((rsbac_request_vector_t) 1 << R_UMOUNT) \
++        | ((rsbac_request_vector_t) 1 << R_SHUTDOWN) \
++       ) \
++     ) \
++     | ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA) \
++     | RSBAC_ACL_SYSADM_RIGHTS_VECTOR }
++
++#define RSBAC_ACL_AUDITOR_SCD_RSBACLOG_ENTRY \
++   { ACLS_USER, \
++     RSBAC_AUDITOR_UID, \
++     ( RSBAC_SCD_REQUEST_VECTOR & \
++       ( \
++          ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) \
++        | ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA) \
++       ) \
++     ) \
++   }
++
++#ifdef CONFIG_RSBAC_USER_MOD_IOPERM
++#define RSBAC_ACL_SYSADM_SCD_KMEM_ENTRY \
++   { ACLS_USER, \
++     RSBAC_SYSADM_UID, \
++     ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) \
++   }
++#endif
++
++#define RSBAC_ACL_GENERAL_U_ENTRY \
++   { ACLS_GROUP, \
++     RSBAC_ACL_GROUP_EVERYONE, \
++     RSBAC_REQUEST_VECTOR(R_CHANGE_OWNER) | RSBAC_REQUEST_VECTOR(R_SEARCH) \
++     | RSBAC_REQUEST_VECTOR(R_GET_STATUS_DATA) }
++
++#define RSBAC_ACL_ACMAN_U_ENTRY \
++   { ACLS_USER, \
++     RSBAC_SECOFF_UID, \
++     RSBAC_ACL_USER_RIGHTS_VECTOR \
++     | RSBAC_ACL_ACMAN_RIGHTS_VECTOR }
++
++#define RSBAC_ACL_SYSADM_U_ENTRY \
++   { ACLS_USER, \
++     RSBAC_SYSADM_UID, \
++     RSBAC_REQUEST_VECTOR(R_CHANGE_OWNER) | RSBAC_ACL_RIGHTS_VECTOR(R_READ_ATTRIBUTE) \
++     | RSBAC_REQUEST_VECTOR(R_SEARCH) | RSBAC_REQUEST_VECTOR(R_GET_STATUS_DATA) \
++     | RSBAC_REQUEST_VECTOR(R_AUTHENTICATE) \
++     | RSBAC_ACL_SYSADM_RIGHTS_VECTOR }
++
++#define RSBAC_ACL_GENERAL_P_ENTRY \
++   { ACLS_GROUP, \
++     RSBAC_ACL_GROUP_EVERYONE, \
++     ( RSBAC_PROCESS_REQUEST_VECTOR & RSBAC_READ_WRITE_REQUEST_VECTOR ) | RSBAC_ACL_GEN_RIGHTS_VECTOR }
++
++#define RSBAC_ACL_ACMAN_P_ENTRY \
++   { ACLS_USER, \
++     RSBAC_SECOFF_UID, \
++     ( RSBAC_PROCESS_REQUEST_VECTOR & \
++       ( RSBAC_READ_WRITE_REQUEST_VECTOR | RSBAC_SECURITY_REQUEST_VECTOR ) ) \
++     | RSBAC_ACL_ACMAN_RIGHTS_VECTOR }
++
++#define RSBAC_ACL_SYSADM_P_ENTRY \
++   { ACLS_USER, \
++     RSBAC_SYSADM_UID, \
++     ( RSBAC_PROCESS_REQUEST_VECTOR & \
++       ( RSBAC_READ_WRITE_REQUEST_VECTOR | RSBAC_SYSTEM_REQUEST_VECTOR ) ) \
++     | RSBAC_ACL_SYSADM_RIGHTS_VECTOR }
++
++#define RSBAC_ACL_GENERAL_G_ENTRY \
++   { ACLS_GROUP, \
++     RSBAC_ACL_GROUP_EVERYONE, \
++     RSBAC_REQUEST_VECTOR(R_SEARCH) | RSBAC_REQUEST_VECTOR(R_READ) }
++
++#define RSBAC_ACL_ACMAN_G_ENTRY \
++   { ACLS_USER, \
++     RSBAC_SECOFF_UID, \
++     ( RSBAC_GROUP_REQUEST_VECTOR & \
++       ( RSBAC_READ_WRITE_REQUEST_VECTOR | RSBAC_SECURITY_REQUEST_VECTOR ) ) \
++     | RSBAC_ACL_ACMAN_RIGHTS_VECTOR }
++
++#define RSBAC_ACL_SYSADM_G_ENTRY \
++   { ACLS_USER, \
++     RSBAC_SYSADM_UID, \
++     RSBAC_REQUEST_VECTOR(R_SEARCH) | RSBAC_REQUEST_VECTOR(R_READ) }
++
++#define RSBAC_ACL_GENERAL_NETDEV_ENTRY \
++   { ACLS_GROUP, \
++     RSBAC_ACL_GROUP_EVERYONE, \
++     ( RSBAC_NETDEV_REQUEST_VECTOR ) | RSBAC_ACL_GEN_RIGHTS_VECTOR }
++
++#define RSBAC_ACL_ACMAN_NETDEV_ENTRY \
++   { ACLS_USER, \
++     RSBAC_SECOFF_UID, \
++     ( RSBAC_NETDEV_REQUEST_VECTOR & \
++       ( RSBAC_READ_WRITE_REQUEST_VECTOR | RSBAC_SECURITY_REQUEST_VECTOR ) ) \
++     | RSBAC_ACL_ACMAN_RIGHTS_VECTOR }
++
++#define RSBAC_ACL_SYSADM_NETDEV_ENTRY \
++   { ACLS_USER, \
++     RSBAC_SYSADM_UID, \
++     ( RSBAC_NETDEV_REQUEST_VECTOR & \
++       ( RSBAC_READ_WRITE_REQUEST_VECTOR | RSBAC_SYSTEM_REQUEST_VECTOR ) ) \
++     | RSBAC_ACL_SYSADM_RIGHTS_VECTOR }
++
++#define RSBAC_ACL_GENERAL_NETTEMP_NT_ENTRY \
++   { ACLS_GROUP, \
++     RSBAC_ACL_GROUP_EVERYONE, \
++     ( RSBAC_NETTEMP_REQUEST_VECTOR & RSBAC_READ_REQUEST_VECTOR ) | RSBAC_ACL_GEN_RIGHTS_VECTOR }
++
++#define RSBAC_ACL_ACMAN_NETTEMP_NT_ENTRY \
++   { ACLS_USER, \
++     RSBAC_SECOFF_UID, \
++     ( RSBAC_NETTEMP_REQUEST_VECTOR & \
++       ( RSBAC_READ_WRITE_REQUEST_VECTOR | RSBAC_SECURITY_REQUEST_VECTOR ) ) \
++     | RSBAC_ACL_ACMAN_RIGHTS_VECTOR }
++
++#define RSBAC_ACL_SYSADM_NETTEMP_NT_ENTRY \
++   { ACLS_USER, \
++     RSBAC_SYSADM_UID, \
++     ( RSBAC_NETTEMP_REQUEST_VECTOR & \
++       ( RSBAC_READ_REQUEST_VECTOR | RSBAC_SYSTEM_REQUEST_VECTOR ) ) \
++     | RSBAC_ACL_SYSADM_RIGHTS_VECTOR }
++
++#define RSBAC_ACL_GENERAL_NETOBJ_ENTRY \
++   { ACLS_GROUP, \
++     RSBAC_ACL_GROUP_EVERYONE, \
++     ( RSBAC_NETOBJ_REQUEST_VECTOR & RSBAC_READ_WRITE_REQUEST_VECTOR ) \
++     | RSBAC_REQUEST_VECTOR(R_MODIFY_SYSTEM_DATA) \
++     | RSBAC_ACL_GEN_RIGHTS_VECTOR }
++
++#define RSBAC_ACL_ACMAN_NETOBJ_ENTRY \
++   { ACLS_USER, \
++     RSBAC_SECOFF_UID, \
++     ( RSBAC_NETOBJ_REQUEST_VECTOR & \
++       ( RSBAC_READ_WRITE_REQUEST_VECTOR | RSBAC_SECURITY_REQUEST_VECTOR ) ) \
++     | RSBAC_REQUEST_VECTOR(R_MODIFY_SYSTEM_DATA) \
++     | RSBAC_ACL_ACMAN_RIGHTS_VECTOR }
++
++#define RSBAC_ACL_SYSADM_NETOBJ_ENTRY \
++   { ACLS_USER, \
++     RSBAC_SYSADM_UID, \
++     ( RSBAC_NETOBJ_REQUEST_VECTOR & \
++       ( RSBAC_READ_WRITE_REQUEST_VECTOR | RSBAC_SYSTEM_REQUEST_VECTOR ) ) \
++     | RSBAC_REQUEST_VECTOR(R_MODIFY_SYSTEM_DATA) \
++     | RSBAC_ACL_SYSADM_RIGHTS_VECTOR }
++
++
++/**********************************************/
++/* Lists of ACL / General subitems            */
++/**********************************************/
++
++/* Each list represents sets of ACL entries, using a set-id and a sublist each */
++
++#define RSBAC_ACL_VERSION 1
++
++/**********************************************/
++/* ACL and device entries for File/Dir ACL    */
++/**********************************************/
++
++#define RSBAC_ACL_FD_FILENAME "aclfd"
++#define RSBAC_ACL_FD_OLD_FILENAME "aclfd."
++#define RSBAC_ACL_DEF_FD_FILENAME "aclfd.df"
++#define RSBAC_ACL_NR_FD_LISTS 4
++#define RSBAC_ACL_FD_LIST_VERSION 3
++#define RSBAC_ACL_DEF_FD_LIST_VERSION 3
++#define RSBAC_ACL_FD_OLD_LIST_VERSION 2
++#define RSBAC_ACL_DEF_FD_OLD_LIST_VERSION 2
++#define RSBAC_ACL_FD_OLD_OLD_LIST_VERSION 1
++#define RSBAC_ACL_DEF_FD_OLD_OLD_LIST_VERSION 1
++
++/* The list of devices is also a double linked list, so we define list    */
++/* items and a list head.                                                 */
++
++struct rsbac_acl_device_list_item_t {
++	kdev_t id;
++	u_int mount_count;
++	rsbac_list_handle_t handle;
++	struct rsbac_acl_device_list_item_t *prev;
++	struct rsbac_acl_device_list_item_t *next;
++};
++
++/* To provide consistency we use spinlocks for all list accesses. The     */
++/* 'curr' entry is used to avoid repeated lookups for the same item.       */
++
++struct rsbac_acl_device_list_head_t {
++	struct rsbac_acl_device_list_item_t *head;
++	struct rsbac_acl_device_list_item_t *tail;
++	struct rsbac_acl_device_list_item_t *curr;
++	u_int count;
++};
++
++
++/**********************************************/
++/* ACL entries for Device ACL                 */
++/**********************************************/
++
++#define RSBAC_ACL_DEV_FILENAME "acldev"
++#define RSBAC_ACL_DEV_MAJOR_FILENAME "acldevm"
++#define RSBAC_ACL_DEV_LIST_VERSION 4
++#define RSBAC_ACL_DEV_OLD_LIST_VERSION 3
++#define RSBAC_ACL_DEV_OLD_OLD_LIST_VERSION 2
++#define RSBAC_ACL_DEV_OLD_OLD_OLD_LIST_VERSION 1
++#define RSBAC_ACL_DEF_DEV_FILENAME "acldev.df"
++#define RSBAC_ACL_DEF_DEV_LIST_VERSION 3
++#define RSBAC_ACL_DEF_DEV_OLD_LIST_VERSION 2
++#define RSBAC_ACL_DEF_DEV_OLD_OLD_LIST_VERSION 1
++
++/**********************************************/
++/* ACL entries for IPC ACL                    */
++/**********************************************/
++
++#define RSBAC_ACL_DEF_IPC_FILENAME "aclipc.df"
++#define RSBAC_ACL_DEF_IPC_LIST_VERSION 3
++#define RSBAC_ACL_DEF_IPC_OLD_LIST_VERSION 2
++#define RSBAC_ACL_DEF_IPC_OLD_OLD_LIST_VERSION 1
++
++/**********************************************/
++/* ACL entries for SCD ACL                    */
++/**********************************************/
++
++#define RSBAC_ACL_SCD_FILENAME "aclscd"
++#define RSBAC_ACL_DEF_SCD_FILENAME "aclscd.df"
++#define RSBAC_ACL_SCD_LIST_VERSION 3
++#define RSBAC_ACL_SCD_OLD_LIST_VERSION 2
++#define RSBAC_ACL_SCD_OLD_OLD_LIST_VERSION 1
++#define RSBAC_ACL_DEF_SCD_LIST_VERSION 3
++#define RSBAC_ACL_DEF_SCD_OLD_LIST_VERSION 2
++#define RSBAC_ACL_DEF_SCD_OLD_OLD_LIST_VERSION 1
++
++/**********************************************/
++/* ACL entries for user ACL                   */
++/**********************************************/
++
++#define RSBAC_ACL_U_FILENAME "acluser"
++#define RSBAC_ACL_U_LIST_VERSION 2
++#define RSBAC_ACL_U_OLD_LIST_VERSION 1
++#define RSBAC_ACL_DEF_U_FILENAME "acluser.df"
++#define RSBAC_ACL_DEF_U_LIST_VERSION 3
++#define RSBAC_ACL_DEF_U_OLD_LIST_VERSION 2
++#define RSBAC_ACL_DEF_U_OLD_OLD_LIST_VERSION 1
++
++/**********************************************/
++/* ACL entries for process ACL                */
++/**********************************************/
++
++#define RSBAC_ACL_DEF_P_FILENAME "aclproc.df"
++#define RSBAC_ACL_DEF_P_LIST_VERSION 3
++#define RSBAC_ACL_DEF_P_OLD_LIST_VERSION 2
++#define RSBAC_ACL_DEF_P_OLD_OLD_LIST_VERSION 1
++
++/**********************************************/
++/* ACL entries for Linux group ACL            */
++/**********************************************/
++
++#define RSBAC_ACL_G_FILENAME "acllgrp"
++#define RSBAC_ACL_G_LIST_VERSION 2
++#define RSBAC_ACL_G_OLD_LIST_VERSION 1
++#define RSBAC_ACL_DEF_G_FILENAME "acllgrp.df"
++#define RSBAC_ACL_DEF_G_LIST_VERSION 3
++#define RSBAC_ACL_DEF_G_OLD_LIST_VERSION 2
++#define RSBAC_ACL_DEF_G_OLD_OLD_LIST_VERSION 1
++
++/**********************************************/
++/* ACL entries for Network Device ACL         */
++/**********************************************/
++
++#define RSBAC_ACL_NETDEV_FILENAME "aclndev"
++#define RSBAC_ACL_NETDEV_LIST_VERSION 3
++#define RSBAC_ACL_NETDEV_OLD_LIST_VERSION 2
++#define RSBAC_ACL_NETDEV_OLD_OLD_LIST_VERSION 1
++#define RSBAC_ACL_DEF_NETDEV_FILENAME "aclndev.df"
++#define RSBAC_ACL_DEF_NETDEV_LIST_VERSION 3
++#define RSBAC_ACL_DEF_NETDEV_OLD_LIST_VERSION 2
++#define RSBAC_ACL_DEF_NETDEV_OLD_OLD_LIST_VERSION 1
++
++/**********************************************/
++/* ACL entries for Network Template NT (template protection) ACL */
++/**********************************************/
++
++#define RSBAC_ACL_NETTEMP_NT_FILENAME "aclntnt"
++#define RSBAC_ACL_NETTEMP_NT_LIST_VERSION 3
++#define RSBAC_ACL_NETTEMP_NT_OLD_LIST_VERSION 2
++#define RSBAC_ACL_NETTEMP_NT_OLD_OLD_LIST_VERSION 1
++#define RSBAC_ACL_DEF_NETTEMP_NT_FILENAME "aclntnt.df"
++#define RSBAC_ACL_DEF_NETTEMP_NT_LIST_VERSION 3
++#define RSBAC_ACL_DEF_NETTEMP_NT_OLD_LIST_VERSION 2
++#define RSBAC_ACL_DEF_NETTEMP_NT_OLD_OLD_LIST_VERSION 1
++
++/**********************************************/
++/* ACL entries for Network Object ACL         */
++/**********************************************/
++
++#define RSBAC_ACL_NETTEMP_FILENAME "aclnt"
++#define RSBAC_ACL_NETTEMP_LIST_VERSION 3
++#define RSBAC_ACL_NETTEMP_OLD_LIST_VERSION 2
++#define RSBAC_ACL_NETTEMP_OLD_OLD_LIST_VERSION 1
++#define RSBAC_ACL_NETOBJ_FILENAME "aclno"
++#define RSBAC_ACL_NETOBJ_LIST_VERSION 3
++#define RSBAC_ACL_NETOBJ_OLD_LIST_VERSION 2
++#define RSBAC_ACL_NETOBJ_OLD_OLD_LIST_VERSION 1
++#define RSBAC_ACL_DEF_NETOBJ_FILENAME "aclno.df"
++#define RSBAC_ACL_DEF_NETOBJ_LIST_VERSION 3
++#define RSBAC_ACL_DEF_NETOBJ_OLD_LIST_VERSION 2
++#define RSBAC_ACL_DEF_NETOBJ_OLD_OLD_LIST_VERSION 1
++
++
++/**********************************************/
++/* Group Lists                                */
++/**********************************************/
++
++#define RSBAC_ACL_GROUP_FILENAME "aclgrp"
++#define RSBAC_ACL_GM_FILENAME "aclgm"
++
++/* In acl_types.h: #define RSBAC_ACL_GROUP_VERSION 2 */
++
++#define RSBAC_ACL_GM_VERSION 2
++#define RSBAC_ACL_GM_OLD_VERSION 1
++
++#endif
+diff --git a/include/rsbac/acl_getname.h b/include/rsbac/acl_getname.h
+new file mode 100644
+index 0000000..638b43c
+--- /dev/null
++++ b/include/rsbac/acl_getname.h
+@@ -0,0 +1,42 @@
++/********************************* */
++/* Rule Set Based Access Control   */
++/* Author and (c) 1999-2001:       */
++/*   Amon Ott <ao@...>       */
++/* Getname functions for ACL parts */
++/* Last modified: 02/Aug/2001      */
++/********************************* */
++
++#ifndef __RSBAC_ACL_GETNAME_H
++#define __RSBAC_ACL_GETNAME_H
++
++#include <rsbac/types.h>
++
++char * get_acl_subject_type_name(char * name,
++                                 enum rsbac_acl_subject_type_t value);
++
++#ifndef __KERNEL__
++enum rsbac_acl_subject_type_t get_acl_subject_type_nr(const char * name);
++#endif
++
++char * get_acl_group_syscall_name(char * name,
++                                  enum rsbac_acl_group_syscall_type_t value);
++
++#ifndef __KERNEL__
++enum rsbac_acl_group_syscall_type_t get_acl_group_syscall_nr(const char * name);
++#endif
++
++char * get_acl_special_right_name(char * name,
++                            enum rsbac_acl_special_rights_t value);
++
++#ifndef __KERNEL__
++enum rsbac_acl_special_rights_t get_acl_special_right_nr(const char * name);
++#endif
++
++char * get_acl_scd_type_name(char * name,
++                             enum rsbac_acl_scd_type_t value);
++
++#ifndef __KERNEL__
++enum rsbac_acl_scd_type_t get_acl_scd_type_nr(const char * name);
++#endif
++
++#endif
+diff --git a/include/rsbac/acl_types.h b/include/rsbac/acl_types.h
+new file mode 100644
+index 0000000..601dcd7
+--- /dev/null
++++ b/include/rsbac/acl_types.h
+@@ -0,0 +1,344 @@
++/************************************ */
++/* Rule Set Based Access Control      */
++/* Author and (c) 1999-2012:          */
++/*   Amon Ott <ao@...>          */
++/* API: Data types for attributes     */
++/*      and standard module calls     */
++/* Last modified: 08/May/2012         */
++/************************************ */
++
++#ifndef __RSBAC_ACL_TYPES_H
++#define __RSBAC_ACL_TYPES_H
++
++#include <linux/types.h>
++
++#define RSBAC_ACL_TTL_KEEP RSBAC_LIST_TTL_KEEP
++
++#define RSBAC_ACL_MAX_MAXNUM 1000000
++
++enum rsbac_acl_subject_type_t {ACLS_USER, ACLS_ROLE, ACLS_GROUP, ACLS_NONE};
++
++typedef __u8 rsbac_acl_int_subject_type_t;
++typedef __u64 rsbac_acl_subject_id_t;
++typedef __u32 rsbac_acl_old_subject_id_t;
++
++#define RSBAC_ACL_GROUP_EVERYONE 0
++
++#define RSBAC_ACL_ROLE_EVERYROLE 64
++
++#define RSBAC_ACL_OLD_SPECIAL_RIGHT_BASE 48
++#define RSBAC_ACL_SPECIAL_RIGHT_BASE 56
++
++enum rsbac_acl_special_rights_t
++  { ACLR_FORWARD = RSBAC_ACL_SPECIAL_RIGHT_BASE,
++    ACLR_ACCESS_CONTROL,
++    ACLR_SUPERVISOR,
++    ACLR_NONE};
++
++typedef __u64 rsbac_acl_rights_vector_t;
++
++#define RSBAC_ACL_RIGHTS_VECTOR(x) ((rsbac_acl_rights_vector_t) 1 << (x))
++
++#define RSBAC_ACL_SPECIAL_RIGHTS_VECTOR (\
++  ((rsbac_acl_rights_vector_t) 1 << ACLR_FORWARD) | \
++  ((rsbac_acl_rights_vector_t) 1 << ACLR_ACCESS_CONTROL) | \
++  ((rsbac_acl_rights_vector_t) 1 << ACLR_SUPERVISOR) \
++  )
++
++#define RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR (\
++  ((rsbac_acl_rights_vector_t) 1 << ACLR_SUPERVISOR) \
++  )
++#define RSBAC_NWS_REQUEST_VECTOR RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR
++
++#define RSBAC_ACL_ACCESS_CONTROL_RIGHT_VECTOR (\
++  ((rsbac_acl_rights_vector_t) 1 << ACLR_ACCESS_CONTROL) \
++  )
++#define RSBAC_NWA_REQUEST_VECTOR RSBAC_ACL_ACCESS_CONTROL_RIGHT_VECTOR
++
++#define RSBAC_ACL_ALL_RIGHTS_VECTOR (RSBAC_ALL_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR)
++
++#define RSBAC_ACL_DEFAULT_FD_MASK (RSBAC_FD_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR)
++#define RSBAC_ACL_DEFAULT_DEV_MASK (RSBAC_DEV_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR)
++#define RSBAC_ACL_DEFAULT_SCD_MASK (RSBAC_SCD_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR)
++#define RSBAC_ACL_DEFAULT_U_MASK (RSBAC_USER_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR)
++#define RSBAC_ACL_DEFAULT_G_MASK (RSBAC_GROUP_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR)
++#define RSBAC_ACL_DEFAULT_NETDEV_MASK (RSBAC_NETDEV_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR)
++#define RSBAC_ACL_DEFAULT_NETTEMP_MASK (RSBAC_NETTEMP_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR)
++#define RSBAC_ACL_DEFAULT_NETOBJ_MASK (RSBAC_NETOBJ_REQUEST_VECTOR | RSBAC_ACL_SPECIAL_RIGHTS_VECTOR)
++
++#define RSBAC_ACL_USER_RIGHTS_VECTOR (RSBAC_USER_REQUEST_VECTOR \
++                                      | RSBAC_ACL_RIGHTS_VECTOR(R_DELETE))
++
++#define RSBAC_ACL_GROUP_RIGHTS_VECTOR RSBAC_GROUP_REQUEST_VECTOR
++
++#define RSBAC_ACL_GEN_RIGHTS_VECTOR 0
++
++#define RSBAC_ACL_ACMAN_RIGHTS_VECTOR (\
++  ((rsbac_acl_rights_vector_t) 1 << ACLR_FORWARD) | \
++  ((rsbac_acl_rights_vector_t) 1 << ACLR_ACCESS_CONTROL) | \
++  ((rsbac_acl_rights_vector_t) 1 << ACLR_SUPERVISOR) \
++  )
++
++#define RSBAC_ACL_SYSADM_RIGHTS_VECTOR 0
++
++/*
++ * System Control Types, including general SCD types
++ * (start at 32 to allow future SCD types, max is 63)
++ * (should always be same as in RC model)
++ */
++#define AST_min 32
++enum rsbac_acl_scd_type_t{AST_auth_administration = AST_min,
++                          AST_none};
++
++/* note: the desc struct must be the same as the beginning of the entry struct! */
++struct rsbac_acl_entry_t
++  {
++    rsbac_acl_int_subject_type_t subj_type;  /* enum rsbac_acl_subject_type_t */
++    rsbac_acl_subject_id_t       subj_id;
++    rsbac_acl_rights_vector_t    rights;
++  };
++
++struct rsbac_acl_entry_desc_t
++  {
++    rsbac_acl_int_subject_type_t subj_type;  /* enum rsbac_acl_subject_type_t */
++    rsbac_acl_subject_id_t       subj_id;
++  };
++
++struct rsbac_acl_old_entry_desc_t
++  {
++    rsbac_acl_int_subject_type_t subj_type;  /* enum rsbac_acl_subject_type_t */
++    rsbac_acl_old_subject_id_t   subj_id;
++  };
++
++enum rsbac_acl_group_type_t {ACLG_GLOBAL, ACLG_PRIVATE, ACLG_NONE};
++
++typedef __u32 rsbac_acl_group_id_t;
++
++#define RSBAC_ACL_GROUP_NAMELEN 16
++
++#define RSBAC_ACL_GROUP_VERSION 2
++
++struct rsbac_acl_group_entry_t
++  {
++         rsbac_acl_group_id_t   id;
++         rsbac_uid_t            owner;
++    enum rsbac_acl_group_type_t type;
++         char                   name[RSBAC_ACL_GROUP_NAMELEN];
++  };
++
++/**** syscalls ****/
++
++enum rsbac_acl_syscall_type_t
++  {
++    ACLC_set_acl_entry,
++    ACLC_remove_acl_entry,
++    ACLC_remove_acl,
++    ACLC_add_to_acl_entry,
++    ACLC_remove_from_acl_entry,
++    ACLC_set_mask,
++    ACLC_remove_user,
++    ACLC_none
++  };
++
++struct rsbac_acl_syscall_arg_t
++  {
++    enum   rsbac_target_t              target;
++    union  rsbac_target_id_t           tid;
++    enum   rsbac_acl_subject_type_t    subj_type;
++           rsbac_acl_subject_id_t      subj_id;
++           rsbac_acl_rights_vector_t   rights;
++           rsbac_time_t                ttl;
++  };
++
++struct rsbac_acl_syscall_n_arg_t
++  {
++    enum   rsbac_target_t              target;
++           char                        __user * name;
++    enum   rsbac_acl_subject_type_t    subj_type;
++           rsbac_acl_subject_id_t      subj_id;
++           rsbac_acl_rights_vector_t   rights;
++           rsbac_time_t                ttl;
++  };
++
++
++enum rsbac_acl_group_syscall_type_t
++  {
++    ACLGS_add_group,
++    ACLGS_change_group,
++    ACLGS_remove_group,
++    ACLGS_get_group_entry,
++    ACLGS_list_groups,
++    ACLGS_add_member,
++    ACLGS_remove_member,
++    ACLGS_get_user_groups,
++    ACLGS_get_group_members,
++    ACLGS_none
++  };
++
++struct rsbac_acl_add_group_arg_t
++  {
++    enum rsbac_acl_group_type_t type;
++    char __user * name;
++    rsbac_acl_group_id_t * group_id_p;
++  };
++
++struct rsbac_acl_change_group_arg_t
++  {
++         rsbac_acl_group_id_t     id;
++         rsbac_uid_t              owner;
++    enum rsbac_acl_group_type_t   type;
++         char                  __user * name;
++  };
++
++struct rsbac_acl_remove_group_arg_t
++  {
++    rsbac_acl_group_id_t id;
++  };
++
++struct rsbac_acl_get_group_entry_arg_t
++  {
++    rsbac_acl_group_id_t id;
++    struct rsbac_acl_group_entry_t __user * entry_p;
++  };
++
++struct rsbac_acl_list_groups_arg_t
++  {
++    rsbac_boolean_t        include_global;
++    struct rsbac_acl_group_entry_t __user * group_entry_array;
++    u_int                  maxnum;
++  };
++
++struct rsbac_acl_add_member_arg_t
++  {
++    rsbac_acl_group_id_t group;
++    rsbac_uid_t          user;
++    rsbac_time_t ttl;
++  };
++
++struct rsbac_acl_remove_member_arg_t
++  {
++    rsbac_acl_group_id_t group;
++    rsbac_uid_t          user;
++  };
++
++struct rsbac_acl_get_user_groups_arg_t
++  {
++    rsbac_uid_t            user;
++    rsbac_acl_group_id_t   __user * group_array;
++    rsbac_time_t           __user * ttl_array;
++    u_int                  maxnum;
++  };
++
++struct rsbac_acl_get_group_members_arg_t
++  {
++    rsbac_acl_group_id_t   group;
++    rsbac_uid_t            __user * user_array;
++    rsbac_time_t           __user * ttl_array;
++    u_int                  maxnum;
++  };
++
++union rsbac_acl_group_syscall_arg_t
++  {
++    struct rsbac_acl_add_group_arg_t         add_group;
++    struct rsbac_acl_change_group_arg_t      change_group;
++    struct rsbac_acl_remove_group_arg_t      remove_group;
++    struct rsbac_acl_get_group_entry_arg_t   get_group_entry;
++    struct rsbac_acl_list_groups_arg_t       list_groups;
++    struct rsbac_acl_add_member_arg_t        add_member;
++    struct rsbac_acl_remove_member_arg_t     remove_member;
++    struct rsbac_acl_get_user_groups_arg_t   get_user_groups;
++    struct rsbac_acl_get_group_members_arg_t get_group_members;
++  };
++
++/*
++ * 32 Bit emulation support on x86_64 system
++ */
++
++#ifdef CONFIG_IA32_EMULATION
++struct rsbac_acl_syscall_n_arg_ia32_t
++  {
++    enum   rsbac_target_t              target;
++           __u32                       name;
++    enum   rsbac_acl_subject_type_t    subj_type;
++           rsbac_acl_subject_id_t      subj_id;
++           rsbac_acl_rights_vector_t   rights;
++           rsbac_time_t                ttl;
++  };
++
++struct rsbac_acl_add_group_arg_ia32_t
++  {
++    enum rsbac_acl_group_type_t type;
++    __u32 name;
++    __u32 group_id_p;
++  };
++
++struct rsbac_acl_change_group_arg_ia32_t
++  {
++         rsbac_acl_group_id_t     id;
++         rsbac_uid_t              owner;
++    enum rsbac_acl_group_type_t   type;
++         __u32                    name;
++  };
++
++struct rsbac_acl_remove_group_arg_ia32_t
++  {
++    rsbac_acl_group_id_t id;
++  };
++
++struct rsbac_acl_get_group_entry_arg_ia32_t
++  {
++    rsbac_acl_group_id_t id;
++    __u32                entry_p;
++  };
++
++struct rsbac_acl_list_groups_arg_ia32_t
++  {
++    rsbac_boolean_t include_global;
++    __u32           group_entry_array;
++    __u32           maxnum;
++  };
++
++struct rsbac_acl_add_member_arg_ia32_t
++  {
++    rsbac_acl_group_id_t group;
++    rsbac_uid_t          user;
++    rsbac_time_t ttl;
++  };
++
++struct rsbac_acl_remove_member_arg_ia32_t
++  {
++    rsbac_acl_group_id_t group;
++    rsbac_uid_t          user;
++  };
++
++struct rsbac_acl_get_user_groups_arg_ia32_t
++  {
++    rsbac_uid_t user;
++    __u32       group_array;
++    __u32       ttl_array;
++    __u32       maxnum;
++  };
++
++struct rsbac_acl_get_group_members_arg_ia32_t
++  {
++    rsbac_acl_group_id_t   group;
++    rsbac_uid_t            __user * user_array;
++    rsbac_time_t           __user * ttl_array;
++    __u32                  maxnum;
++  };
++
++union rsbac_acl_group_syscall_arg_ia32_t
++  {
++    struct rsbac_acl_add_group_arg_ia32_t         add_group;
++    struct rsbac_acl_change_group_arg_ia32_t      change_group;
++    struct rsbac_acl_remove_group_arg_ia32_t      remove_group;
++    struct rsbac_acl_get_group_entry_arg_ia32_t   get_group_entry;
++    struct rsbac_acl_list_groups_arg_ia32_t       list_groups;
++    struct rsbac_acl_add_member_arg_ia32_t        add_member;
++    struct rsbac_acl_remove_member_arg_ia32_t     remove_member;
++    struct rsbac_acl_get_user_groups_arg_ia32_t   get_user_groups;
++    struct rsbac_acl_get_group_members_arg_ia32_t get_group_members;
++  };
++#endif
++
++#endif
+diff --git a/include/rsbac/adf.h b/include/rsbac/adf.h
+new file mode 100644
+index 0000000..0a7aa68
+--- /dev/null
++++ b/include/rsbac/adf.h
+@@ -0,0 +1,138 @@
++/******************************* */
++/* Rule Set Based Access Control */
++/* Author and (c) 1999-2009:     */
++/*   Amon Ott <ao@...>     */
++/* API: for Access Control       */
++/* Decision Facility             */
++/* Last modified: 16/Jan/2009    */
++/******************************* */
++
++#ifndef __RSBAC_ADF_H
++#define __RSBAC_ADF_H
++
++#include <linux/init.h>
++#include <linux/binfmts.h>
++#include <asm/page.h>
++#include <rsbac/types.h>
++#include <rsbac/debug.h>
++#include <rsbac/fs.h>
++
++/***************************************************/
++/*                   Prototypes                    */
++/***************************************************/
++
++/* Init function */
++#ifdef CONFIG_RSBAC_INIT_DELAY
++extern  void rsbac_init_adf(void);
++#else
++extern  void rsbac_init_adf(void) __init;
++#endif
++
++/* This function is the internal decision function, called from the next. */
++/* It allows to ignore a certain module (last parameter), e.g. for asking */
++/* all _other_ modules, but not the calling module, to avoid a circle.    */
++
++extern enum rsbac_adf_req_ret_t
++   rsbac_adf_request_int(enum  rsbac_adf_request_t     request,
++                               rsbac_pid_t             caller_pid,
++                         enum  rsbac_target_t          target,
++                         union rsbac_target_id_t     * tid_p,
++                         enum  rsbac_attribute_t       attr,
++                         union rsbac_attribute_value_t * attr_val_p,
++                         enum  rsbac_switch_target_t   ignore_module);
++
++/*********************************************************************/
++/* rsbac_adf_request()                                               */
++/* This function is the main decision function, called from the AEF. */
++/* It is a simple wrapper to the internal function, setting          */
++/* ignore_module to SW_NONE.                                         */
++
++static inline enum rsbac_adf_req_ret_t
++   rsbac_adf_request( enum  rsbac_adf_request_t     request,
++                            rsbac_pid_t             caller_pid,
++                      enum  rsbac_target_t          target,
++                      union rsbac_target_id_t       tid,
++                      enum  rsbac_attribute_t       attr,
++                      union rsbac_attribute_value_t attr_val)
++  {
++    return rsbac_adf_request_int(request,
++                                 caller_pid,
++                                 target,
++                                 &tid,
++                                 attr,
++                                 &attr_val,
++                                 SW_NONE);
++  }
++
++
++/* If the request returned granted and the operation is performed,           */
++/* the following function is called by the AEF to get all aci set correctly. */
++/* The second instance of target specification is the new target, if one has */
++/* been created, otherwise its values are ignored.                           */
++/* It returns 0 on success and an error from error.h otherwise.              */
++
++extern  int  rsbac_adf_set_attr(     enum  rsbac_adf_request_t,
++                                           rsbac_pid_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_attribute_t,
++                                     union rsbac_attribute_value_t);
++
++#include <linux/types.h>
++#include <linux/dcache.h>
++
++int rsbac_sec_del(struct dentry * dentry_p, u_int may_sync);
++
++int rsbac_sec_trunc(struct dentry * dentry_p,
++                    loff_t new_len, loff_t old_len);
++
++/* This function changes the symlink content by adding a suffix, if
++ * requested. It returns NULL, if unchanged, or a pointer to a
++ * kmalloc'd new char * otherwise, which has to be kfree'd after use.
++ */
++char * rsbac_symlink_redirect(
++  struct inode * inode_p,
++  const char * name,
++  u_int maxlen);
++
++#ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE_PART
++extern int rsbac_dac_part_disabled(struct dentry * dentry_p);
++#endif
++
++#ifdef CONFIG_RSBAC_FAKE_ROOT_UID
++extern rsbac_uid_t rsbac_fake_uid(void);
++extern rsbac_uid_t rsbac_fake_euid(void);
++extern int rsbac_uid_faked(void);
++#endif
++
++int rsbac_cap_check_envp(struct linux_binprm *bprm);
++
++extern int rsbac_handle_filldir(const struct file *file, const char *name, const unsigned int namlen, const ino_t ino);
++
++int rsbac_set_audit_uid(rsbac_uid_t uid);
++
++/* Mostly copied from drivers/char/mem.c */
++static inline rsbac_boolean_t rsbac_is_videomem(unsigned long pfn, unsigned long size)
++{
++/* Intel architecture is a security disaster */
++#if defined X86_64 || defined X86
++
++	u64 from = ((u64)pfn) << PAGE_SHIFT;
++	u64 to = from + size;
++	u64 cursor = from;
++
++	while (cursor < to) {
++		if (!devmem_is_allowed(pfn)) {
++			return FALSE;
++		}
++		cursor += PAGE_SIZE;
++		pfn++;
++	}
++	return TRUE;
++#endif
++	return TRUE;
++};
++
++#endif
+diff --git a/include/rsbac/adf_main.h b/include/rsbac/adf_main.h
+new file mode 100644
+index 0000000..ffba0b8
+--- /dev/null
++++ b/include/rsbac/adf_main.h
+@@ -0,0 +1,836 @@
++/************************************ */
++/* Rule Set Based Access Control      */
++/* Author and (c) 1999-2010:          */
++/*   Amon Ott <ao@...>          */
++/* Data Structs etc. for Access       */
++/* Control Decision Facility          */
++/* Last modified: 21/May/2010         */
++/************************************ */
++
++#ifndef __RSBAC_ADF_MAIN_H
++#define __RSBAC_ADF_MAIN_H
++
++#include <linux/sched.h>
++#include <rsbac/types.h>
++
++#if defined(CONFIG_RSBAC_REG) || defined(CONFIG_RSBAC_REG_MAINT)
++#include <rsbac/reg.h>
++#endif
++
++#ifdef CONFIG_RSBAC_SECDEL
++#include <linux/dcache.h>
++#endif
++
++/***************************************************/
++/*              Global Variables                   */
++/***************************************************/
++
++extern __u64 rsbac_adf_request_count[T_NONE+1];
++extern __u64 rsbac_adf_set_attr_count[T_NONE+1];
++#ifdef CONFIG_RSBAC_XSTATS
++extern __u64 rsbac_adf_request_xcount[T_NONE+1][R_NONE];
++extern __u64 rsbac_adf_set_attr_xcount[T_NONE+1][R_NONE];
++#endif
++
++/* Bitmasks to ignore some requests on some modules */
++
++#ifdef CONFIG_RSBAC_MAC
++#define RSBAC_MAC_REQUEST_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_ADD_TO_KERNEL) | \
++  ((rsbac_request_vector_t) 1 << R_ALTER) | \
++  ((rsbac_request_vector_t) 1 << R_APPEND_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_GROUP) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_CHDIR) | \
++  ((rsbac_request_vector_t) 1 << R_CLOSE) | \
++  ((rsbac_request_vector_t) 1 << R_CREATE) | \
++  ((rsbac_request_vector_t) 1 << R_DELETE) | \
++  ((rsbac_request_vector_t) 1 << R_EXECUTE) | \
++  ((rsbac_request_vector_t) 1 << R_GET_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_LINK_HARD) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ACCESS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MOUNT) | \
++  ((rsbac_request_vector_t) 1 << R_READ) | \
++  ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_READ_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_READ_WRITE_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_REMOVE_FROM_KERNEL) | \
++  ((rsbac_request_vector_t) 1 << R_RENAME) | \
++  ((rsbac_request_vector_t) 1 << R_SEARCH) | \
++  ((rsbac_request_vector_t) 1 << R_SEND_SIGNAL) | \
++  ((rsbac_request_vector_t) 1 << R_SHUTDOWN) | \
++  ((rsbac_request_vector_t) 1 << R_SWITCH_LOG) | \
++  ((rsbac_request_vector_t) 1 << R_SWITCH_MODULE) | \
++  ((rsbac_request_vector_t) 1 << R_TRACE) | \
++  ((rsbac_request_vector_t) 1 << R_TRUNCATE) | \
++  ((rsbac_request_vector_t) 1 << R_UMOUNT) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_MAP_EXEC) | \
++  ((rsbac_request_vector_t) 1 << R_BIND) | \
++  ((rsbac_request_vector_t) 1 << R_LISTEN) | \
++  ((rsbac_request_vector_t) 1 << R_ACCEPT) | \
++  ((rsbac_request_vector_t) 1 << R_CONNECT) | \
++  ((rsbac_request_vector_t) 1 << R_SEND) | \
++  ((rsbac_request_vector_t) 1 << R_RECEIVE) \
++  )
++#define RSBAC_MAC_SET_ATTR_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_APPEND_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_CLONE) | \
++  ((rsbac_request_vector_t) 1 << R_CREATE) | \
++  ((rsbac_request_vector_t) 1 << R_DELETE) | \
++  ((rsbac_request_vector_t) 1 << R_EXECUTE) | \
++  ((rsbac_request_vector_t) 1 << R_MOUNT) | \
++  ((rsbac_request_vector_t) 1 << R_READ) | \
++  ((rsbac_request_vector_t) 1 << R_READ_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_READ_WRITE_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_SEARCH) | \
++  ((rsbac_request_vector_t) 1 << R_TRACE) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_BIND) | \
++  ((rsbac_request_vector_t) 1 << R_LISTEN) | \
++  ((rsbac_request_vector_t) 1 << R_ACCEPT) | \
++  ((rsbac_request_vector_t) 1 << R_CONNECT) | \
++  ((rsbac_request_vector_t) 1 << R_SEND) | \
++  ((rsbac_request_vector_t) 1 << R_RECEIVE) \
++  )
++#endif
++
++#ifdef CONFIG_RSBAC_PM
++#define RSBAC_PM_REQUEST_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_ADD_TO_KERNEL) | \
++  ((rsbac_request_vector_t) 1 << R_APPEND_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_GROUP) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_CLONE) | \
++  ((rsbac_request_vector_t) 1 << R_CLOSE) | \
++  ((rsbac_request_vector_t) 1 << R_CREATE) | \
++  ((rsbac_request_vector_t) 1 << R_DELETE) | \
++  ((rsbac_request_vector_t) 1 << R_EXECUTE) | \
++  ((rsbac_request_vector_t) 1 << R_LINK_HARD) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ACCESS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MOUNT) | \
++  ((rsbac_request_vector_t) 1 << R_READ) | \
++  ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_READ_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_READ_WRITE_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_REMOVE_FROM_KERNEL) | \
++  ((rsbac_request_vector_t) 1 << R_RENAME) | \
++  ((rsbac_request_vector_t) 1 << R_SEND_SIGNAL) | \
++  ((rsbac_request_vector_t) 1 << R_SHUTDOWN) | \
++  ((rsbac_request_vector_t) 1 << R_SWITCH_LOG) | \
++  ((rsbac_request_vector_t) 1 << R_SWITCH_MODULE) | \
++  ((rsbac_request_vector_t) 1 << R_TERMINATE) | \
++  ((rsbac_request_vector_t) 1 << R_TRACE) | \
++  ((rsbac_request_vector_t) 1 << R_TRUNCATE) | \
++  ((rsbac_request_vector_t) 1 << R_UMOUNT) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \
++  )
++#define RSBAC_PM_SET_ATTR_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_APPEND_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_CLONE) | \
++  ((rsbac_request_vector_t) 1 << R_CREATE) | \
++  ((rsbac_request_vector_t) 1 << R_EXECUTE) | \
++  ((rsbac_request_vector_t) 1 << R_READ) | \
++  ((rsbac_request_vector_t) 1 << R_READ_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_READ_WRITE_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE_OPEN) \
++  )
++#endif
++
++#ifdef CONFIG_RSBAC_DAZ
++#define RSBAC_DAZ_REQUEST_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_APPEND_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_CLOSE) | \
++  ((rsbac_request_vector_t) 1 << R_DELETE) | \
++  ((rsbac_request_vector_t) 1 << R_EXECUTE) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_READ_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_READ_WRITE_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_SWITCH_MODULE) \
++  )
++#define RSBAC_DAZ_SET_ATTR_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_APPEND_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_CLONE) | \
++  ((rsbac_request_vector_t) 1 << R_CLOSE) | \
++  ((rsbac_request_vector_t) 1 << R_DELETE) | \
++  ((rsbac_request_vector_t) 1 << R_EXECUTE) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_READ_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_READ_WRITE_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_SWITCH_MODULE) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE_OPEN) )
++#endif
++
++#ifdef CONFIG_RSBAC_FF
++#if defined(CONFIG_RSBAC_FF_UM_PROT)
++#define RSBAC_FF_REQUEST_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_APPEND_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_GROUP) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_CHDIR) | \
++  ((rsbac_request_vector_t) 1 << R_CREATE) | \
++  ((rsbac_request_vector_t) 1 << R_DELETE) | \
++  ((rsbac_request_vector_t) 1 << R_EXECUTE) | \
++  ((rsbac_request_vector_t) 1 << R_GET_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_LINK_HARD) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ACCESS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MOUNT) | \
++  ((rsbac_request_vector_t) 1 << R_READ) | \
++  ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_READ_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_READ_WRITE_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_RENAME) | \
++  ((rsbac_request_vector_t) 1 << R_SEARCH) | \
++  ((rsbac_request_vector_t) 1 << R_SWITCH_LOG) | \
++  ((rsbac_request_vector_t) 1 << R_SWITCH_MODULE) | \
++  ((rsbac_request_vector_t) 1 << R_TRUNCATE) | \
++  ((rsbac_request_vector_t) 1 << R_UMOUNT) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \
++  )
++#else
++#define RSBAC_FF_REQUEST_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_APPEND_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_GROUP) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_EFF_GROUP) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_FS_GROUP) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_EFF_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_FS_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_CHDIR) | \
++  ((rsbac_request_vector_t) 1 << R_CREATE) | \
++  ((rsbac_request_vector_t) 1 << R_DELETE) | \
++  ((rsbac_request_vector_t) 1 << R_EXECUTE) | \
++  ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_LINK_HARD) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ACCESS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MOUNT) | \
++  ((rsbac_request_vector_t) 1 << R_READ) | \
++  ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_READ_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_READ_WRITE_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_RENAME) | \
++  ((rsbac_request_vector_t) 1 << R_SEARCH) | \
++  ((rsbac_request_vector_t) 1 << R_SWITCH_LOG) | \
++  ((rsbac_request_vector_t) 1 << R_SWITCH_MODULE) | \
++  ((rsbac_request_vector_t) 1 << R_TRUNCATE) | \
++  ((rsbac_request_vector_t) 1 << R_UMOUNT) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \
++  )
++#endif
++#endif
++
++#ifdef CONFIG_RSBAC_AUTH
++#if defined(CONFIG_RSBAC_AUTH_UM_PROT)
++#define RSBAC_AUTH_REQUEST_VECTOR_UM (\
++  ((rsbac_request_vector_t) 1 << R_CREATE) | \
++  ((rsbac_request_vector_t) 1 << R_DELETE) | \
++  ((rsbac_request_vector_t) 1 << R_GET_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_RENAME) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE) )
++#else
++#define RSBAC_AUTH_REQUEST_VECTOR_UM 0
++#endif
++#if defined(CONFIG_RSBAC_AUTH_UM_PROT) || defined(CONFIG_RSBAC_AUTH_GROUP)
++#define RSBAC_AUTH_REQUEST_VECTOR_CG ((rsbac_request_vector_t) 1 << R_CHANGE_GROUP)
++#else
++#define RSBAC_AUTH_REQUEST_VECTOR_CG 0
++#endif
++#if defined(CONFIG_RSBAC_AUTH_GROUP) && defined (CONFIG_RSBAC_AUTH_DAC_GROUP)
++#define RSBAC_AUTH_REQUEST_VECTOR_DG ( \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_EFF_GROUP) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_FS_GROUP) )
++#else
++#define RSBAC_AUTH_REQUEST_VECTOR_DG 0
++#endif
++#if defined (CONFIG_RSBAC_AUTH_DAC_OWNER)
++#define RSBAC_AUTH_REQUEST_VECTOR_DO ( \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_EFF_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_FS_OWNER) )
++#else
++#define RSBAC_AUTH_REQUEST_VECTOR_DO 0
++#endif
++#if defined (CONFIG_RSBAC_AUTH_AUTH_PROT)
++#define RSBAC_AUTH_REQUEST_VECTOR_AA ( \
++  ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_SWITCH_LOG) | \
++  ((rsbac_request_vector_t) 1 << R_SWITCH_MODULE) )
++#else
++#define RSBAC_AUTH_REQUEST_VECTOR_AA 0
++#endif
++
++#define RSBAC_AUTH_REQUEST_VECTOR (\
++  RSBAC_AUTH_REQUEST_VECTOR_UM | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_OWNER) | \
++  RSBAC_AUTH_REQUEST_VECTOR_CG | \
++  RSBAC_AUTH_REQUEST_VECTOR_DG | \
++  RSBAC_AUTH_REQUEST_VECTOR_DO | \
++  RSBAC_AUTH_REQUEST_VECTOR_AA | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) \
++  )
++
++#if defined (CONFIG_RSBAC_AUTH_AUTH_PROT)
++#define RSBAC_AUTH_SET_ATTR_VECTOR_AA ( \
++  ((rsbac_request_vector_t) 1 << R_APPEND_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_GROUP) | \
++  ((rsbac_request_vector_t) 1 << R_DELETE) | \
++  ((rsbac_request_vector_t) 1 << R_LINK_HARD) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ACCESS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_READ_WRITE_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_RENAME) | \
++  ((rsbac_request_vector_t) 1 << R_TRUNCATE) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE_OPEN) )
++#else
++#define RSBAC_AUTH_SET_ATTR_VECTOR_AA 0
++#endif
++#define RSBAC_AUTH_SET_ATTR_VECTOR (\
++  RSBAC_AUTH_SET_ATTR_VECTOR_AA | \
++  ((rsbac_request_vector_t) 1 << R_CLONE) | \
++  ((rsbac_request_vector_t) 1 << R_EXECUTE) \
++  )
++#endif
++
++#ifdef CONFIG_RSBAC_CAP
++#ifdef CONFIG_RSBAC_CAP_PROC_HIDE
++#define RSBAC_CAP_REQUEST_VECTOR ( \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_GROUP) | \
++  ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_SEND_SIGNAL) | \
++  ((rsbac_request_vector_t) 1 << R_SWITCH_LOG) | \
++  ((rsbac_request_vector_t) 1 << R_SWITCH_MODULE) | \
++  ((rsbac_request_vector_t) 1 << R_TRACE) )
++#else
++#define RSBAC_CAP_REQUEST_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_SWITCH_LOG) | \
++  ((rsbac_request_vector_t) 1 << R_SWITCH_MODULE) )
++#endif
++#if defined (CONFIG_RSBAC_CAP_PROC_HIDE) || defined(CONFIG_RSBAC_CAP_LOG_MISSING)
++#define RSBAC_CAP_SET_ATTR_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_CHANGE_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_CLONE) | \
++  ((rsbac_request_vector_t) 1 << R_EXECUTE) )
++#else
++#define RSBAC_CAP_SET_ATTR_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_CHANGE_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_EXECUTE) )
++#endif
++#endif
++
++#ifdef CONFIG_RSBAC_JAIL
++#define RSBAC_JAIL_REQUEST_VECTOR ( \
++  ((rsbac_request_vector_t) 1 << R_ADD_TO_KERNEL) | \
++  ((rsbac_request_vector_t) 1 << R_ALTER) | \
++  ((rsbac_request_vector_t) 1 << R_APPEND_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_CREATE) | \
++  ((rsbac_request_vector_t) 1 << R_DELETE) | \
++  ((rsbac_request_vector_t) 1 << R_GET_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MOUNT) | \
++  ((rsbac_request_vector_t) 1 << R_READ) | \
++  ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_READ_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_READ_WRITE_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_REMOVE_FROM_KERNEL) | \
++  ((rsbac_request_vector_t) 1 << R_SEND_SIGNAL) | \
++  ((rsbac_request_vector_t) 1 << R_SHUTDOWN) | \
++  ((rsbac_request_vector_t) 1 << R_SWITCH_LOG) | \
++  ((rsbac_request_vector_t) 1 << R_SWITCH_MODULE) | \
++  ((rsbac_request_vector_t) 1 << R_TRACE) | \
++  ((rsbac_request_vector_t) 1 << R_UMOUNT) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_BIND) | \
++  ((rsbac_request_vector_t) 1 << R_LISTEN) | \
++  ((rsbac_request_vector_t) 1 << R_ACCEPT) | \
++  ((rsbac_request_vector_t) 1 << R_CONNECT) | \
++  ((rsbac_request_vector_t) 1 << R_SEND) | \
++  ((rsbac_request_vector_t) 1 << R_RECEIVE) | \
++  ((rsbac_request_vector_t) 1 << R_NET_SHUTDOWN) )
++#define RSBAC_JAIL_SET_ATTR_VECTOR ( \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_CLONE) | \
++  ((rsbac_request_vector_t) 1 << R_CREATE) | \
++  ((rsbac_request_vector_t) 1 << R_EXECUTE) | \
++  ((rsbac_request_vector_t) 1 << R_CONNECT) | \
++  ((rsbac_request_vector_t) 1 << R_BIND) )
++#endif
++
++#ifdef CONFIG_RSBAC_PAX
++#define RSBAC_PAX_REQUEST_VECTOR ( \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_SWITCH_LOG) | \
++  ((rsbac_request_vector_t) 1 << R_SWITCH_MODULE) )
++#endif
++
++#ifdef CONFIG_RSBAC_RES
++#define RSBAC_RES_REQUEST_VECTOR ( \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_SWITCH_LOG) | \
++  ((rsbac_request_vector_t) 1 << R_SWITCH_MODULE) )
++#define RSBAC_RES_SET_ATTR_VECTOR ( \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_EXECUTE) )
++#endif
++
++/***************************************************/
++/*              General Prototypes                 */
++/***************************************************/
++
++/* We call this function in kernel/sched.c         */
++extern struct task_struct * find_process_by_pid(pid_t);
++
++#ifdef CONFIG_RSBAC_DEBUG
++extern  enum rsbac_adf_req_ret_t
++   rsbac_adf_request_check (enum  rsbac_adf_request_t     request,
++                                  rsbac_pid_t             caller_pid,
++                            enum  rsbac_target_t          target,
++                            union rsbac_target_id_t     * tid_p,
++                            enum  rsbac_attribute_t       attr,
++                            union rsbac_attribute_value_t * attr_val_p,
++                                  rsbac_uid_t             owner);
++
++extern int rsbac_adf_set_attr_check( enum  rsbac_adf_request_t,
++                                           rsbac_pid_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_attribute_t,
++                                     union rsbac_attribute_value_t,
++                                           rsbac_uid_t); /* process owner */
++#endif
++
++extern enum rsbac_adf_req_ret_t
++    adf_and_plus(enum rsbac_adf_req_ret_t res1,
++                 enum rsbac_adf_req_ret_t res2);
++
++/***************************************************/
++/*              Module Prototypes                  */
++/***************************************************/
++
++#if !defined(CONFIG_RSBAC_MAINT)
++
++/******* MAC ********/
++
++#ifdef CONFIG_RSBAC_MAC
++#ifdef CONFIG_RSBAC_SWITCH_MAC
++extern  rsbac_boolean_t rsbac_switch_mac;
++#endif
++
++extern  enum rsbac_adf_req_ret_t  rsbac_adf_request_mac(
++                                     enum  rsbac_adf_request_t,
++                                           rsbac_pid_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_attribute_t,
++                                     union rsbac_attribute_value_t,
++                                           rsbac_uid_t); /* process owner */
++
++extern  int  rsbac_adf_set_attr_mac( enum  rsbac_adf_request_t,
++                                           rsbac_pid_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_attribute_t,
++                                     union rsbac_attribute_value_t,
++                                           rsbac_uid_t); /* process owner */
++
++#endif  /* MAC */
++
++
++/******* PM ********/
++
++#ifdef CONFIG_RSBAC_PM
++#ifdef CONFIG_RSBAC_SWITCH_PM
++extern  rsbac_boolean_t rsbac_switch_pm;
++#endif
++
++extern  enum rsbac_adf_req_ret_t  rsbac_adf_request_pm(
++                                     enum  rsbac_adf_request_t,
++                                           rsbac_pid_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_attribute_t,
++                                     union rsbac_attribute_value_t,
++                                           rsbac_uid_t); /* process owner */
++
++extern  int  rsbac_adf_set_attr_pm ( enum  rsbac_adf_request_t,
++                                           rsbac_pid_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_attribute_t,
++                                     union rsbac_attribute_value_t,
++                                           rsbac_uid_t); /* process owner */
++
++#ifdef CONFIG_RSBAC_SECDEL
++extern rsbac_boolean_t rsbac_need_overwrite_pm(struct dentry * dentry_p);
++#endif
++
++#endif  /* PM */
++
++/******* DAZ ********/
++
++#ifdef CONFIG_RSBAC_DAZ
++#ifdef CONFIG_RSBAC_SWITCH_DAZ
++extern  rsbac_boolean_t rsbac_switch_daz;
++#endif
++
++extern  enum rsbac_adf_req_ret_t  rsbac_adf_request_daz(
++                                     enum  rsbac_adf_request_t,
++                                           rsbac_pid_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_attribute_t,
++                                     union rsbac_attribute_value_t,
++                                           rsbac_uid_t); /* process owner */
++
++extern  int  rsbac_adf_set_attr_daz (enum  rsbac_adf_request_t,
++                                           rsbac_pid_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_attribute_t,
++                                     union rsbac_attribute_value_t,
++                                           rsbac_uid_t); /* process owner */
++
++#endif  /* DAZ */
++ 
++/******* FF ********/
++
++#ifdef CONFIG_RSBAC_FF
++#ifdef CONFIG_RSBAC_SWITCH_FF
++extern  rsbac_boolean_t rsbac_switch_ff;
++#endif
++
++extern  enum rsbac_adf_req_ret_t  rsbac_adf_request_ff(
++                                     enum  rsbac_adf_request_t,
++                                           rsbac_pid_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_attribute_t,
++                                     union rsbac_attribute_value_t,
++                                           rsbac_uid_t); /* process owner */
++
++extern  int  rsbac_adf_set_attr_ff ( enum  rsbac_adf_request_t,
++                                           rsbac_pid_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_attribute_t,
++                                     union rsbac_attribute_value_t,
++                                           rsbac_uid_t); /* process owner */
++
++#ifdef CONFIG_RSBAC_SECDEL
++extern rsbac_boolean_t rsbac_need_overwrite_ff(struct dentry * dentry_p);
++#endif
++
++#endif  /* FF */
++ 
++/******* RC ********/
++
++#ifdef CONFIG_RSBAC_RC
++#ifdef CONFIG_RSBAC_SWITCH_RC
++extern  rsbac_boolean_t rsbac_switch_rc;
++#endif
++
++extern  enum rsbac_adf_req_ret_t  rsbac_adf_request_rc(
++                                     enum  rsbac_adf_request_t,
++                                           rsbac_pid_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_attribute_t,
++                                     union rsbac_attribute_value_t,
++                                           rsbac_uid_t); /* process owner */
++
++extern  int  rsbac_adf_set_attr_rc ( enum  rsbac_adf_request_t,
++                                           rsbac_pid_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_attribute_t,
++                                     union rsbac_attribute_value_t,
++                                           rsbac_uid_t); /* process owner */
++
++/* Secure delete/truncate for this module */
++#ifdef CONFIG_RSBAC_SECDEL
++extern rsbac_boolean_t rsbac_need_overwrite_rc(struct dentry * dentry_p);
++#endif
++#endif  /* RC */
++
++/****** AUTH *******/
++
++#ifdef CONFIG_RSBAC_AUTH
++#ifdef CONFIG_RSBAC_SWITCH_AUTH
++extern  rsbac_boolean_t rsbac_switch_auth;
++#endif
++
++extern  enum rsbac_adf_req_ret_t  rsbac_adf_request_auth(
++                                     enum  rsbac_adf_request_t,
++                                           rsbac_pid_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_attribute_t,
++                                     union rsbac_attribute_value_t,
++                                           rsbac_uid_t); /* process owner */
++
++extern  int  rsbac_adf_set_attr_auth(enum  rsbac_adf_request_t,
++                                           rsbac_pid_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_attribute_t,
++                                     union rsbac_attribute_value_t,
++                                           rsbac_uid_t); /* process owner */
++
++#endif /* AUTH */
++
++/****** ACL *******/
++
++#ifdef CONFIG_RSBAC_ACL
++#ifdef CONFIG_RSBAC_SWITCH_ACL
++extern  rsbac_boolean_t rsbac_switch_acl;
++#endif
++
++extern  enum rsbac_adf_req_ret_t  rsbac_adf_request_acl(
++                                     enum  rsbac_adf_request_t,
++                                           rsbac_pid_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_attribute_t,
++                                     union rsbac_attribute_value_t,
++                                           rsbac_uid_t); /* process owner */
++
++extern  int  rsbac_adf_set_attr_acl (enum  rsbac_adf_request_t,
++                                           rsbac_pid_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_attribute_t,
++                                     union rsbac_attribute_value_t,
++                                           rsbac_uid_t); /* process owner */
++
++#endif /* ACL */
++
++/****** CAP *******/
++
++#ifdef CONFIG_RSBAC_CAP
++#ifdef CONFIG_RSBAC_SWITCH_CAP
++extern  rsbac_boolean_t rsbac_switch_cap;
++#endif
++
++extern  enum rsbac_adf_req_ret_t  rsbac_adf_request_cap(
++                                     enum  rsbac_adf_request_t,
++                                           rsbac_pid_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_attribute_t,
++                                     union rsbac_attribute_value_t,
++                                           rsbac_uid_t); /* process owner */
++
++extern  int  rsbac_adf_set_attr_cap (enum  rsbac_adf_request_t,
++                                           rsbac_pid_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_attribute_t,
++                                     union rsbac_attribute_value_t,
++                                           rsbac_uid_t); /* process owner */
++
++#endif /* CAP */
++
++/****** JAIL *******/
++
++#ifdef CONFIG_RSBAC_JAIL
++#ifdef CONFIG_RSBAC_SWITCH_JAIL
++extern  rsbac_boolean_t rsbac_switch_jail;
++#endif
++
++extern  enum rsbac_adf_req_ret_t  rsbac_adf_request_jail(
++                                     enum  rsbac_adf_request_t,
++                                           rsbac_pid_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_attribute_t,
++                                     union rsbac_attribute_value_t,
++                                           rsbac_uid_t); /* process owner */
++
++extern  int  rsbac_adf_set_attr_jail(enum  rsbac_adf_request_t,
++                                           rsbac_pid_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_attribute_t,
++                                     union rsbac_attribute_value_t,
++                                           rsbac_uid_t); /* process owner */
++
++#endif /* JAIL */
++
++/******* PAX ********/
++
++#ifdef CONFIG_RSBAC_PAX
++#ifdef CONFIG_RSBAC_SWITCH_PAX
++extern  rsbac_boolean_t rsbac_switch_pax;
++#endif
++
++extern  enum rsbac_adf_req_ret_t  rsbac_adf_request_pax(
++                                     enum  rsbac_adf_request_t,
++                                           rsbac_pid_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_attribute_t,
++                                     union rsbac_attribute_value_t,
++                                           rsbac_uid_t); /* process owner */
++
++extern  int  rsbac_adf_set_attr_pax( enum  rsbac_adf_request_t,
++                                           rsbac_pid_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_attribute_t,
++                                     union rsbac_attribute_value_t,
++                                           rsbac_uid_t); /* process owner */
++
++#endif  /* PAX */
++
++
++/****** RES *******/
++
++#ifdef CONFIG_RSBAC_RES
++#ifdef CONFIG_RSBAC_SWITCH_RES
++extern  rsbac_boolean_t rsbac_switch_res;
++#endif
++
++extern  enum rsbac_adf_req_ret_t  rsbac_adf_request_res(
++                                     enum  rsbac_adf_request_t,
++                                           rsbac_pid_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_attribute_t,
++                                     union rsbac_attribute_value_t,
++                                           rsbac_uid_t); /* process owner */
++
++extern  int  rsbac_adf_set_attr_res (enum  rsbac_adf_request_t,
++                                           rsbac_pid_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_attribute_t,
++                                     union rsbac_attribute_value_t,
++                                           rsbac_uid_t); /* process owner */
++
++#ifdef CONFIG_RSBAC_SECDEL
++extern inline rsbac_boolean_t rsbac_need_overwrite_res(struct dentry * dentry_p)
++  {
++    return FALSE;
++  }
++#endif
++#endif /* RES */
++
++/****** REG *******/
++
++#if defined(CONFIG_RSBAC_REG)
++extern  enum rsbac_adf_req_ret_t  rsbac_adf_request_reg(
++                                     enum  rsbac_adf_request_t,
++                                           rsbac_pid_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_attribute_t,
++                                     union rsbac_attribute_value_t,
++                                           rsbac_uid_t); /* process owner */
++
++extern  int  rsbac_adf_set_attr_reg (enum  rsbac_adf_request_t,
++                                           rsbac_pid_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_attribute_t,
++                                     union rsbac_attribute_value_t,
++                                           rsbac_uid_t); /* process owner */
++
++#ifdef CONFIG_RSBAC_SECDEL
++extern inline rsbac_boolean_t rsbac_need_overwrite_reg(struct dentry * dentry_p)
++  {
++    return FALSE;
++  }
++#endif
++#endif /* REG */
++
++#endif /* !MAINT */
++
++#if defined(CONFIG_RSBAC_REG) || defined(CONFIG_RSBAC_REG_MAINT)
++/* Init */
++#ifdef CONFIG_RSBAC_INIT_DELAY
++void rsbac_reg_init(void);
++#else
++void rsbac_reg_init(void) __init;
++#endif
++
++/* mounting and umounting */
++extern int rsbac_mount_reg(kdev_t kdev);
++extern int rsbac_umount_reg(kdev_t kdev);
++
++/* RSBAC attribute saving to disk can be triggered from outside
++ * param: call lock_kernel() before writing?
++ */
++#if defined(CONFIG_RSBAC_AUTO_WRITE)
++extern int rsbac_write_reg(void);
++#endif /* CONFIG_RSBAC_AUTO_WRITE */
++
++/* Status checking */
++extern int rsbac_check_reg(int correct, int check_inode);
++
++#endif /* REG */
++
++#endif /* End of adf_main.h */
+diff --git a/include/rsbac/adf_syshelpers.h b/include/rsbac/adf_syshelpers.h
+new file mode 100644
+index 0000000..ccec900
+--- /dev/null
++++ b/include/rsbac/adf_syshelpers.h
+@@ -0,0 +1,285 @@
++/************************************ */
++/* Rule Set Based Access Control      */
++/* Author and (c) 1999-2012:          */
++/*   Amon Ott <ao@...>          */
++/*                                    */
++/* Helper Prototypes for model        */
++/* specific system calls              */
++/* Last modified: 07/May/2012         */
++/************************************ */
++
++#ifndef __RSBAC_ADF_SYSHELPERS_H
++#define __RSBAC_ADF_SYSHELPERS_H
++
++/* #include <linux/sched.h> */
++#include <rsbac/types.h>
++
++/***************************************************/
++/*              Global Variables                   */
++/***************************************************/
++
++/***************************************************/
++/*              General Prototypes                 */
++/***************************************************/
++
++/***************************************************/
++/*              Module Prototypes                  */
++/***************************************************/
++
++/******* MAC ********/
++
++#if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT)
++int  rsbac_mac_set_curr_level(rsbac_security_level_t level,
++                              rsbac_mac_category_vector_t categories);
++
++int  rsbac_mac_get_curr_level(rsbac_security_level_t * level_p,
++                              rsbac_mac_category_vector_t * categories_p);
++
++int  rsbac_mac_get_max_level(rsbac_security_level_t * level_p,
++                             rsbac_mac_category_vector_t * categories_p);
++
++int  rsbac_mac_get_min_level(rsbac_security_level_t * level_p,
++                             rsbac_mac_category_vector_t * categories_p);
++
++int rsbac_mac_add_p_tru(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_pid_t pid,
++  rsbac_uid_t uid,
++  rsbac_time_t ttl);
++
++int rsbac_mac_remove_p_tru(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_pid_t pid,
++  rsbac_uid_t uid);
++
++int rsbac_mac_add_f_tru(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_mac_file_t file,
++  rsbac_uid_t uid,
++  rsbac_time_t ttl);
++
++int rsbac_mac_remove_f_tru(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_mac_file_t file,
++  rsbac_uid_t uid);
++
++#endif  /* MAC */
++
++
++/******* PM ********/
++
++#if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT)
++/* This function is called via sys_rsbac_pm() system call                    */
++/* and serves as a dispatcher for all PM dependant system calls.             */
++
++int rsbac_pm(
++        rsbac_list_ta_number_t ta_number,
++  enum  rsbac_pm_function_type_t,
++  union rsbac_pm_function_param_t,
++        rsbac_pm_tkt_id_t);
++
++int rsbac_pm_change_current_task(rsbac_pm_task_id_t);
++
++int rsbac_pm_create_file(const char *,                /* filename */
++                         int,                         /* creation mode */
++                         rsbac_pm_object_class_id_t); /* class for file */
++#endif  /* PM */
++
++/******* FF ********/
++
++/******* RC ********/
++
++#if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
++/* These functions in adf/rc/syscalls.c are called via sys_* system calls    */
++/* and check for validity before passing the call to the rc_data_structures. */
++
++/* All roles are always there, so instead of creation, we supply a copy for */
++/* initialization. There is always the well-defined role general to copy    */
++extern int rsbac_rc_sys_copy_role (
++  rsbac_list_ta_number_t ta_number,
++  rsbac_rc_role_id_t from_role,
++  rsbac_rc_role_id_t to_role);
++
++extern int rsbac_rc_sys_copy_type (
++        rsbac_list_ta_number_t ta_number,
++  enum  rsbac_rc_target_t      target,
++        rsbac_rc_type_id_t     from_type,
++        rsbac_rc_type_id_t     to_type);
++
++/* Getting item values */
++extern int rsbac_rc_sys_get_item (
++  rsbac_list_ta_number_t ta_number,
++  enum  rsbac_rc_target_t       target,
++  union rsbac_rc_target_id_t    tid,
++  union rsbac_rc_target_id_t    subtid,
++  enum  rsbac_rc_item_t         item,
++  union rsbac_rc_item_value_t * value_p,
++        rsbac_time_t          * ttl_p);
++
++/* Setting item values */
++extern int rsbac_rc_sys_set_item (
++  rsbac_list_ta_number_t ta_number,
++  enum  rsbac_rc_target_t       target,
++  union rsbac_rc_target_id_t    tid,
++  union rsbac_rc_target_id_t    subtid,
++  enum  rsbac_rc_item_t         item,
++  union rsbac_rc_item_value_t   value,
++        rsbac_time_t            ttl);
++
++/* Set own role, if allowed ( = in role_comp vector of current role) */
++extern int rsbac_rc_sys_change_role (rsbac_rc_role_id_t role, char __user * pass);
++
++/* Getting own effective rights */
++int rsbac_rc_sys_get_eff_rights (
++  rsbac_list_ta_number_t ta_number,
++  enum  rsbac_target_t       target,
++  union rsbac_target_id_t    tid,
++        rsbac_rc_request_vector_t * request_vector,
++        rsbac_time_t          * ttl_p);
++
++int rsbac_rc_sys_get_current_role (rsbac_rc_role_id_t * role_p);
++
++#endif  /* RC || RC_MAINT */
++
++/****** AUTH *******/
++
++#if defined(CONFIG_RSBAC_AUTH) || defined(CONFIG_RSBAC_AUTH_MAINT)
++/* This function is called via sys_rsbac_auth_add_p_cap() system call */
++int rsbac_auth_add_p_cap(
++         rsbac_list_ta_number_t ta_number,
++         rsbac_pid_t pid,
++  enum   rsbac_auth_cap_type_t cap_type,
++  struct rsbac_auth_cap_range_t cap_range,
++         rsbac_time_t ttl);
++
++/* This function is called via sys_rsbac_auth_remove_p_cap() system call */
++int rsbac_auth_remove_p_cap(
++         rsbac_list_ta_number_t ta_number,
++         rsbac_pid_t pid,
++  enum   rsbac_auth_cap_type_t cap_type,
++  struct rsbac_auth_cap_range_t cap_range);
++
++/* This function is called via sys_rsbac_auth_add_f_cap() system call */
++int rsbac_auth_add_f_cap(
++         rsbac_list_ta_number_t ta_number,
++         rsbac_auth_file_t file,
++  enum   rsbac_auth_cap_type_t cap_type,
++  struct rsbac_auth_cap_range_t cap_range,
++         rsbac_time_t ttl);
++
++/* This function is called via sys_rsbac_auth_remove_f_cap() system call */
++int rsbac_auth_remove_f_cap(
++         rsbac_list_ta_number_t ta_number,
++         rsbac_auth_file_t file,
++  enum   rsbac_auth_cap_type_t cap_type,
++  struct rsbac_auth_cap_range_t cap_range);
++
++#endif  /* AUTH || AUTH_MAINT */
++
++/****** REG *******/
++
++#if defined(CONFIG_RSBAC_REG) || defined(CONFIG_RSBAC_REG_MAINT)
++/*
++ * System call dispatcher
++ * Returns 0 on success or -EINVALIDTARGET, if handle is invalid.
++ */
++
++int rsbac_reg_syscall(rsbac_reg_handle_t handle,
++                      void __user * arg);
++#endif /* REG || REG_MAINT */
++
++/****** ACL *******/
++
++#if defined(CONFIG_RSBAC_ACL) || defined(CONFIG_RSBAC_ACL_MAINT)
++int rsbac_acl_sys_set_acl_entry(
++         rsbac_list_ta_number_t      ta_number,
++  enum   rsbac_target_t              target,
++  union  rsbac_target_id_t           tid,
++  enum   rsbac_acl_subject_type_t    subj_type,
++         rsbac_acl_subject_id_t      subj_id,
++         rsbac_acl_rights_vector_t   rights,
++         rsbac_time_t                ttl);
++
++int rsbac_acl_sys_remove_acl_entry(
++         rsbac_list_ta_number_t      ta_number,
++  enum   rsbac_target_t              target,
++  union  rsbac_target_id_t           tid,
++  enum   rsbac_acl_subject_type_t    subj_type,
++         rsbac_acl_subject_id_t      subj_id);
++
++int rsbac_acl_sys_remove_acl(
++         rsbac_list_ta_number_t      ta_number,
++  enum   rsbac_target_t              target,
++  union  rsbac_target_id_t           tid);
++
++int rsbac_acl_sys_add_to_acl_entry(
++         rsbac_list_ta_number_t      ta_number,
++  enum   rsbac_target_t              target,
++  union  rsbac_target_id_t           tid,
++  enum   rsbac_acl_subject_type_t    subj_type,
++         rsbac_acl_subject_id_t      subj_id,
++         rsbac_acl_rights_vector_t   rights,
++         rsbac_time_t                ttl);
++
++int rsbac_acl_sys_remove_from_acl_entry(
++         rsbac_list_ta_number_t      ta_number,
++  enum   rsbac_target_t              target,
++  union  rsbac_target_id_t           tid,
++  enum   rsbac_acl_subject_type_t    subj_type,
++         rsbac_acl_subject_id_t      subj_id,
++         rsbac_acl_rights_vector_t   rights);
++
++int rsbac_acl_sys_set_mask(
++         rsbac_list_ta_number_t      ta_number,
++  enum   rsbac_target_t              target,
++  union  rsbac_target_id_t           tid,
++         rsbac_acl_rights_vector_t   mask);
++
++int rsbac_acl_sys_remove_user(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_uid_t uid);
++
++int rsbac_acl_sys_get_mask(
++         rsbac_list_ta_number_t      ta_number,
++  enum   rsbac_target_t              target,
++  union  rsbac_target_id_t           tid,
++         rsbac_acl_rights_vector_t * mask_p);
++
++
++int rsbac_acl_sys_get_rights(
++         rsbac_list_ta_number_t      ta_number,
++  enum   rsbac_target_t              target,
++  union  rsbac_target_id_t           tid,
++  enum   rsbac_acl_subject_type_t    subj_type,
++         rsbac_acl_subject_id_t      subj_id,
++         rsbac_acl_rights_vector_t * rights_p,
++         rsbac_boolean_t             inherit);
++
++int rsbac_acl_sys_get_tlist(
++         rsbac_list_ta_number_t    ta_number,
++  enum   rsbac_target_t            target,
++  union  rsbac_target_id_t         tid,
++  struct rsbac_acl_entry_t      ** entry_pp,
++         rsbac_time_t           ** ttl_pp);
++
++int rsbac_acl_sys_group(
++        rsbac_list_ta_number_t         ta_number,
++  enum  rsbac_acl_group_syscall_type_t call,
++  union rsbac_acl_group_syscall_arg_t  arg);
++
++#endif  /* ACL || ACL_MAINT */
++
++/****** JAIL *******/
++
++#if defined(CONFIG_RSBAC_JAIL)
++/* This function is called via sys_rsbac_jail() system call */
++int rsbac_jail_sys_jail(rsbac_version_t version,
++                        char __user * path,
++                        rsbac_jail_ip_t ip,
++                        rsbac_jail_flags_t flags,
++                        rsbac_cap_vector_t max_caps,
++                        rsbac_jail_scd_vector_t scd_get,
++                        rsbac_jail_scd_vector_t scd_modify);
++#endif
++
++#endif /* End of adf_syshelpers.h */
+diff --git a/include/rsbac/auth.h b/include/rsbac/auth.h
+new file mode 100644
+index 0000000..b213a03
+--- /dev/null
++++ b/include/rsbac/auth.h
+@@ -0,0 +1,154 @@
++/************************************ */
++/* Rule Set Based Access Control      */
++/* Author and (c) 1999-2005:          */
++/*   Amon Ott <ao@...>          */
++/* API: Data structures               */
++/* and functions for Access           */
++/* Control Information / AUTH         */
++/* Last modified: 09/Feb/2005         */
++/************************************ */
++
++#ifndef __RSBAC_AUTH_H
++#define __RSBAC_AUTH_H
++
++#include <linux/init.h>
++#include <rsbac/types.h>
++
++/***************************************************/
++/*               General Prototypes                */
++/***************************************************/
++
++/* All functions return 0, if no error occurred, and a negative error code  */
++/* otherwise. The error codes are defined in rsbac_error.h.                 */
++
++/****************************************************************************/
++/* Initialization, including ACI restoration for all mounted devices from   */
++/* disk. After this call, all ACI is kept in memory for performance reasons,*/
++/* but user and file/dir object ACI are written to disk on every change.    */
++
++#ifdef CONFIG_RSBAC_INIT_DELAY
++extern int rsbac_init_auth(void);
++#else
++extern int rsbac_init_auth(void) __init;
++#endif
++
++/* mounting and umounting */
++int rsbac_mount_auth(kdev_t kdev);
++int rsbac_umount_auth(kdev_t kdev);
++
++/* Some information about the current status is also available */
++extern int rsbac_stats_auth(void);
++
++/* Status checking */
++extern int rsbac_check_auth(int correct, int check_inode);
++
++/* RSBAC attribute saving to disk can be triggered from outside
++ * param: call lock_kernel() before writing?
++ */
++#if defined(CONFIG_RSBAC_MAINT) || defined(CONFIG_RSBAC_AUTO_WRITE)
++extern int rsbac_write_auth(rsbac_boolean_t);
++#endif /* CONFIG_RSBAC_AUTO_WRITE */
++
++/************************************************* */
++/*               Access functions                  */
++/************************************************* */
++
++/* All these procedures handle the semaphores to protect the targets during */
++/* access.                                                                  */
++/* Trying to access a never created or removed set returns an error!        */
++
++/* rsbac_auth_add_to_p_capset */
++/* Add a set member to a set sublist. Set behaviour: also returns success, */
++/* if member was already in set! */
++
++int rsbac_auth_add_to_p_capset(
++         rsbac_list_ta_number_t ta_number,
++         rsbac_pid_t pid,
++  enum   rsbac_auth_cap_type_t cap_type,
++  struct rsbac_auth_cap_range_t cap_range,
++         rsbac_time_t ttl);
++
++int rsbac_auth_add_to_f_capset(
++         rsbac_list_ta_number_t ta_number,
++         rsbac_auth_file_t file,
++  enum   rsbac_auth_cap_type_t cap_type,
++  struct rsbac_auth_cap_range_t cap_range,
++         rsbac_time_t ttl);
++
++/* rsbac_auth_remove_from_p_capset */
++/* Remove a set member from a sublist. Set behaviour: Returns no error, if */
++/* member is not in list.                                                  */
++
++int rsbac_auth_remove_from_p_capset(
++         rsbac_list_ta_number_t ta_number,
++         rsbac_pid_t pid,
++  enum   rsbac_auth_cap_type_t cap_type,
++  struct rsbac_auth_cap_range_t cap_range);
++
++int rsbac_auth_remove_from_f_capset(
++        rsbac_list_ta_number_t ta_number,
++        rsbac_auth_file_t file,
++  enum  rsbac_auth_cap_type_t cap_type,
++  struct rsbac_auth_cap_range_t cap_range);
++
++/* rsbac_auth_clear_p_capset */
++/* Remove all set members from a sublist. Set behaviour: Returns no error, */
++/* if list is empty.                                                       */
++
++int rsbac_auth_clear_p_capset(
++       rsbac_list_ta_number_t ta_number,
++       rsbac_pid_t pid,
++  enum rsbac_auth_cap_type_t cap_type);
++
++int rsbac_auth_clear_f_capset(
++       rsbac_list_ta_number_t ta_number,
++       rsbac_auth_file_t file,
++  enum rsbac_auth_cap_type_t cap_type);
++
++/* rsbac_auth_p_capset_member */
++/* Return truth value, whether member is in set */
++
++rsbac_boolean_t  rsbac_auth_p_capset_member(rsbac_pid_t pid,
++                                    enum rsbac_auth_cap_type_t cap_type,
++                                    rsbac_uid_t member);
++
++/* rsbac_auth_remove_p_capset */
++/* Remove a full set. After this call the given id can only be used for */
++/* creating a new set, anything else returns an error.                  */
++/* To empty an existing set use rsbac_auth_clear_p_capset.                */
++
++int rsbac_auth_remove_p_capsets(rsbac_pid_t pid);
++
++int rsbac_auth_remove_f_capsets(rsbac_auth_file_t file);
++
++/* rsbac_auth_copy_fp_capset */
++/* copy a file capset to a process capset */
++int rsbac_auth_copy_fp_capset(rsbac_auth_file_t    file,
++                              rsbac_pid_t p_cap_set_id);
++
++/* rsbac_auth_copy_pp_capset */
++/* copy a process capset to another process capset */
++int rsbac_auth_copy_pp_capset(rsbac_pid_t old_p_set_id,
++                              rsbac_pid_t new_p_set_id);
++
++/* rsbac_auth_get_f_caplist */
++/* copy a file/dir capset to an array of length 2 * maxnum (first+last), */
++/* returns number of caps copied */
++int rsbac_auth_get_f_caplist(
++         rsbac_list_ta_number_t ta_number,
++         rsbac_auth_file_t file,
++  enum   rsbac_auth_cap_type_t cap_type,
++  struct rsbac_auth_cap_range_t **caplist_p,
++         rsbac_time_t **ttllist_p);
++
++/* rsbac_auth_get_p_caplist */
++/* copy a process capset to an array of length 2 * maxnum (first+last), */
++/* returns number of caps copied */
++int rsbac_auth_get_p_caplist(
++         rsbac_list_ta_number_t ta_number,
++         rsbac_pid_t pid,
++  enum   rsbac_auth_cap_type_t cap_type,
++  struct rsbac_auth_cap_range_t **caplist_p,
++         rsbac_time_t **ttllist_p);
++
++#endif
+diff --git a/include/rsbac/auth_data_structures.h b/include/rsbac/auth_data_structures.h
+new file mode 100644
+index 0000000..4ffaa20
+--- /dev/null
++++ b/include/rsbac/auth_data_structures.h
+@@ -0,0 +1,97 @@
++/**************************************/
++/* Rule Set Based Access Control      */
++/* Author and (c) 1999-2007:          */
++/*   Amon Ott <ao@...> */
++/* Data structures / AUTH             */
++/* Last modified: 16/Sep/2007         */
++/**************************************/
++
++#ifndef __RSBAC_AUTH_DATA_STRUC_H
++#define __RSBAC_AUTH_DATA_STRUC_H
++
++#include <linux/types.h>
++#include <rsbac/aci.h>
++#include <rsbac/types.h>
++
++/**********************************************/
++/* Capability lists                           */
++/**********************************************/
++
++#define RSBAC_AUTH_LIST_KEY 626281
++
++#define RSBAC_AUTH_P_LIST_VERSION 1
++#define RSBAC_AUTH_P_LIST_NAME "authproc"
++#define RSBAC_AUTH_P_EFF_LIST_NAME "authproceff"
++#define RSBAC_AUTH_P_FS_LIST_NAME "authprocfs"
++#define RSBAC_AUTH_P_GROUP_LIST_NAME "authprocgr"
++#define RSBAC_AUTH_P_GROUP_EFF_LIST_NAME "authprocgreff"
++#define RSBAC_AUTH_P_GROUP_FS_LIST_NAME "authprocgrfs"
++
++#define RSBAC_AUTH_FD_FILENAME "authfd"
++#define RSBAC_AUTH_FD_EFF_FILENAME "authfde"
++#define RSBAC_AUTH_FD_FS_FILENAME "authfdf"
++#define RSBAC_AUTH_FD_GROUP_FILENAME "authfg"
++#define RSBAC_AUTH_FD_GROUP_EFF_FILENAME "authfge"
++#define RSBAC_AUTH_FD_GROUP_FS_FILENAME "authfgf"
++#define RSBAC_AUTH_FD_OLD_FILENAME "authfd."
++#define RSBAC_AUTH_FD_OLD_EFF_FILENAME "authfde."
++#define RSBAC_AUTH_FD_OLD_FS_FILENAME "authfdf."
++#define RSBAC_AUTH_FD_OLD_GROUP_FILENAME "authfg."
++#define RSBAC_AUTH_FD_OLD_GROUP_EFF_FILENAME "authfge."
++#define RSBAC_AUTH_FD_OLD_GROUP_FS_FILENAME "authfgf."
++#define RSBAC_AUTH_NR_CAP_FD_LISTS 4
++#define RSBAC_AUTH_NR_CAP_EFF_FD_LISTS 2
++#define RSBAC_AUTH_NR_CAP_FS_FD_LISTS 2
++#define RSBAC_AUTH_NR_CAP_GROUP_FD_LISTS 4
++#define RSBAC_AUTH_NR_CAP_GROUP_EFF_FD_LISTS 2
++#define RSBAC_AUTH_NR_CAP_GROUP_FS_FD_LISTS 2
++
++#define RSBAC_AUTH_FD_LIST_VERSION 2
++#define RSBAC_AUTH_FD_EFF_LIST_VERSION 2
++#define RSBAC_AUTH_FD_FS_LIST_VERSION 2
++#define RSBAC_AUTH_FD_GROUP_LIST_VERSION 2
++#define RSBAC_AUTH_FD_GROUP_EFF_LIST_VERSION 2
++#define RSBAC_AUTH_FD_GROUP_FS_LIST_VERSION 2
++#define RSBAC_AUTH_FD_OLD_LIST_VERSION 1
++#define RSBAC_AUTH_FD_EFF_OLD_LIST_VERSION 1
++#define RSBAC_AUTH_FD_FS_OLD_LIST_VERSION 1
++#define RSBAC_AUTH_FD_GROUP_OLD_LIST_VERSION 1
++#define RSBAC_AUTH_FD_GROUP_EFF_OLD_LIST_VERSION 1
++#define RSBAC_AUTH_FD_GROUP_FS_OLD_LIST_VERSION 1
++
++/* The list of devices is also a double linked list, so we define list    */
++/* items and a list head.                                                 */
++
++struct rsbac_auth_device_list_item_t {
++	kdev_t id;		/* set to 0 before deletion */
++	u_int mount_count;
++	rsbac_list_handle_t handle;
++#ifdef CONFIG_RSBAC_AUTH_DAC_OWNER
++	rsbac_list_handle_t eff_handle;
++	rsbac_list_handle_t fs_handle;
++#endif
++#ifdef CONFIG_RSBAC_AUTH_GROUP
++	rsbac_list_handle_t
++	    group_handle;
++#ifdef CONFIG_RSBAC_AUTH_DAC_OWNER
++	rsbac_list_handle_t
++	    group_eff_handle;
++	rsbac_list_handle_t
++	    group_fs_handle;
++#endif
++#endif
++	struct rsbac_auth_device_list_item_t *prev;
++	struct rsbac_auth_device_list_item_t *next;
++};
++
++/* To provide consistency we use spinlocks for all list accesses. The     */
++/* 'curr' entry is used to avoid repeated lookups for the same item.       */
++
++struct rsbac_auth_device_list_head_t {
++	struct rsbac_auth_device_list_item_t *head;
++	struct rsbac_auth_device_list_item_t *tail;
++	struct rsbac_auth_device_list_item_t *curr;
++	u_int count;
++};
++
++#endif
+diff --git a/include/rsbac/cap_getname.h b/include/rsbac/cap_getname.h
+new file mode 100644
+index 0000000..e5024a4
+--- /dev/null
++++ b/include/rsbac/cap_getname.h
+@@ -0,0 +1,14 @@
++/********************************** */
++/* Rule Set Based Access Control    */
++/* Author and (c) 1999-2005:        */
++/*   Amon Ott <ao@...>        */
++/* Getname functions for CAP module */
++/* Last modified: 28/Jan/2005       */
++/********************************** */
++
++#ifndef __RSBAC_CAP_GETNAME_H
++#define __RSBAC_CAP_GETNAME_H
++
++void rsbac_cap_log_missing_cap(int cap);
++
++#endif
+diff --git a/include/rsbac/daz.h b/include/rsbac/daz.h
+new file mode 100644
+index 0000000..9da0112
+--- /dev/null
++++ b/include/rsbac/daz.h
+@@ -0,0 +1,27 @@
++/************************************ */
++/* Rule Set Based Access Control      */
++/* Author and (c) 1999-2005: Amon Ott */
++/* API:                               */
++/* Functions for Access               */
++/* Control Information / DAZ          */
++/* Last modified: 18/Jan/2005         */
++/************************************ */
++
++#ifndef __RSBAC_DAZ_H
++#define __RSBAC_DAZ_H
++
++#include <rsbac/types.h>
++
++/* Get ttl for new cache items in seconds */
++/* This function returns 0, if no cache is available, and the ttl value
++   otherwise */
++rsbac_time_t rsbac_daz_get_ttl(void);
++
++/* Set ttl for new cache items in seconds */
++/* ttl must be positive, values bigger than 10 years in seconds
++   (RSBAC_LIST_MAX_AGE_LIMIT in lists.h) are reduced to this limit */
++void rsbac_daz_set_ttl(rsbac_time_t ttl);
++
++/* Flush DAZuko cache lists */
++int rsbac_daz_flush_cache(void);
++#endif
+diff --git a/include/rsbac/debug.h b/include/rsbac/debug.h
+new file mode 100644
+index 0000000..2c7ab79
+--- /dev/null
++++ b/include/rsbac/debug.h
+@@ -0,0 +1,288 @@
++/******************************* */
++/* Rule Set Based Access Control */
++/* Author and (c) 1999-2009:     */
++/*   Amon Ott <ao@...>     */
++/* debug definitions             */
++/* Last modified: 03/Oct/2009    */
++/******************************* */
++
++#ifndef __RSBAC_DEBUG_H
++#define __RSBAC_DEBUG_H
++
++#include <linux/init.h>
++//#include <rsbac/types.h>
++
++#define set_rsbac_softmode 1
++#define set_rsbac_softmode_once 2
++#define set_rsbac_softmode_never 4
++#define set_rsbac_freeze 8
++#define set_rsbac_um_no_excl 16
++#define set_rsbac_auth_learn 32
++#define set_rsbac_acl_learn_fd 64
++#define set_rsbac_cap_log_missing 128
++#define set_rsbac_jail_log_missing 256
++#define set_rsbac_dac_disable 512
++#define set_rsbac_no_delay_init 1024
++#define set_rsbac_no_defaults 2048
++#define set_rsbac_nosyslog 4096
++#define set_rsbac_cap_process_hiding 8192
++#define set_rsbac_cap_learn 16384
++#define set_rsbac_rc_learn 32768
++
++extern unsigned long int rsbac_flags;
++extern void rsbac_flags_set(unsigned long int);
++
++extern int rsbac_debug_no_write;
++
++#ifdef CONFIG_RSBAC_DEBUG
++extern int rsbac_debug_ds;
++extern int rsbac_debug_write;
++extern int rsbac_debug_stack;
++extern int rsbac_debug_lists;
++extern int rsbac_debug_aef;
++#endif
++
++extern int rsbac_debug_adf_default;
++extern rsbac_log_entry_t  rsbac_log_levels[R_NONE+1];
++
++#define RSBAC_LOG_LEVELS_NAME "log_levels"
++#define RSBAC_LOG_LEVEL_LIST_NAME "ll"
++#define RSBAC_LOG_LEVEL_VERSION 4
++#define RSBAC_LOG_LEVEL_OLD_VERSION 3
++#define RSBAC_LOG_LEVEL_OLD_OLD_VERSION 2
++#define RSBAC_LOG_LEVEL_KEY 13123231
++
++
++extern int rsbac_no_defaults;
++
++#ifdef CONFIG_RSBAC_INIT_DELAY
++extern void rsbac_init_debug(void);
++#else
++extern void rsbac_init_debug(void) __init;
++#endif
++
++extern rsbac_boolean_t rsbac_parse_koptions(char *);
++
++#define RSBAC_WAKEUP_KEY 'w'
++#define RSBAC_WAKEUP_UKEY 'W'
++
++#ifdef CONFIG_RSBAC_SOFTMODE
++#define RSBAC_SOFTMODE_KEY 'x'
++#define RSBAC_SOFTMODE_UKEY 'X'
++extern int rsbac_softmode;
++extern int rsbac_softmode_prohibit;
++static inline int rsbac_in_softmode(void)
++  {
++    return rsbac_softmode;
++  }
++#ifdef CONFIG_RSBAC_SOFTMODE_IND
++extern int  rsbac_ind_softmode[SW_NONE];
++#endif
++#endif
++
++#if defined(CONFIG_RSBAC_FREEZE)
++extern int rsbac_freeze;
++#endif
++
++extern int rsbac_list_recover;
++
++#ifdef CONFIG_RSBAC_FD_CACHE
++extern rsbac_time_t rsbac_fd_cache_ttl;
++extern u_int rsbac_fd_cache_disable;
++#endif
++
++#if defined(CONFIG_RSBAC_AUTO_WRITE) && (CONFIG_RSBAC_AUTO_WRITE > 0)
++extern rsbac_time_t rsbac_list_check_interval;
++#endif
++
++#if defined(CONFIG_RSBAC_CAP_PROC_HIDE)
++extern int rsbac_cap_process_hiding;
++#endif
++#ifdef CONFIG_RSBAC_CAP_LOG_MISSING
++extern int rsbac_cap_log_missing;
++#endif
++#ifdef CONFIG_RSBAC_JAIL_LOG_MISSING
++extern int rsbac_jail_log_missing;
++#endif
++
++#ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE_FULL
++extern int rsbac_dac_disable;
++extern int rsbac_dac_is_disabled(void);
++#endif
++
++#ifdef CONFIG_RSBAC_RMSG_NOSYSLOG
++extern int rsbac_nosyslog;
++#endif
++
++#ifdef CONFIG_RSBAC_INIT_DELAY
++extern int rsbac_no_delay_init;
++extern kdev_t rsbac_delayed_root;
++extern char rsbac_delayed_root_str[];
++#endif
++
++/* rsbac_printk(): You must always prepend the loglevel. As sequence numbers
++ * are per rsbac_printk() message, it is strongly recommended to output single
++ * full lines only.
++ * Example:
++ * rsbac_printk(KERN_DEBUG "Test value: %u\n", testval);
++ */
++extern int rsbac_printk(const char *, ...);
++
++#ifdef CONFIG_RSBAC_DEBUG
++#define rsbac_pr_debug(type, fmt, arg...) \
++	do { if (rsbac_debug_##type) \
++		rsbac_printk(KERN_DEBUG "%s(): " fmt, __FUNCTION__, ##arg); \
++	} while (0)
++#else
++#define rsbac_pr_debug(type, fmt, arg...) do { } while (0)
++#endif
++
++#define rsbac_pr_get_error(attr) \
++	do { rsbac_ds_get_error (__FUNCTION__, attr); \
++	} while (0)
++#define rsbac_pr_set_error(attr) \
++	do { rsbac_ds_set_error (__FUNCTION__, attr); \
++	} while (0)
++#define rsbac_pr_get_error_num(attr, num) \
++	do { rsbac_ds_get_error_num (__FUNCTION__, attr, num); \
++	} while (0)
++#define rsbac_pr_set_error_num(attr, num) \
++	do { rsbac_ds_set_error_num (__FUNCTION__, attr, num); \
++	} while (0)
++
++#define rsbac_rc_pr_get_error(item) \
++	do { rsbac_rc_ds_get_error (__FUNCTION__, item); \
++	} while (0)
++#define rsbac_rc_pr_set_error(item) \
++	do { rsbac_rc_ds_set_error (__FUNCTION__, item); \
++	} while (0)
++
++#define RSBAC_LOG_MAXLINE 2040
++
++#if defined(CONFIG_RSBAC_RMSG)
++extern int rsbac_log(int, char *, int);
++
++#define RSBAC_LOG_MAXREADBUF (rsbac_min(8192,RSBAC_MAX_KMALLOC))
++
++struct rsbac_log_list_item_t {
++	struct rsbac_log_list_item_t *next;
++	u16 size;
++	char buffer[0];
++};
++
++struct rsbac_log_list_head_t {
++	struct rsbac_log_list_item_t *head;
++	struct rsbac_log_list_item_t *tail;
++	u_int count;
++	u_long lost;
++};
++#if defined(CONFIG_RSBAC_LOG_REMOTE)
++extern rsbac_pid_t rsbaclogd_pid;
++#endif
++#endif
++
++#ifdef CONFIG_RSBAC_NET
++extern int rsbac_debug_ds_net;
++extern int rsbac_debug_aef_net;
++extern int rsbac_debug_adf_net;
++#endif
++
++extern void wakeup_rsbacd(u_long dummy);
++
++/* switch log level for request */
++void  rsbac_adf_log_switch(rsbac_adf_request_int_t request,
++                           enum rsbac_target_t target,
++                           rsbac_enum_t value);
++
++int rsbac_get_adf_log(rsbac_adf_request_int_t request,
++                      enum rsbac_target_t target,
++                      u_int * value_p);
++
++#ifdef CONFIG_RSBAC_DEBUG
++#if defined(CONFIG_RSBAC_AUTO_WRITE) && (CONFIG_RSBAC_AUTO_WRITE > 0)
++extern int rsbac_debug_auto;
++#endif /* CONFIG_RSBAC_AUTO_WRITE > 0 */
++
++#if defined(CONFIG_RSBAC_MAC)
++extern int rsbac_debug_ds_mac;
++extern int rsbac_debug_aef_mac;
++extern int rsbac_debug_adf_mac;
++#endif
++
++#if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT)
++extern int rsbac_debug_ds_pm;
++extern int rsbac_debug_aef_pm;
++extern int rsbac_debug_adf_pm;
++#endif
++
++#if defined(CONFIG_RSBAC_DAZ) || defined(CONFIG_RSBAC_DAZ_MAINT)
++extern int rsbac_debug_adf_daz;
++#endif
++
++#if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
++extern int rsbac_debug_ds_rc;
++extern int rsbac_debug_aef_rc;
++extern int rsbac_debug_adf_rc;
++#endif
++
++#if defined(CONFIG_RSBAC_AUTH) || defined(CONFIG_RSBAC_AUTH_MAINT)
++extern int rsbac_debug_ds_auth;
++extern int rsbac_debug_aef_auth;
++extern int rsbac_debug_adf_auth;
++#endif
++
++#if defined(CONFIG_RSBAC_REG) || defined(CONFIG_RSBAC_REG_MAINT)
++extern int rsbac_debug_reg;
++#endif
++
++#if defined(CONFIG_RSBAC_ACL) || defined(CONFIG_RSBAC_ACL_MAINT)
++extern int rsbac_debug_ds_acl;
++extern int rsbac_debug_aef_acl;
++extern int rsbac_debug_adf_acl;
++#endif
++
++#if defined(CONFIG_RSBAC_JAIL)
++extern int rsbac_debug_aef_jail;
++extern int rsbac_debug_adf_jail;
++#endif
++
++#if defined(CONFIG_RSBAC_PAX)
++extern int rsbac_debug_adf_pax;
++#endif
++
++#if defined(CONFIG_RSBAC_UM)
++extern int rsbac_debug_ds_um;
++extern int rsbac_debug_aef_um;
++extern int rsbac_debug_adf_um;
++#endif
++
++#endif /* DEBUG */
++
++#if defined(CONFIG_RSBAC_UM_EXCL)
++extern int rsbac_um_no_excl;
++#endif
++
++#if defined(CONFIG_RSBAC_AUTH) || defined(CONFIG_RSBAC_AUTH_MAINT)
++extern int rsbac_auth_enable_login;
++#if defined(CONFIG_RSBAC_AUTH_LEARN)
++extern int rsbac_auth_learn;
++#define RSBAC_AUTH_LEARN_TA_NAME "AUTH-learn"
++#endif
++#endif
++
++#if defined(CONFIG_RSBAC_RC_LEARN)
++extern int rsbac_rc_learn;
++#define RSBAC_RC_LEARN_TA_NAME "RC-learn"
++#endif
++
++#if defined(CONFIG_RSBAC_CAP_LEARN)
++extern int rsbac_cap_learn;
++#define RSBAC_CAP_LEARN_TA_NAME "CAP-learn"
++#endif
++
++#if defined(CONFIG_RSBAC_ACL_LEARN)
++extern int rsbac_acl_learn_fd;
++#define RSBAC_ACL_LEARN_TA_NAME "ACL-FD-learn"
++#endif
++
++#endif
+diff --git a/include/rsbac/error.h b/include/rsbac/error.h
+new file mode 100644
+index 0000000..33fa1da
+--- /dev/null
++++ b/include/rsbac/error.h
+@@ -0,0 +1,66 @@
++/************************************* */
++/* Rule Set Based Access Control       */
++/* Author and (c) 1999-2008: Amon Ott  */
++/* Helper functions for all parts      */
++/* Last modified: 03/Mar/2008          */
++/************************************* */
++
++#ifndef __RSBAC_ERROR_H
++#define __RSBAC_ERROR_H
++
++#ifdef __KERNEL__
++#include <linux/errno.h>
++#else
++#include <errno.h>
++#endif
++
++/* Error values             */
++
++#define RSBAC_EPERM               1001
++#define RSBAC_EACCESS             1002
++#define RSBAC_EREADFAILED         1003
++#define RSBAC_EWRITEFAILED        1004
++#define RSBAC_EINVALIDPOINTER     1005
++#define RSBAC_ENOROOTDIR          1006
++#define RSBAC_EPATHTOOLONG        1007
++#define RSBAC_ENOROOTDEV          1008
++#define RSBAC_ENOTFOUND           1009
++#define RSBAC_ENOTINITIALIZED     1010
++#define RSBAC_EREINIT             1011
++#define RSBAC_ECOULDNOTADDDEVICE  1012
++#define RSBAC_ECOULDNOTADDITEM    1013
++#define RSBAC_ECOULDNOTCREATEPATH 1014
++#define RSBAC_EINVALIDATTR        1015
++#define RSBAC_EINVALIDDEV         1016
++#define RSBAC_EINVALIDTARGET      1017
++#define RSBAC_EINVALIDVALUE       1018
++#define RSBAC_EEXISTS             1019
++#define RSBAC_EINTERNONLY         1020
++#define RSBAC_EINVALIDREQUEST     1021
++#define RSBAC_ENOTWRITABLE        1022
++#define RSBAC_EMALWAREDETECTED    1023
++#define RSBAC_ENOMEM              1024
++#define RSBAC_EDECISIONMISMATCH   1025
++#define RSBAC_EINVALIDVERSION     1026
++#define RSBAC_EINVALIDMODULE      1027
++#define RSBAC_EEXPIRED            1028
++#define RSBAC_EMUSTCHANGE         1029
++#define RSBAC_EBUSY               1030
++#define RSBAC_EINVALIDTRANSACTION 1031
++#define RSBAC_EWEAKPASSWORD       1032
++#define RSBAC_EINVALIDLIST        1033
++#define RSBAC_EFROMINTERRUPT      1034
++
++#define RSBAC_EMAX 1034
++
++#define RSBAC_ERROR( res ) ((res <= -RSBAC_EPERM) && (res >= -RSBAC_EMAX))
++
++#ifndef __KERNEL__
++/* exit on error */
++void error_exit(int error);
++
++/* show error */
++void show_error(int error);
++#endif
++
++#endif
+diff --git a/include/rsbac/fs.h b/include/rsbac/fs.h
+new file mode 100644
+index 0000000..7855a4f
+--- /dev/null
++++ b/include/rsbac/fs.h
+@@ -0,0 +1,68 @@
++/************************************* */
++/* Rule Set Based Access Control       */
++/* Author and (c) 1999-2009: Amon Ott  */
++/* File system                         */
++/* helper functions for all parts      */
++/* Last modified: 15/Oct/2009          */
++/************************************* */
++
++#ifndef __RSBAC_FS_H
++#define __RSBAC_FS_H
++
++#include <linux/fs.h>
++#include <linux/major.h>
++#include <linux/root_dev.h>
++#include <linux/sched.h>
++
++/* original lookup_dentry function without rsbac patch for adf call */
++
++struct dentry * rsbac_lookup_hash(struct qstr *name, struct dentry * base);
++struct dentry * rsbac_lookup_one_len(const char * name, struct dentry * base, int len);
++
++#ifndef SOCKFS_MAGIC
++#define SOCKFS_MAGIC 0x534F434B
++#endif
++
++#ifndef SYSFS_MAGIC
++#define SYSFS_MAGIC 0x62656572
++#endif
++
++#ifndef OCFS2_SUPER_MAGIC
++#define OCFS2_SUPER_MAGIC 0x7461636f
++#endif
++
++struct vfsmount * rsbac_get_vfsmount(kdev_t kdev);
++
++extern void __fput(struct file *);
++
++#ifndef SHM_FS_MAGIC
++#define SHM_FS_MAGIC 0x02011994
++#endif
++
++static inline int init_private_file(struct file *filp, struct dentry *dentry, int mode)
++{
++	memset(filp, 0, sizeof(*filp));
++	filp->f_mode   = mode;
++	atomic_long_set(&filp->f_count, 1);
++	filp->f_dentry = dentry;
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,29)
++	filp->f_cred = current_cred();
++#else
++	filp->f_uid    = current->fsuid;
++	filp->f_gid    = current->fsgid;
++#endif
++	filp->f_op     = dentry->d_inode->i_fop;
++	filp->f_mapping     = dentry->d_inode->i_mapping;
++	file_ra_state_init(&filp->f_ra, filp->f_mapping);
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,25)
++/* TODO	file->f_path.mnt = 
++ * fil me when switch to full 2.6 (need vfsmount passed over)
++ */
++#endif
++	if (filp->f_op->open)
++		return filp->f_op->open(dentry->d_inode, filp);
++	else
++		return 0;
++}
++
++#endif
+diff --git a/include/rsbac/gen_lists.h b/include/rsbac/gen_lists.h
+new file mode 100644
+index 0000000..0a882ae
+--- /dev/null
++++ b/include/rsbac/gen_lists.h
+@@ -0,0 +1,294 @@
++/*************************************************** */
++/* Rule Set Based Access Control                     */
++/* Author and (c) 1999-2010: Amon Ott <ao@...> */
++/* Generic lists - internal structures               */
++/* Last modified: 01/Jul/2010                        */
++/*************************************************** */
++
++#ifndef __RSBAC_GEN_LISTS_H
++#define __RSBAC_GEN_LISTS_H
++
++#include <linux/init.h>
++#include <rsbac/rkmem.h>
++#include <rsbac/lists.h>
++#include <rsbac/repl_lists.h>
++
++/* Sanity limit of list size, regardless of RSBAC_LIST_MAX_NR_ITEMS in lists.h */
++#define RSBAC_LIST_MAX_NR_ITEMS_LIMIT 1000000
++
++#define RSBAC_LIST_DISK_VERSION 10003
++#define RSBAC_LIST_DISK_OLD_VERSION 10002
++#define RSBAC_LIST_NONAME "(no name)"
++#define RSBAC_LIST_PROC_NAME "gen_lists"
++#define RSBAC_LIST_COUNTS_PROC_NAME "gen_lists_counts"
++
++#define RSBAC_LIST_TA_KEY 0xface99
++
++#define RSBAC_LIST_MAX_OLD_HASH 32
++#define RSBAC_LIST_LOL_MAX_OLD_HASH 16
++
++/* If number of items per hashed list is bigger than this and flag
++   RSBAC_LIST_AUTO_HASH_RESIZE is set, rehash */
++#define RSBAC_LIST_AUTO_REHASH_TRIGGER 30
++
++/* Rehashing interval in s - rehashing is triggered by rsbacd, so might happen
++ * less frequently, if rsbacd wakes up later.
++ */
++#define RSBAC_LIST_REHASH_INTERVAL 60
++
++/* Check lists every n seconds. Also called from rsbacd, so might take longer. */
++
++//#define RSBAC_LIST_CHECK_INTERVAL 1800
++
++/* Prototypes */
++
++/* Init */
++#ifdef CONFIG_RSBAC_INIT_DELAY
++int rsbac_list_init(void);
++#else
++int __init rsbac_list_init(void);
++#endif
++
++/* Status checking */
++int rsbac_check_lists(int correct);
++
++#if defined(CONFIG_RSBAC_AUTO_WRITE)
++int rsbac_write_lists(void);
++#endif
++
++/* Data Structures */
++
++/* All items will be organized in double linked lists
++ * However, we do not know the descriptor or item sizes, so we will access them
++   with offsets later and only define the list links here.
++ */
++
++struct rsbac_list_item_t {
++	struct rsbac_list_item_t *prev;
++	struct rsbac_list_item_t *next;
++	rsbac_time_t max_age;
++};
++
++/* lists of lists ds */
++struct rsbac_list_lol_item_t {
++	struct rsbac_list_lol_item_t *prev;
++	struct rsbac_list_lol_item_t *next;
++	struct rsbac_list_item_t *head;
++	struct rsbac_list_item_t *tail;
++	struct rsbac_list_item_t *curr;
++	u_long count;
++	rsbac_time_t max_age;
++};
++
++typedef __u32 rsbac_list_count_t;
++
++struct rsbac_list_hashed_t {
++	struct rsbac_list_item_t *head;
++	struct rsbac_list_item_t *tail;
++	struct rsbac_list_item_t *curr;
++	rsbac_list_count_t count;
++#ifdef CONFIG_RSBAC_LIST_TRANS
++	rsbac_ta_number_t ta_copied;
++	struct rsbac_list_item_t *ta_head;
++	struct rsbac_list_item_t *ta_tail;
++	struct rsbac_list_item_t *ta_curr;
++	rsbac_list_count_t ta_count;
++#endif
++};
++
++struct rsbac_list_lol_hashed_t {
++	struct rsbac_list_lol_item_t *head;
++	struct rsbac_list_lol_item_t *tail;
++	struct rsbac_list_lol_item_t *curr;
++	rsbac_list_count_t count;
++#ifdef CONFIG_RSBAC_LIST_TRANS
++	rsbac_ta_number_t ta_copied;
++	struct rsbac_list_lol_item_t *ta_head;
++	struct rsbac_list_lol_item_t *ta_tail;
++	struct rsbac_list_lol_item_t *ta_curr;
++	rsbac_list_count_t ta_count;
++#endif
++};
++
++/* Since all registrations will be organized in double linked lists, we must
++ * have list items and a list head.
++ * The pointer to this item will also be used as list handle. */
++
++struct rsbac_list_reg_item_t {
++	struct rsbac_list_info_t info;
++	u_int flags;
++	rsbac_list_compare_function_t *compare;
++	rsbac_list_get_conv_t *get_conv;
++	void *def_data;
++	char name[RSBAC_LIST_MAX_FILENAME + 1];
++	kdev_t device;
++	spinlock_t lock;
++	struct rsbac_list_rcu_free_head_t * rcu_free;
++	rsbac_boolean_t dirty;
++	rsbac_boolean_t no_write;
++	struct rsbac_nanotime_t lastchange;
++#ifdef CONFIG_RSBAC_LIST_STATS
++	__u64 read_count;
++	__u64 write_count;
++#endif
++	u_int nr_hashes;
++	u_int max_items_per_hash;
++	rsbac_list_hash_function_t * hash_function;
++	char old_name_base[RSBAC_LIST_MAX_FILENAME + 1];
++	struct kmem_cache * slab;
++	char * slabname;
++#if defined(CONFIG_RSBAC_PROC) && defined(CONFIG_PROC_FS)
++	struct proc_dir_entry *proc_entry_p;
++#endif
++	struct rsbac_list_reg_item_t *prev;
++	struct rsbac_list_reg_item_t *next;
++	struct rsbac_list_reg_item_t *self;
++	/* The hashed list heads are allocated dynamically! */
++	struct rsbac_list_hashed_t * hashed;
++};
++
++struct rsbac_list_lol_reg_item_t {
++	struct rsbac_list_lol_info_t info;
++	u_int flags;
++	rsbac_list_compare_function_t *compare;
++	rsbac_list_compare_function_t *subcompare;
++	rsbac_list_get_conv_t *get_conv;
++	rsbac_list_get_conv_t *get_subconv;
++	void *def_data;
++	void *def_subdata;
++	char name[RSBAC_LIST_MAX_FILENAME + 1];
++	kdev_t device;
++	spinlock_t lock;
++	struct rsbac_list_rcu_free_head_lol_t * rcu_free;
++	rsbac_boolean_t dirty;
++	rsbac_boolean_t no_write;
++	struct rsbac_nanotime_t lastchange;
++#ifdef CONFIG_RSBAC_LIST_STATS
++	__u64 read_count;
++	__u64 write_count;
++#endif
++	u_int nr_hashes;
++	u_int max_items_per_hash;
++	u_int max_subitems;
++	rsbac_list_hash_function_t * hash_function;
++	char old_name_base[RSBAC_LIST_MAX_FILENAME + 1];
++	struct kmem_cache * slab;
++	char * slabname;
++	struct kmem_cache * subslab;
++	char * subslabname;
++#if defined(CONFIG_RSBAC_PROC) && defined(CONFIG_PROC_FS)
++	struct proc_dir_entry *proc_entry_p;
++#endif
++	struct rsbac_list_lol_reg_item_t *prev;
++	struct rsbac_list_lol_reg_item_t *next;
++	struct rsbac_list_lol_reg_item_t *self;
++	/* The hashed list heads are allocated dynamically! */
++	struct rsbac_list_lol_hashed_t * hashed;
++};
++
++/* To provide consistency we use spinlocks for all list accesses. The
++   'curr' entry is used to avoid repeated lookups for the same item. */
++
++struct rsbac_list_reg_head_t {
++	struct rsbac_list_reg_item_t *head;
++	struct rsbac_list_reg_item_t *tail;
++	struct rsbac_list_reg_item_t *curr;
++	spinlock_t lock;
++	struct lock_class_key lock_class;
++	u_int count;
++};
++
++struct rsbac_list_lol_reg_head_t {
++	struct rsbac_list_lol_reg_item_t *head;
++	struct rsbac_list_lol_reg_item_t *tail;
++	struct rsbac_list_lol_reg_item_t *curr;
++	spinlock_t lock;
++	struct lock_class_key lock_class;
++	u_int count;
++};
++
++/* Internal helper list of filled write buffers */
++
++struct rsbac_list_buffer_t {
++	struct rsbac_list_buffer_t * next;
++	u_int len;
++	char data[0];
++};
++
++#define RSBAC_LIST_BUFFER_SIZE 8192
++#define RSBAC_LIST_BUFFER_DATA_SIZE (RSBAC_LIST_BUFFER_SIZE - sizeof(struct rsbac_list_buffer_t))
++
++struct rsbac_list_write_item_t {
++	struct rsbac_list_write_item_t *prev;
++	struct rsbac_list_write_item_t *next;
++	struct rsbac_list_reg_item_t *list;
++	struct rsbac_list_buffer_t *buffer;
++	char name[RSBAC_LIST_MAX_FILENAME + 1];
++	kdev_t device;
++};
++
++struct rsbac_list_write_head_t {
++	struct rsbac_list_write_item_t *head;
++	struct rsbac_list_write_item_t *tail;
++	u_int count;
++};
++
++struct rsbac_list_lol_write_item_t {
++	struct rsbac_list_lol_write_item_t *prev;
++	struct rsbac_list_lol_write_item_t *next;
++	struct rsbac_list_lol_reg_item_t *list;
++	struct rsbac_list_buffer_t *buffer;
++	char name[RSBAC_LIST_MAX_FILENAME + 1];
++	kdev_t device;
++};
++
++struct rsbac_list_lol_write_head_t {
++	struct rsbac_list_lol_write_item_t *head;
++	struct rsbac_list_lol_write_item_t *tail;
++	u_int count;
++};
++
++
++/* Data structs for file timeout book keeping list filelist */
++struct rsbac_list_filelist_desc_t {
++	char filename[RSBAC_LIST_MAX_FILENAME + 1];
++};
++
++struct rsbac_list_filelist_data_t {
++	rsbac_time_t timestamp;
++	rsbac_time_t max_age;
++};
++
++struct rsbac_list_ta_data_t {
++	rsbac_time_t start;
++	rsbac_time_t timeout;
++	rsbac_uid_t commit_uid;
++	char name[RSBAC_LIST_TA_MAX_NAMELEN];
++	char password[RSBAC_LIST_TA_MAX_PASSLEN];
++};
++
++struct rsbac_list_rcu_free_head_t {
++	/* rcu _must_ stay first */
++	struct rcu_head rcu;
++	struct kmem_cache * slab;
++	struct rsbac_list_rcu_free_item_t * head;
++	struct rsbac_list_item_t * item_chain;
++};
++
++struct rsbac_list_rcu_free_head_lol_t {
++	/* rcu _must_ stay first */
++	struct rcu_head rcu;
++	struct kmem_cache * slab;
++	struct kmem_cache * subslab;
++	struct rsbac_list_rcu_free_item_t * head;
++	struct rsbac_list_rcu_free_item_t * subhead;
++	struct rsbac_list_lol_item_t * lol_item_chain;
++	struct rsbac_list_item_t * lol_item_subchain;
++};
++
++struct rsbac_list_rcu_free_item_t {
++	struct rsbac_list_rcu_free_item_t * next;
++	void * mem;
++};
++
++#endif
+diff --git a/include/rsbac/getname.h b/include/rsbac/getname.h
+new file mode 100644
+index 0000000..1a1d577
+--- /dev/null
++++ b/include/rsbac/getname.h
+@@ -0,0 +1,101 @@
++/******************************** */
++/* Rule Set Based Access Control  */
++/* Author and (c) 1999-2007:      */
++/* Amon Ott <ao@...>        */
++/* Getname functions for all parts*/
++/* Last modified: 17/Sep/2007     */
++/******************************** */
++
++#ifndef __RSBAC_GETNAME_H
++#define __RSBAC_GETNAME_H
++
++#include <rsbac/types.h>
++#ifdef CONFIG_RSBAC_XSTATS
++#include <rsbac/syscalls.h>
++#endif
++
++#if defined(__KERNEL__) && defined(CONFIG_RSBAC_LOG_FULL_PATH)
++#include <linux/fs.h>
++#if (CONFIG_RSBAC_MAX_PATH_LEN > 2000)
++#undef CONFIG_RSBAC_MAX_PATH_LEN
++#define CONFIG_RSBAC_MAX_PATH_LEN 2000
++#endif
++#if (CONFIG_RSBAC_MAX_PATH_LEN < RSBAC_MAXNAMELEN)
++#undef CONFIG_RSBAC_MAX_PATH_LEN
++#define CONFIG_RSBAC_MAX_PATH_LEN RSBAC_MAXNAMELEN
++#endif
++#endif
++
++extern char * get_request_name(char * , enum rsbac_adf_request_t);
++
++extern enum rsbac_adf_request_t get_request_nr(const char *);
++
++extern char * get_result_name(char * , enum rsbac_adf_req_ret_t);
++
++extern enum rsbac_adf_req_ret_t get_result_nr(const char *);
++
++extern enum rsbac_switch_target_t get_attr_module(enum rsbac_attribute_t attr);
++
++extern char * get_attribute_name(char * , enum rsbac_attribute_t);
++
++extern char * get_attribute_value_name(     char *            attr_val_name,
++                                       enum rsbac_attribute_t attr,
++                                       union rsbac_attribute_value_t * attr_val_p);
++
++extern enum rsbac_attribute_t get_attribute_nr(const char *);
++
++extern char * get_target_name(char * , enum  rsbac_target_t,
++                              char * , union rsbac_target_id_t);
++
++extern char * get_target_name_only(char * target_type_name,
++                                   enum   rsbac_target_t target);
++
++extern enum rsbac_target_t get_target_nr(const char *);
++
++extern char * get_ipc_target_name(char *,
++                                  enum rsbac_ipc_type_t);
++
++extern enum rsbac_ipc_type_t get_ipc_target_nr(const char *);
++
++extern char * get_scd_type_name(char *,
++                                enum rsbac_scd_type_t);
++
++extern enum rsbac_scd_type_t get_scd_type_nr(const char *);
++
++extern char * get_switch_target_name(char *,
++                                     enum rsbac_switch_target_t);
++
++extern enum rsbac_switch_target_t get_switch_target_nr(const char *);
++
++extern char * get_error_name(char *,
++                             int);
++
++#ifndef __KERNEL__
++extern char * get_attribute_param(char * , enum rsbac_attribute_t);
++#endif
++
++extern char * get_log_level_name(char *,
++                                  enum rsbac_log_level_t);
++
++extern enum rsbac_log_level_t get_log_level_nr(const char *);
++
++#ifdef __KERNEL__
++int rsbac_lookup_full_path(struct dentry * dentry_p, char path[], int maxlen, int pseudonymize);
++
++static inline int rsbac_get_full_path(struct dentry * dentry_p, char path[], int maxlen)
++{
++  return rsbac_lookup_full_path(dentry_p, path, maxlen, 1);
++}
++#endif
++
++char * get_cap_name(char * name,
++                    u_int value);
++
++int get_cap_nr(const char * name);
++
++#ifdef CONFIG_RSBAC_XSTATS
++char *get_syscall_name(char *syscall_name,
++                       enum rsbac_syscall_t syscall);
++#endif
++
++#endif
+diff --git a/include/rsbac/helpers.h b/include/rsbac/helpers.h
+new file mode 100644
+index 0000000..b8b31af
+--- /dev/null
++++ b/include/rsbac/helpers.h
+@@ -0,0 +1,157 @@
++/************************************* */
++/* Rule Set Based Access Control       */
++/* Author and (c) 1999-2012: Amon Ott  */
++/* Helper functions for all parts      */
++/* Last modified:  07/May/2012         */
++/************************************* */
++
++#ifndef __RSBAC_HELPER_H
++#define __RSBAC_HELPER_H
++
++#include <linux/types.h>
++#include <rsbac/types.h>
++#ifdef __KERNEL__
++#include <rsbac/rkmem.h>
++#endif
++
++char * inttostr(char[], int);
++
++char * ulongtostr(char[], u_long);
++
++/* convert u_long_long to binary string representation for MAC module */
++char * u64tostrmac(char[], __u64);
++
++char * u32tostrcap(char * str, __u32 i);
++__u32 strtou32cap(char * str, __u32 * i_p);
++
++int rsbac_get_vset_num(char * sourcename, rsbac_um_set_t * vset_p);
++
++#ifndef __KERNEL__
++void locale_init(void);
++
++int rsbac_lib_version(void);
++int rsbac_u32_compare(__u32 * a, __u32 * b);
++int rsbac_u32_void_compare(const void *a, const void *b);
++
++int rsbac_user_compare(const void * a, const void * b);
++int rsbac_group_compare(const void * a, const void * b);
++int rsbac_nettemp_id_compare(const void * a, const void * b);
++
++int rsbac_dev_compare(const void * desc1,
++                      const void * desc2);
++
++char * get_user_name(rsbac_uid_t user, char * name);
++
++char * get_group_name(rsbac_gid_t group, char * name);
++
++int rsbac_get_uid_name(rsbac_uid_t * uid, char * name, char * sourcename);
++
++int rsbac_get_fullname(char * fullname, rsbac_uid_t uid);
++
++static inline int rsbac_get_uid(rsbac_uid_t * uid, char * sourcename)
++  {
++    return rsbac_get_uid_name(uid, NULL, sourcename);
++  }
++
++int rsbac_get_gid_name(rsbac_gid_t * gid, char * name, char * sourcename);
++
++static inline int rsbac_get_gid(rsbac_gid_t * gid, char * sourcename)
++  {
++    return rsbac_get_gid_name(gid, NULL, sourcename);
++  }
++
++/* covert u_long_long to binary string representation for log array */
++char * u64tostrlog(char[], __u64);
++/* and back */
++__u64 strtou64log(char[], __u64 *);
++
++/* convert u_long_long to binary string representation for MAC module */
++/* and back */
++__u64 strtou64mac(char[], __u64 *);
++
++/* covert u_long_long to binary string representation for RC module */
++char * u64tostrrc(char[], __u64);
++/* and back */
++__u64 strtou64rc(char[], __u64 *);
++
++/* covert u_long_long to binary string representation for RC module / rights */
++char * u64tostrrcr(char[], __u64);
++/* and back */
++__u64 strtou64rcr(char[], __u64 *);
++
++/* ACL back */
++__u64 strtou64acl(char[], __u64 *);
++
++char * devdesctostr(char * str, struct rsbac_dev_desc_t dev);
++
++int strtodevdesc(char * str, struct rsbac_dev_desc_t * dev_p);
++#endif
++
++/* covert u_long_long to binary string representation for ACL module */
++char * u64tostracl(char[], __u64);
++
++char * longtostr(char[], long);
++
++#ifdef __KERNEL__
++#include <asm/uaccess.h>
++
++#ifdef CONFIG_RSBAC_UM_VIRTUAL
++rsbac_um_set_t rsbac_get_vset(void);
++#else
++static inline rsbac_um_set_t rsbac_get_vset(void)
++  {
++    return 0;
++  }
++#endif
++
++int rsbac_get_owner(rsbac_uid_t * user_p);
++
++static inline int rsbac_get_user(void * kern_p, void __user * user_p, int size)
++  {
++    if(kern_p && user_p && (size > 0))
++      {
++        return copy_from_user(kern_p, user_p, size);
++      }
++    return 0;
++  }
++
++
++static inline int rsbac_put_user(void * kern_p, void __user * user_p, int size)
++  {
++    if(kern_p && user_p && (size > 0))
++      {
++        return copy_to_user(user_p,kern_p,size);
++      }
++    return 0;
++  }
++
++static inline char * rsbac_getname(const char * name)
++  {
++    return getname(name);
++  }
++
++static inline void rsbac_putname(const char * name)
++  {
++    putname(name);
++  }
++
++static inline int clear_user_buf(char * ubuf, int len)
++  {
++    return clear_user(ubuf,len);
++  }
++
++void rsbac_get_attr_error(char * , enum rsbac_adf_request_t);
++
++void rsbac_ds_get_error(const char * function, enum rsbac_attribute_t attr);
++void rsbac_ds_get_error_num(const char * function, enum rsbac_attribute_t attr, int err);
++void rsbac_ds_set_error(const char * function, enum rsbac_attribute_t attr);
++void rsbac_ds_set_error_num(const char * function, enum rsbac_attribute_t attr, int err);
++
++#ifdef CONFIG_RSBAC_RC
++void rsbac_rc_ds_get_error(const char * function, enum rsbac_rc_item_t item);
++void rsbac_rc_ds_set_error(const char * function, enum rsbac_rc_item_t item);
++#endif
++
++#endif /* KERNEL */
++
++#endif
+diff --git a/include/rsbac/hooks.h b/include/rsbac/hooks.h
+new file mode 100644
+index 0000000..10cd794
+--- /dev/null
++++ b/include/rsbac/hooks.h
+@@ -0,0 +1,24 @@
++/******************************* */
++/* Rule Set Based Access Control */
++/* Author and (c) 1999-2006:     */
++/*   Amon Ott <ao@...>     */
++/* Common include file set       */
++/* Last modified: 31/Mar/2006    */
++/******************************* */
++
++#ifndef __RSBAC_HOOKS_H
++#define __RSBAC_HOOKS_H
++
++#ifdef CONFIG_RSBAC
++#include <rsbac/adf.h>
++#include <rsbac/aci.h>
++#include <rsbac/helpers.h>
++#include <rsbac/fs.h>
++#include <rsbac/debug.h>
++//#include <rsbac/aci_data_structures.h>
++//#include <rsbac/adf_main.h>
++#else
++#define rsbac_kthreads_init() do {} while(0)
++#endif
++
++#endif
+diff --git a/include/rsbac/jail.h b/include/rsbac/jail.h
+new file mode 100644
+index 0000000..73d321b
+--- /dev/null
++++ b/include/rsbac/jail.h
+@@ -0,0 +1,16 @@
++/************************************ */
++/* Rule Set Based Access Control      */
++/* Author and (c) 1999-2007:          */
++/*   Amon Ott <ao@...>          */
++/* Global definitions for JAIL module */
++/* Last modified: 29/Jan/2007         */
++/************************************ */
++
++#ifndef __RSBAC_JAIL_H
++#define __RSBAC_JAIL_H
++
++extern rsbac_jail_id_t rsbac_jail_syslog_jail_id;
++
++rsbac_boolean_t rsbac_jail_exists(rsbac_jail_id_t jail_id);
++
++#endif
+diff --git a/include/rsbac/jail_getname.h b/include/rsbac/jail_getname.h
+new file mode 100644
+index 0000000..01a301f
+--- /dev/null
++++ b/include/rsbac/jail_getname.h
+@@ -0,0 +1,14 @@
++/********************************** */
++/* Rule Set Based Access Control    */
++/* Author and (c) 1999-2005:        */
++/*   Amon Ott <ao@...>        */
++/* Getname functions for JAIL module */
++/* Last modified: 27/May/2005       */
++/********************************** */
++
++#ifndef __RSBAC_JAIL_GETNAME_H
++#define __RSBAC_JAIL_GETNAME_H
++
++void rsbac_jail_log_missing_cap(int cap);
++
++#endif
+diff --git a/include/rsbac/lists.h b/include/rsbac/lists.h
+new file mode 100644
+index 0000000..a432481
+--- /dev/null
++++ b/include/rsbac/lists.h
+@@ -0,0 +1,909 @@
++/*************************************************** */
++/* Rule Set Based Access Control                     */
++/* Author and (c) 1999-2010: Amon Ott <ao@...> */
++/* Generic List Management                           */
++/* Last modified: 31/May/2010                        */
++/*************************************************** */
++
++/* Note: lol = list of lists, a two-level list structure */
++
++#ifndef __RSBAC_LISTS_H
++#define __RSBAC_LISTS_H
++
++#include <linux/init.h>
++#include <linux/vmalloc.h>
++//#include <rsbac/types.h>
++#include <rsbac/rkmem.h>
++
++#define RSBAC_LIST_VERSION 3
++
++typedef void *rsbac_list_handle_t;
++typedef __u32 rsbac_list_key_t;
++
++/* Maximum length for list (file)names */
++#define RSBAC_LIST_MAX_FILENAME 15
++
++/* Limit for max_age_in_seconds: ca. 10 years */
++#define RSBAC_LIST_MAX_AGE_LIMIT (3600 * 24 * 366 * 10)
++
++/* Maximum desc_size + data_size: 8K - some space for metadata */
++#define RSBAC_LIST_MAX_ITEM_SIZE (8192 - 64)
++
++#define RSBAC_LIST_MIN_MAX_HASHES 8
++
++/* standard hash functions */
++u_int rsbac_list_hash_u32(void * desc, __u32 nr_hashes);
++u_int rsbac_list_hash_fd(void * desc, __u32 nr_hashes);
++u_int rsbac_list_hash_pid(void * desc, __u32 nr_hashes);
++u_int rsbac_list_hash_uid(void * desc, __u32 nr_hashes);
++u_int rsbac_list_hash_gid(void * desc, __u32 nr_hashes);
++u_int rsbac_list_hash_ipc(void * desc, __u32 nr_hashes);
++u_int rsbac_list_hash_dev(void * desc, __u32 nr_hashes);
++u_int rsbac_list_hash_nettemp(void * desc, __u32 nr_hashes);
++u_int rsbac_list_hash_netobj(void * desc, __u32 nr_hashes);
++
++/****************************/
++/* List Registration Flags: */
++
++/* Make persistent, i.e., save to and restore from disk */
++#define RSBAC_LIST_PERSIST 1
++
++/* Ignore old list contents (still checks key, if list exists on disk) */
++#define RSBAC_LIST_IGNORE_OLD 2
++
++/* Ignore old list contents, if version upconversion is not supported
++ * (no get_conv, or get_conv returned NULL) - without this flag, registration fails, if
++ * list cannot be converted.
++ */
++#define RSBAC_LIST_IGNORE_UNSUPP_VERSION 4
++
++/* Temporarily disallow writing list to disk, e.g. for upgrade tests */
++#define RSBAC_LIST_NO_WRITE 8
++
++/* Provide a binary backup file as /proc/rsbac-info/backup/filename */
++#define RSBAC_LIST_BACKUP 16
++
++/* Use provided default data, return it for unexisting items and
++   automatically create and cleanup items with default data as necessary.
++   (only items with 0 ttl (unlimited) get removed)
++   (lol items with default data only get removed, if they have no subitems) */
++#define RSBAC_LIST_DEF_DATA 32
++
++/* Use provided default subitem data, return it for unexisting subitems and
++   automatically create and cleanup subitems with default data as necessary.
++   (only subitems with 0 ttl (unlimited) get removed) */
++#define RSBAC_LIST_DEF_SUBDATA 64
++
++/* Replicate list to replication partners.
++   Must be enabled in config. */
++#define RSBAC_LIST_REPLICATE 128
++
++/* Allow automatic online resizing of the list hashing table.
++   Requires that the provided hash function uses the nr_hashes parameter. */
++#define RSBAC_LIST_AUTO_HASH_RESIZE 256
++
++/* Disable limit of RSBAC_LIST_MAX_NR_ITEMS items per single list. */
++#define RSBAC_LIST_NO_MAX 512
++
++/* Disable warning if max_entries prevents adding of items */
++#define RSBAC_LIST_NO_MAX_WARN 1024
++
++/* Use own slab for this list */
++#define RSBAC_LIST_OWN_SLAB 2048
++
++/* Maximum number of items per single list, the total limit is at
++ * RSBAC_LIST_MAX_NR_ITEMS * nr_hashes.
++ * Limits can be disabled per list with RSBAC_LIST_NO_MAX flag and
++ * changed with rsbac_list_max_items() and rsbac_list_lol_max_items().
++ */
++
++#define RSBAC_LIST_MAX_NR_ITEMS 50000
++#define RSBAC_LIST_MAX_NR_SUBITEMS 50000
++
++/****************************/
++/* Function prototypes */
++
++/* Function to compare two descriptors, returns 0, if equal, a negative value,
++ * if desc1 < desc2 and a positive value, if desc1 > desc2 (like memcmp).
++ * Used for lookup and list optimization.
++ * Note: Non-0 values are only used for list optimization and do not necessarily
++ * imply a real order of values.
++ */
++typedef int rsbac_list_compare_function_t(void *desc1, void *desc2);
++
++int rsbac_list_compare_u32(void * desc1, void * desc2);
++
++/* Function to compare two datas, returns 0, if equal, and another value,
++ * if not.
++ * Used for lookup by data.
++ * Note: list optimization is based on descriptors, so data lookup is always
++ * linear search from first to last element in list order.
++ */
++typedef int rsbac_list_data_compare_function_t(void *data1, void *data2);
++
++/* Function to compare two descs with a parameter, returns TRUE,
++ * if item is selected, and FALSE, if not.
++ * Used for selected lists of descriptors.
++ */
++typedef int rsbac_list_desc_selector_function_t(void *desc, void * param);
++
++/* conversion function to upconvert old on-disk descs and datas to actual version */
++/* must return 0 on success or error otherwise */
++/* Attention: if old or new data_size is 0, the respective data pointer is NULL! */
++typedef int rsbac_list_conv_function_t(void *old_desc,
++				       void *old_data,
++				       void *new_desc, void *new_data);
++
++/* callback function to return an upconvert function for on-disk-version, if versions differ */
++/* Note: Lists implementation does not assume anything about your version number apart
++   from being of type rsbac_version_t. Use it as you like. */
++typedef rsbac_list_conv_function_t *rsbac_list_get_conv_t(rsbac_version_t
++							  old_version);
++
++/* hash function to return a hash for the descriptor in the range 0 to nr_hashes-1 */
++typedef u_int rsbac_list_hash_function_t(void * desc, __u32 nr_hashes);
++
++/* get generic list registration version */
++rsbac_version_t rsbac_list_version(void);
++
++
++/* List info: This struct will be written to disk */
++/*
++ * list_version: a simple __u32 version number for the list. If old on-disk version is
++   different, conversion is tried (depending on flags and get_conv function)
++ * key: secret __u32 key, which must be the same as in on-disk version, if persistent
++ * desc_size: size of the descriptor (error is returned, if list exists and value differs)
++              internally reset to sizeof(__u32) for u32 call variants
++ * data_size: size of data (error is returned, if list exists and value differs)
++              set to 0 for sets without data
++ * subdesc_size: size of the descriptor of the sublist (error is returned, if list exists
++              and value differs), internally reset to sizeof(__u32) for u32 call variants
++ * subdata_size: size of sublist data (error is returned, if list exists and value differs)
++              set to 0 for sets without data
++ * max_age: seconds until unchanged list file (no add or remove) will be purged.
++   Maximum value is RSBAC_LIST_MAX_AGE_LIMIT (s.a.), use 0 for unlimited lifetime.
++   (purging not yet implemented - only reused without key, please cleanup by hand)
++ */
++struct rsbac_list_info_t {
++	rsbac_version_t version;
++	rsbac_list_key_t key;
++	__u32 desc_size;
++	__u32 data_size;
++	rsbac_time_t max_age;
++};
++
++struct rsbac_list_lol_info_t {
++	rsbac_version_t version;
++	rsbac_list_key_t key;
++	__u32 desc_size;
++	__u32 data_size;
++	__u32 subdesc_size;
++	__u32 subdata_size;
++	rsbac_time_t max_age;
++};
++
++
++/* register a new list */
++/*
++ * If list with same name exists in memory, error -RSBAC_EEXISTS is returned.
++ * If list with same name and key exists on device, it is restored depending on
++   the flags.
++ * If list with same name, but different key exists on disk, access is denied
++   (error -EPERM).
++ *
++ * ds_version: for binary modules, must be RSBAC_LIST_VERSION. If version
++   differs, return error.
++ * handle_p: for all list accesses, an opaque handle is put into *handle_p.
++ * flags: see flag values
++ * compare: for lookup and list optimization, can be NULL, then
++   memcmp(desc1, desc2, desc_size) is used
++ * subcompare: for item lookup and optimization of sublist, can be NULL, then
++   memcmp(desc1, desc2, desc_size) is used
++ * get_conv: function to deliver conversion function for given version
++ * get_subconv: function to deliver sublist item conversion function for given
++   version
++ * def_data: default data value for flag RSBAC_LIST_DEF_DATA
++   (if NULL, flag is cleared)
++ * def_subdata: default subdata value for flag RSBAC_LIST_DEF_SUBDATA
++   (if NULL, flag is cleared)
++ * name: the on-disk name, should be distinct and max. 7 or 8.2 chars
++   (maxlen of RSBAC_LIST_MAX_FILENAME supported) (only used for statistics, if
++   non-persistent)
++ * device: the device to read list from or to save list to - use 0 for root dev
++   (ignored, if non-persistent)
++ * nr_hashes: Number of hashes for this list, maximum is RSBAC_LIST_MAX_HASHES,
++   which is derived from CONFIG_RSBAC_LIST_MAX_HASHES.
++   If > maximum, it will be reduced to maximum automatically.
++   8 <= RSBAC_LIST_MAX_HASHES <= 256 in all cases, see above.
++   Thus,  it is safe to use nr_hashes <= 8 without checks.
++   Value may vary between registrations.
++ * hash_function: Hash function for desc, must always return a value
++   from 0 to nr_hashes-1.
++ * old_base_name: If not NULL and persistent list with name cannot be read,
++   try to read all old_base_name<n> with n from 0 to 31.
++ */
++
++int rsbac_list_register_hashed(rsbac_version_t ds_version,
++			rsbac_list_handle_t * handle_p,
++			struct rsbac_list_info_t *info_p,
++			u_int flags,
++			rsbac_list_compare_function_t * compare,
++			rsbac_list_get_conv_t * get_conv,
++			void *def_data,
++			char *name, kdev_t device,
++			u_int nr_hashes,
++			rsbac_list_hash_function_t hash_function,
++			char * old_base_name);
++
++int rsbac_list_lol_register_hashed(rsbac_version_t ds_version,
++			rsbac_list_handle_t * handle_p,
++			struct rsbac_list_lol_info_t *info_p,
++			u_int flags,
++			rsbac_list_compare_function_t * compare,
++			rsbac_list_compare_function_t * subcompare,
++			rsbac_list_get_conv_t * get_conv,
++			rsbac_list_get_conv_t * get_subconv,
++			void *def_data,
++			void *def_subdata,
++			char *name, kdev_t device,
++			u_int nr_hashes,
++			rsbac_list_hash_function_t hash_function,
++			char * old_base_name);
++
++/* Old and simpler registration function, sets nr_hashes to 1,
++ * hash_function to NULL and old_base_name to NULL.
++ */
++
++int rsbac_list_register(rsbac_version_t ds_version,
++			rsbac_list_handle_t * handle_p,
++			struct rsbac_list_info_t *info_p,
++			u_int flags,
++			rsbac_list_compare_function_t * compare,
++			rsbac_list_get_conv_t * get_conv,
++			void *def_data, char *name, kdev_t device);
++
++int rsbac_list_lol_register(rsbac_version_t ds_version,
++			    rsbac_list_handle_t * handle_p,
++			    struct rsbac_list_lol_info_t *info_p,
++			    u_int flags,
++			    rsbac_list_compare_function_t * compare,
++			    rsbac_list_compare_function_t * subcompare,
++			    rsbac_list_get_conv_t * get_conv,
++			    rsbac_list_get_conv_t * get_subconv,
++			    void *def_data,
++			    void *def_subdata, char *name, kdev_t device);
++
++/* destroy list */
++/* list is destroyed, disk file is deleted */
++/* list must have been opened with register */
++int rsbac_list_destroy(rsbac_list_handle_t * handle_p,
++		       rsbac_list_key_t key);
++
++int rsbac_list_lol_destroy(rsbac_list_handle_t * handle_p,
++			   rsbac_list_key_t key);
++
++/* detach from list */
++/* list is saved (if persistent) and removed from memory. Call register for new access. */
++/* Must not be called with spinlock held. */
++
++int rsbac_list_detach(rsbac_list_handle_t * handle_p,
++		      rsbac_list_key_t key);
++
++int rsbac_list_lol_detach(rsbac_list_handle_t * handle_p,
++			  rsbac_list_key_t key);
++
++/* set list's no_write flag */
++/* TRUE: do not write to disk, FALSE: writing allowed */
++int rsbac_list_no_write
++    (rsbac_list_handle_t handle, rsbac_list_key_t key,
++     rsbac_boolean_t no_write);
++
++int rsbac_list_lol_no_write
++    (rsbac_list_handle_t handle, rsbac_list_key_t key,
++     rsbac_boolean_t no_write);
++
++/* Set max_items_per_hash */
++int rsbac_list_max_items(rsbac_list_handle_t handle, rsbac_list_key_t key,
++			u_int max_items);
++
++int rsbac_list_lol_max_items(rsbac_list_handle_t handle, rsbac_list_key_t key,
++			u_int max_items, u_int max_subitems);
++
++/* Single list checking, good for cleanup of items with ttl in the past. */
++/* This functionality is also included in the big rsbac_check(). */
++
++int rsbac_list_check(rsbac_list_handle_t handle, int correct);
++
++int rsbac_list_lol_check(rsbac_list_handle_t handle, int correct);
++
++/* Transaction Support */
++#ifdef CONFIG_RSBAC_LIST_TRANS
++int rsbac_list_ta_begin(rsbac_time_t ttl,
++			rsbac_list_ta_number_t * ta_number_p,
++			rsbac_uid_t commit_uid,
++			char * name, char *password);
++
++int rsbac_list_ta_refresh(rsbac_time_t ttl,
++			  rsbac_list_ta_number_t ta_number,
++			  char *password);
++
++int rsbac_list_ta_commit(rsbac_list_ta_number_t ta_number, char *password);
++
++int rsbac_list_ta_forget(rsbac_list_ta_number_t ta_number, char *password);
++
++/* Returns TRUE, if transaction ta_number exists, and FALSE, if not. */
++int rsbac_list_ta_exist(rsbac_list_ta_number_t ta_number);
++#endif
++
++/* add with time-to-live - after this time in seconds the item gets automatically removed */
++/* set to 0 for unlimited (default), RSBAC_LIST_TTL_KEEP to keep previous setting */
++int rsbac_ta_list_add_ttl(rsbac_list_ta_number_t ta_number,
++			  rsbac_list_handle_t handle,
++			  rsbac_time_t ttl, void *desc, void *data);
++
++static inline int rsbac_list_add_ttl(rsbac_list_handle_t handle,
++		       rsbac_time_t ttl, void *desc, void *data)
++{
++	return rsbac_ta_list_add_ttl(0, handle, ttl, desc, data);
++}
++
++static inline int rsbac_list_add(rsbac_list_handle_t handle, void *desc, void *data)
++{
++	return rsbac_ta_list_add_ttl(0, handle, RSBAC_LIST_TTL_KEEP, desc,
++				     data);
++}
++
++/* Add list of lists sublist item, item for desc must exist */
++int rsbac_ta_list_lol_subadd_ttl(rsbac_list_ta_number_t ta_number,
++				 rsbac_list_handle_t handle,
++				 rsbac_time_t ttl,
++				 void *desc, void *subdesc, void *subdata);
++
++static inline int rsbac_list_lol_subadd_ttl(rsbac_list_handle_t handle,
++			      rsbac_time_t ttl,
++			      void *desc, void *subdesc, void *subdata)
++{
++	return rsbac_ta_list_lol_subadd_ttl(0, handle, ttl, desc, subdesc,
++					    subdata);
++}
++
++static inline int rsbac_list_lol_subadd(rsbac_list_handle_t handle,
++			  void *desc, void *subdesc, void *subdata)
++{
++	return rsbac_ta_list_lol_subadd_ttl(0, handle, RSBAC_LIST_TTL_KEEP,
++					    desc, subdesc, subdata);
++}
++
++/* add with time-to-live - after this time in seconds the item gets automatically removed */
++int rsbac_ta_list_lol_add_ttl(rsbac_list_ta_number_t ta_number,
++			      rsbac_list_handle_t handle,
++			      rsbac_time_t ttl, void *desc, void *data);
++
++static inline int rsbac_list_lol_add_ttl(rsbac_list_handle_t handle,
++			   rsbac_time_t ttl, void *desc, void *data)
++{
++	return rsbac_ta_list_lol_add_ttl(0, handle, ttl, desc, data);
++}
++
++static inline int rsbac_list_lol_add(rsbac_list_handle_t handle, void *desc, void *data)
++{
++	return rsbac_ta_list_lol_add_ttl(0, handle, RSBAC_LIST_TTL_KEEP,
++					 desc, data);
++}
++
++/* remove item */
++int rsbac_ta_list_remove(rsbac_list_ta_number_t ta_number,
++			 rsbac_list_handle_t handle, void *desc);
++
++static inline int rsbac_list_remove(rsbac_list_handle_t handle, void *desc)
++{
++	return rsbac_ta_list_remove(0, handle, desc);
++}
++
++/* remove all items */
++int rsbac_ta_list_remove_all(rsbac_list_ta_number_t ta_number,
++			     rsbac_list_handle_t handle);
++
++static inline int rsbac_list_remove_all(rsbac_list_handle_t handle)
++{
++	return rsbac_ta_list_remove_all(0, handle);
++}
++
++/* remove item from sublist - also succeeds, if item for desc or subdesc does not exist */
++int rsbac_ta_list_lol_subremove(rsbac_list_ta_number_t ta_number,
++				rsbac_list_handle_t handle,
++				void *desc, void *subdesc);
++
++static inline int rsbac_list_lol_subremove(rsbac_list_handle_t handle,
++			     void *desc, void *subdesc)
++{
++	return rsbac_ta_list_lol_subremove(0, handle, desc, subdesc);
++}
++
++int rsbac_ta_list_lol_subremove_count(rsbac_list_ta_number_t ta_number,
++				      rsbac_list_handle_t handle,
++				      void *desc, u_long count);
++
++
++/* remove same subitem from all sublists */
++int rsbac_ta_list_lol_subremove_from_all(rsbac_list_ta_number_t ta_number,
++					 rsbac_list_handle_t handle,
++					 void *subdesc);
++
++static inline int rsbac_list_lol_subremove_from_all(rsbac_list_handle_t handle,
++				      void *subdesc)
++{
++	return rsbac_ta_list_lol_subremove_from_all(0, handle, subdesc);
++}
++
++/* remove all subitems from list */
++int rsbac_ta_list_lol_subremove_all(rsbac_list_ta_number_t ta_number,
++				    rsbac_list_handle_t handle,
++				    void *desc);
++
++static inline int rsbac_list_lol_subremove_all(rsbac_list_handle_t handle, void *desc)
++{
++	return rsbac_ta_list_lol_subremove_all(0, handle, desc);
++}
++
++int rsbac_ta_list_lol_remove(rsbac_list_ta_number_t ta_number,
++			     rsbac_list_handle_t handle, void *desc);
++
++static inline int rsbac_list_lol_remove(rsbac_list_handle_t handle, void *desc)
++{
++	return rsbac_ta_list_lol_remove(0, handle, desc);
++}
++
++int rsbac_ta_list_lol_remove_all(rsbac_list_ta_number_t ta_number,
++				 rsbac_list_handle_t handle);
++
++static inline int rsbac_list_lol_remove_all(rsbac_list_handle_t handle)
++{
++	return rsbac_ta_list_lol_remove_all(0, handle);
++}
++
++
++/* get item data */
++/* Item data is copied - we cannot give a pointer, because item could be
++ * removed */
++/* also get time-to-live - after this time in seconds the item gets automatically removed */
++/* both ttl_p and data can be NULL, they are then simply not returned */
++int rsbac_ta_list_get_data_ttl(rsbac_list_ta_number_t ta_number,
++			       rsbac_list_handle_t handle,
++			       rsbac_time_t * ttl_p,
++			       void *desc, void *data);
++
++static inline int rsbac_list_get_data_ttl(rsbac_list_handle_t handle,
++			    rsbac_time_t * ttl_p, void *desc, void *data)
++{
++	return rsbac_ta_list_get_data_ttl(0, handle, ttl_p, desc, data);
++}
++
++static inline int rsbac_list_get_data(rsbac_list_handle_t handle, void *desc, void *data)
++{
++	return rsbac_ta_list_get_data_ttl(0, handle, NULL, desc, data);
++}
++
++/* get data from a subitem */
++/* also get time-to-live - after this time in seconds the item gets automatically removed */
++/* both ttl_p and data can be NULL, they are then simply not returned */
++int rsbac_ta_list_lol_get_subdata_ttl(rsbac_list_ta_number_t ta_number,
++				      rsbac_list_handle_t handle,
++				      rsbac_time_t * ttl_p,
++				      void *desc,
++				      void *subdesc, void *subdata);
++
++static inline int rsbac_list_lol_get_subdata_ttl(rsbac_list_handle_t handle,
++				   rsbac_time_t * ttl_p,
++				   void *desc,
++				   void *subdesc, void *subdata)
++{
++	return rsbac_ta_list_lol_get_subdata_ttl(0, handle,
++						 ttl_p, desc, subdesc,
++						 subdata);
++}
++
++static inline int rsbac_list_lol_get_subdata(rsbac_list_handle_t handle,
++			       void *desc, void *subdesc, void *subdata)
++{
++	return rsbac_ta_list_lol_get_subdata_ttl(0, handle, NULL, desc,
++						 subdesc, subdata);
++}
++
++/* also get time-to-live - after this time in seconds the item gets automatically removed */
++/* both ttl_p and data can be NULL, they are then simply not returned */
++int rsbac_ta_list_lol_get_data_ttl(rsbac_list_ta_number_t ta_number,
++				   rsbac_list_handle_t handle,
++				   rsbac_time_t * ttl_p,
++				   void *desc, void *data);
++
++static inline int rsbac_list_lol_get_data_ttl(rsbac_list_handle_t handle,
++				rsbac_time_t * ttl_p,
++				void *desc, void *data)
++{
++	return rsbac_ta_list_lol_get_data_ttl(0, handle, ttl_p, desc,
++					      data);
++}
++
++static inline int rsbac_list_lol_get_data(rsbac_list_handle_t handle,
++			    void *desc, void *data)
++{
++	return rsbac_ta_list_lol_get_data_ttl(0, handle, NULL, desc, data);
++}
++
++/* get item desc by data */
++/* Item desc is copied - we cannot give a pointer, because item could be
++ * removed.
++ * If no compare function is provided (NULL value), memcmp is used.
++ * Note: The data value given here is always used as second parameter to the
++ *       compare function, so you can use different types for storage and
++ *       lookup.
++ */
++int rsbac_ta_list_get_desc(rsbac_list_ta_number_t ta_number,
++			   rsbac_list_handle_t handle,
++			   void *desc,
++			   void *data,
++			   rsbac_list_data_compare_function_t compare);
++
++static inline int rsbac_list_get_desc(rsbac_list_handle_t handle,
++			void *desc,
++			void *data,
++			rsbac_list_data_compare_function_t compare)
++{
++	return rsbac_ta_list_get_desc(0, handle, desc, data, compare);
++}
++
++int rsbac_ta_list_get_desc_selector(
++	rsbac_list_ta_number_t ta_number,
++	rsbac_list_handle_t handle,
++	void *desc,
++	void *data,
++	rsbac_list_data_compare_function_t compare,
++	rsbac_list_desc_selector_function_t selector,
++	void * param);
++
++int rsbac_ta_list_lol_get_desc(rsbac_list_ta_number_t ta_number,
++			       rsbac_list_handle_t handle,
++			       void *desc,
++			       void *data,
++			       rsbac_list_data_compare_function_t compare);
++
++static inline int rsbac_list_lol_get_desc(rsbac_list_handle_t handle,
++			    void *desc,
++			    void *data,
++			    rsbac_list_data_compare_function_t compare)
++{
++	return rsbac_ta_list_lol_get_desc(0, handle, desc, data, compare);
++}
++
++int rsbac_ta_list_lol_get_desc_selector(
++	rsbac_list_ta_number_t ta_number,
++	rsbac_list_handle_t handle,
++	void *desc,
++	void *data,
++	rsbac_list_data_compare_function_t compare,
++	rsbac_list_desc_selector_function_t selector,
++	void * param);
++
++/* get maximum desc (uses compare function) */
++int rsbac_ta_list_get_max_desc(rsbac_list_ta_number_t ta_number,
++			       rsbac_list_handle_t handle, void *desc);
++
++static inline int rsbac_list_get_max_desc(rsbac_list_handle_t handle, void *desc)
++{
++	return rsbac_ta_list_get_max_desc(0, handle, desc);
++}
++
++int rsbac_ta_list_lol_get_max_subdesc(rsbac_list_ta_number_t ta_number,
++				      rsbac_list_handle_t handle,
++				      void *desc, void *subdesc);
++
++/* get next desc (uses compare function) */
++int rsbac_ta_list_get_next_desc(rsbac_list_ta_number_t ta_number,
++				rsbac_list_handle_t handle,
++				void *old_desc, void *next_desc);
++
++static inline int rsbac_list_get_next_desc(rsbac_list_handle_t handle, void *old_desc,
++			     void *next_desc)
++{
++	return rsbac_ta_list_get_next_desc(0, handle, old_desc, next_desc);
++}
++
++int rsbac_ta_list_get_next_desc_selector(
++		rsbac_list_ta_number_t ta_number,
++		rsbac_list_handle_t handle,
++		void *old_desc,
++		void *next_desc,
++		rsbac_list_desc_selector_function_t selector,
++		void * param);
++
++int rsbac_ta_list_lol_get_next_desc(rsbac_list_ta_number_t ta_number,
++				    rsbac_list_handle_t handle,
++				    void *old_desc, void *next_desc);
++
++static inline int rsbac_list_lol_get_next_desc(rsbac_list_handle_t handle,
++				 void *old_desc, void *next_desc)
++{
++	return rsbac_ta_list_lol_get_next_desc(0, handle, old_desc,
++					       next_desc);
++}
++
++int rsbac_ta_list_lol_get_next_desc_selector(
++		rsbac_list_ta_number_t ta_number,
++		rsbac_list_handle_t handle,
++		void *old_desc,
++		void *next_desc,
++		rsbac_list_desc_selector_function_t selector,
++		void * param);
++
++/* does item exist? */
++/* returns TRUE, if item exists, FALSE, if not or error */
++int rsbac_ta_list_exist(rsbac_list_ta_number_t ta_number,
++			rsbac_list_handle_t handle, void *desc);
++
++static inline int rsbac_list_exist(rsbac_list_handle_t handle, void *desc)
++{
++	return rsbac_ta_list_exist(0, handle, desc);
++}
++
++int rsbac_ta_list_lol_subexist(rsbac_list_ta_number_t ta_number,
++			       rsbac_list_handle_t handle,
++			       void *desc, void *subdesc);
++
++static inline int rsbac_list_lol_subexist(rsbac_list_handle_t handle,
++			    void *desc, void *subdesc)
++{
++	return rsbac_ta_list_lol_subexist(0, handle, desc, subdesc);
++}
++
++int rsbac_ta_list_lol_exist(rsbac_list_ta_number_t ta_number,
++			    rsbac_list_handle_t handle, void *desc);
++
++static inline int rsbac_list_lol_exist(rsbac_list_handle_t handle, void *desc)
++{
++	return rsbac_ta_list_lol_exist(0, handle, desc);
++}
++
++/*
++ * Note: The subdesc/data value given here is always used as second parameter to the
++ *       given subdesc compare function, so you can use different types for storage and
++ *       lookup. If compare is NULL, call is forwarded to rsbac_list_lol_subexist.
++ * Warning: This function does not use the list optimization when searching the sublist!
++ */
++int rsbac_ta_list_lol_subexist_compare(rsbac_list_ta_number_t ta_number,
++				       rsbac_list_handle_t handle,
++				       void *desc,
++				       void *subdesc,
++				       rsbac_list_compare_function_t
++				       compare);
++
++static inline int rsbac_list_lol_subexist_compare(rsbac_list_handle_t handle,
++				    void *desc,
++				    void *subdesc,
++				    rsbac_list_compare_function_t compare)
++{
++	return rsbac_ta_list_lol_subexist_compare(0, handle,
++						  desc, subdesc, compare);
++}
++
++/* count number of elements */
++/* returns number of elements or negative error code */
++long rsbac_ta_list_count(rsbac_list_ta_number_t ta_number,
++			 rsbac_list_handle_t handle);
++
++static inline long rsbac_list_count(rsbac_list_handle_t handle)
++{
++	return rsbac_ta_list_count(0, handle);
++}
++
++long rsbac_ta_list_lol_subcount(rsbac_list_ta_number_t ta_number,
++				rsbac_list_handle_t handle, void *desc);
++
++static inline long rsbac_list_lol_subcount(rsbac_list_handle_t handle, void *desc)
++{
++	return rsbac_ta_list_lol_subcount(0, handle, desc);
++}
++
++long rsbac_ta_list_lol_all_subcount(rsbac_list_ta_number_t ta_number,
++				    rsbac_list_handle_t handle);
++
++static inline long rsbac_list_lol_all_subcount(rsbac_list_handle_t handle)
++{
++	return rsbac_ta_list_lol_all_subcount(0, handle);
++}
++
++long rsbac_ta_list_lol_count(rsbac_list_ta_number_t ta_number,
++			     rsbac_list_handle_t handle);
++
++static inline long rsbac_list_lol_count(rsbac_list_handle_t handle)
++{
++	return rsbac_ta_list_lol_count(0, handle);
++}
++
++
++/* Get array of all descriptors */
++/* Returns number of elements or negative error code */
++/* If return value > 0, *array_p contains a pointer to a rsbac_kmalloc'd array
++   of descs, otherwise *array_p is set to NULL. If *array_p has been set,
++   caller must call rsbac_kfree(*array_p) after use! */
++
++long rsbac_ta_list_get_all_desc(rsbac_list_ta_number_t ta_number,
++				rsbac_list_handle_t handle,
++				void **array_p);
++
++static inline long rsbac_list_get_all_desc(rsbac_list_handle_t handle, void **array_p)
++{
++	return rsbac_ta_list_get_all_desc(0, handle, array_p);
++}
++
++long rsbac_ta_list_get_all_desc_selector (
++	rsbac_list_ta_number_t ta_number,
++	rsbac_list_handle_t handle, void **array_p,
++	rsbac_list_desc_selector_function_t selector,
++	void * param);
++
++long rsbac_ta_list_lol_get_all_subdesc_ttl(rsbac_list_ta_number_t
++					   ta_number,
++					   rsbac_list_handle_t handle,
++					   void *desc, void **array_p,
++					   rsbac_time_t ** ttl_array_p);
++
++static inline long rsbac_list_lol_get_all_subdesc(rsbac_list_handle_t handle,
++				void *desc,
++				void **array_p)
++{
++	return rsbac_ta_list_lol_get_all_subdesc_ttl(0, handle,
++						     desc, array_p, NULL);
++}
++
++static inline long rsbac_list_lol_get_all_subdesc_ttl(rsbac_list_handle_t handle,
++					void *desc,
++					void **array_p,
++					rsbac_time_t ** ttl_array_p)
++{
++	return rsbac_ta_list_lol_get_all_subdesc_ttl(0,
++						     handle,
++						     desc,
++						     array_p, ttl_array_p);
++}
++
++long rsbac_ta_list_lol_get_all_desc(rsbac_list_ta_number_t ta_number,
++				    rsbac_list_handle_t handle,
++				    void **array_p);
++
++static inline long rsbac_list_lol_get_all_desc(rsbac_list_handle_t handle,
++				 void **array_p)
++{
++	return rsbac_ta_list_lol_get_all_desc(0, handle, array_p);
++}
++
++long rsbac_ta_list_lol_get_all_desc_selector (
++        rsbac_list_ta_number_t ta_number,
++        rsbac_list_handle_t handle,
++        void **array_p,
++        rsbac_list_desc_selector_function_t selector,
++        void * param);
++
++/* Get array of all datas */
++/* Returns number of elements or negative error code */
++/* If return value > 0, *array_p contains a pointer to a rsbac_kmalloc'd array
++   of datas, otherwise *array_p is set to NULL. If *array_p has been set,
++   caller must call rsbac_kfree(*array_p) after use! */
++
++long rsbac_ta_list_get_all_data(rsbac_list_ta_number_t ta_number,
++				rsbac_list_handle_t handle,
++				void **array_p);
++
++static inline long rsbac_list_get_all_data(rsbac_list_handle_t handle, void **array_p)
++{
++	return rsbac_ta_list_get_all_data(0, handle, array_p);
++}
++
++long rsbac_ta_list_lol_get_all_subdata(rsbac_list_ta_number_t ta_number,
++				       rsbac_list_handle_t handle,
++				       void *desc, void **array_p);
++
++static inline long rsbac_list_lol_get_all_subdata(rsbac_list_handle_t handle,
++				    void *desc, void **array_p)
++{
++	return rsbac_ta_list_lol_get_all_subdata(0, handle, desc, array_p);
++}
++
++long rsbac_ta_list_lol_get_all_data(rsbac_list_ta_number_t ta_number,
++				    rsbac_list_handle_t handle,
++				    void **array_p);
++
++static inline long rsbac_list_lol_get_all_data(rsbac_list_handle_t handle,
++				 void **array_p)
++{
++	return rsbac_ta_list_lol_get_all_data(0, handle, array_p);
++}
++
++/* Get item size */
++
++int rsbac_list_get_item_size(rsbac_list_handle_t handle);
++
++int rsbac_list_lol_get_subitem_size(rsbac_list_handle_t handle);
++
++int rsbac_list_lol_get_item_size(rsbac_list_handle_t handle);
++
++/* Get array of all items */
++/* Returns number of items or negative error code */
++/* If return value > 0, *array_p contains a pointer to a rsbac_kmalloc'd array
++   of items, where desc and data are placed directly behind each other.
++   If *array_p has been set, caller must call rsbac_kfree(*array_p) after use! */
++
++long rsbac_ta_list_get_all_items_ttl(rsbac_list_ta_number_t ta_number,
++				     rsbac_list_handle_t handle,
++				     void **array_p,
++				     rsbac_time_t ** ttl_array_p);
++
++static inline long rsbac_list_get_all_items_ttl(rsbac_list_handle_t handle,
++				  void **array_p,
++				  rsbac_time_t ** ttl_array_p)
++{
++	return rsbac_ta_list_get_all_items_ttl(0, handle, array_p,
++					       ttl_array_p);
++}
++
++static inline long rsbac_list_get_all_items(rsbac_list_handle_t handle, void **array_p)
++{
++	return rsbac_ta_list_get_all_items_ttl(0, handle, array_p, NULL);
++}
++
++long rsbac_ta_list_lol_get_all_subitems_ttl(rsbac_list_ta_number_t
++					    ta_number,
++					    rsbac_list_handle_t handle,
++					    void *desc, void **array_p,
++					    rsbac_time_t ** ttl_array_p);
++
++static inline long rsbac_list_lol_get_all_subitems_ttl(rsbac_list_handle_t handle,
++					 void *desc,
++					 void **array_p,
++					 rsbac_time_t ** ttl_array_p)
++{
++	return rsbac_ta_list_lol_get_all_subitems_ttl(0, handle, desc,
++						      array_p,
++						      ttl_array_p);
++}
++
++static inline long rsbac_list_lol_get_all_subitems(rsbac_list_handle_t handle,
++				     void *desc, void **array_p)
++{
++	return rsbac_ta_list_lol_get_all_subitems_ttl(0, handle, desc,
++						      array_p, NULL);
++}
++
++long rsbac_ta_list_lol_get_all_items(rsbac_list_ta_number_t ta_number,
++				     rsbac_list_handle_t handle,
++				     void **array_p);
++
++static inline long rsbac_list_lol_get_all_items(rsbac_list_handle_t handle,
++				  void **array_p)
++{
++	return rsbac_ta_list_lol_get_all_items(0, handle, array_p);
++}
++
++/* Copy a complete list
++ * Both lists must have been registered with same desc and data sizes,
++ * nr_hashes may differ. Old target list items are removed before copying.
++ * If ta_number is set and transactions are enabled, the complete
++ * target list content is in the same transaction. Forgetting the
++ * transaction will restore the old to_list.
++ */
++
++long rsbac_list_copy(rsbac_list_ta_number_t ta_number,
++			rsbac_list_handle_t from_handle,
++			rsbac_list_handle_t to_handle);
++
++long rsbac_list_lol_copy(rsbac_list_ta_number_t ta_number,
++			rsbac_list_handle_t from_handle,
++			rsbac_list_handle_t to_handle);
++
++/* Get the current number of hashes - may vary when resized */
++long rsbac_list_get_nr_hashes(rsbac_list_handle_t handle);
++
++long rsbac_list_lol_get_nr_hashes(rsbac_list_handle_t handle);
++
++#endif
++/* end of lists.h */
+diff --git a/include/rsbac/log_cap.h b/include/rsbac/log_cap.h
+new file mode 100644
+index 0000000..82195bf
+--- /dev/null
++++ b/include/rsbac/log_cap.h
+@@ -0,0 +1,14 @@
++/********************************** */
++/* Rule Set Based Access Control    */
++/* Author and (c) 2005:             */
++/*   Amon Ott <ao@...>        */
++/* Missing Cap logging              */
++/* Last modified: 27/May/2005       */
++/********************************** */
++
++#ifndef __RSBAC_LOG_CAP_H
++#define __RSBAC_LOG_CAP_H
++
++void rsbac_log_missing_cap(int cap);
++
++#endif
+diff --git a/include/rsbac/lsm.h b/include/rsbac/lsm.h
+new file mode 100644
+index 0000000..1136dc0
+--- /dev/null
++++ b/include/rsbac/lsm.h
+@@ -0,0 +1,16 @@
++/************************************* */
++/* Rule Set Based Access Control       */
++/* Author and (c) 2003: Amon Ott       */
++/* file system                         */
++/* Helper functions for all parts      */
++/* Last modified: 28/Jul/2003          */
++/************************************* */
++
++#ifndef __RSBAC_LSM_H
++#define __RSBAC_LSM_H
++
++#include <linux/security.h>
++
++int rsbac_lsm_register(void);
++
++#endif
+diff --git a/include/rsbac/mac.h b/include/rsbac/mac.h
+new file mode 100644
+index 0000000..dbcf8a3
+--- /dev/null
++++ b/include/rsbac/mac.h
+@@ -0,0 +1,134 @@
++/************************************ */
++/* Rule Set Based Access Control      */
++/* Author and (c) 1999-2005:          */
++/*   Amon Ott <ao@...>          */
++/* API: Data structures               */
++/* and functions for Access           */
++/* Control Information / MAC          */
++/* Last modified: 09/Feb/2005         */
++/************************************ */
++
++#ifndef __RSBAC_MAC_H
++#define __RSBAC_MAC_H
++
++#include <linux/init.h>
++#include <rsbac/types.h>
++
++/***************************************************/
++/*               General Prototypes                */
++/***************************************************/
++
++/* All functions return 0, if no error occurred, and a negative error code  */
++/* otherwise. The error codes are defined in rsbac_error.h.                 */
++
++/****************************************************************************/
++/* Initialization, including ACI restoration for all mounted devices from   */
++/* disk. After this call, all ACI is kept in memory for performance reasons,*/
++/* but user and file/dir object ACI are written to disk on every change.    */
++
++#ifdef CONFIG_RSBAC_INIT_DELAY
++extern int rsbac_init_mac(void);
++#else
++extern int rsbac_init_mac(void) __init;
++#endif
++
++/* mounting and umounting */
++int rsbac_mount_mac(kdev_t kdev);
++int rsbac_umount_mac(kdev_t kdev);
++
++/* Some information about the current status is also available */
++extern int rsbac_stats_mac(void);
++
++/* Status checking */
++extern int rsbac_check_mac(int correct, int check_inode);
++
++/* RSBAC attribute saving to disk can be triggered from outside
++ * param: call lock_kernel() before writing?
++ */
++#if defined(CONFIG_RSBAC_MAINT) || defined(CONFIG_RSBAC_AUTO_WRITE)
++extern int rsbac_write_mac(rsbac_boolean_t);
++#endif /* CONFIG_RSBAC_AUTO_WRITE */
++
++/************************************************* */
++/*               Access functions                  */
++/************************************************* */
++
++/* All these procedures handle the semaphores to protect the targets during */
++/* access.                                                                  */
++/* Trying to access a never created or removed set returns an error!        */
++
++/* rsbac_mac_add_to_truset */
++/* Add a set member to a set sublist. Set behaviour: also returns success, */
++/* if member was already in set! */
++
++int rsbac_mac_add_to_p_truset(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_pid_t pid,
++  rsbac_uid_t member,
++  rsbac_time_t ttl);
++
++int rsbac_mac_add_to_f_truset(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_mac_file_t file,
++  rsbac_uid_t member,
++  rsbac_time_t ttl);
++
++/* rsbac_mac_remove_from_truset */
++/* Remove a set member from a sublist. Set behaviour: Returns no error, if */
++/* member is not in list.                                                  */
++
++int rsbac_mac_remove_from_p_truset(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_pid_t pid,
++  rsbac_uid_t member);
++
++int rsbac_mac_remove_from_f_truset(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_mac_file_t file,
++  rsbac_uid_t member);
++
++/* rsbac_mac_clear_truset */
++/* Remove all set members from a sublist. Set behaviour: Returns no error, */
++/* if list is empty.                                                       */
++
++int rsbac_mac_clear_p_truset(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_pid_t pid);
++
++int rsbac_mac_clear_f_truset(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_mac_file_t file);
++
++/* rsbac_mac_truset_member */
++/* Return truth value, whether member is in set */
++
++rsbac_boolean_t  rsbac_mac_p_truset_member(rsbac_pid_t pid,
++                                   rsbac_uid_t member);
++
++/* rsbac_mac_remove_truset */
++/* Remove a full set. For cleanup, if object is deleted. */
++/* To empty an existing set use rsbac_mac_clear_truset. */
++
++int rsbac_mac_remove_p_trusets(rsbac_pid_t pid);
++
++int rsbac_mac_remove_f_trusets(rsbac_mac_file_t file);
++
++int rsbac_mac_copy_fp_truset(rsbac_mac_file_t    file,
++                              rsbac_pid_t p_tru_set_id);
++
++int rsbac_mac_copy_pp_truset(rsbac_pid_t old_p_set_id,
++                              rsbac_pid_t new_p_set_id);
++
++int rsbac_mac_get_f_trulist(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_mac_file_t file,
++  rsbac_uid_t **trulist_p,
++  rsbac_time_t **ttllist_p);
++
++int rsbac_mac_get_p_trulist(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_pid_t pid,
++  rsbac_uid_t **trulist_p,
++  rsbac_time_t **ttllist_p);
++
++#endif
+diff --git a/include/rsbac/mac_data_structures.h b/include/rsbac/mac_data_structures.h
+new file mode 100644
+index 0000000..a06584b
+--- /dev/null
++++ b/include/rsbac/mac_data_structures.h
+@@ -0,0 +1,54 @@
++/**************************************/
++/* Rule Set Based Access Control      */
++/* Author and (c) 1999-2006:          */
++/*   Amon Ott <ao@...> */
++/* Data structures / MAC              */
++/* Last modified: 12/Jan/2006         */
++/**************************************/
++
++#ifndef __RSBAC_MAC_DATA_STRUC_H
++#define __RSBAC_MAC_DATA_STRUC_H
++
++#include <linux/types.h>
++#include <rsbac/aci.h>
++#include <rsbac/types.h>
++
++/**********************************************/
++/* Capability lists                           */
++/**********************************************/
++
++#define RSBAC_MAC_LIST_KEY 626281
++
++#define RSBAC_MAC_P_LIST_VERSION 1
++#define RSBAC_MAC_P_LIST_NAME "macptru"
++
++#define RSBAC_MAC_FD_FILENAME "macfdtru"
++#define RSBAC_MAC_FD_OLD_FILENAME "macfdtru."
++#define RSBAC_MAC_NR_TRU_FD_LISTS 4
++#define RSBAC_MAC_FD_LIST_VERSION 2
++#define RSBAC_MAC_FD_OLD_LIST_VERSION 1
++
++/* The list of devices is also a double linked list, so we define list    */
++/* items and a list head.                                                 */
++
++struct rsbac_mac_device_list_item_t {
++	kdev_t id;		/* set to 0 before deletion */
++	u_int mount_count;
++	rsbac_list_handle_t handle;
++	struct rsbac_mac_device_list_item_t *prev;
++	struct rsbac_mac_device_list_item_t *next;
++};
++
++/* To provide consistency we use spinlocks for all list accesses. The     */
++/* 'curr' entry is used to avoid repeated lookups for the same item.       */
++
++struct rsbac_mac_device_list_head_t {
++	struct rsbac_mac_device_list_item_t *head;
++	struct rsbac_mac_device_list_item_t *tail;
++	struct rsbac_mac_device_list_item_t *curr;
++	spinlock_t lock;
++	struct lock_class_key lock_class;
++	u_int count;
++};
++
++#endif
+diff --git a/include/rsbac/net_getname.h b/include/rsbac/net_getname.h
+new file mode 100644
+index 0000000..e0c7a70
+--- /dev/null
++++ b/include/rsbac/net_getname.h
+@@ -0,0 +1,50 @@
++/********************************** */
++/* Rule Set Based Access Control    */
++/* Author and (c) 1999-2003:        */
++/*   Amon Ott <ao@...>        */
++/* Getname functions for CAP module */
++/* Last modified: 22/Dec/2003       */
++/********************************** */
++
++#ifndef __RSBAC_NET_GETNAME_H
++#define __RSBAC_NET_GETNAME_H
++
++#include <rsbac/types.h>
++
++#define RSBAC_NET_PROTO_MAX 256
++#define RSBAC_NET_TYPE_MAX 11
++
++#ifdef __KERNEL__
++extern int rsbac_net_str_to_inet(char * str, __u32 * addr);
++#else
++#ifndef AF_MAX
++#define AF_MAX 32
++#endif
++#endif
++
++extern char * rsbac_get_net_temp_syscall_name(char * name,
++                                        enum rsbac_net_temp_syscall_t value);
++
++extern char * rsbac_get_net_family_name(char * name,
++                                  u_int value);
++
++extern char * rsbac_get_net_netlink_family_name(char * name,
++                                  u_int value);
++
++extern char * rsbac_get_net_protocol_name(char * name,
++                                    u_int value);
++
++extern char * rsbac_get_net_type_name(char * name,
++                                u_int value);
++
++#ifndef __KERNEL__
++enum rsbac_net_temp_syscall_t rsbac_get_net_temp_syscall_nr(const char * name);
++
++int rsbac_get_net_family_nr(const char * name);
++
++int rsbac_get_net_protocol_nr(const char * name);
++
++int rsbac_get_net_type_nr(const char * name);
++#endif
++
++#endif
+diff --git a/include/rsbac/network.h b/include/rsbac/network.h
+new file mode 100644
+index 0000000..fbf3a89
+--- /dev/null
++++ b/include/rsbac/network.h
+@@ -0,0 +1,91 @@
++/************************************* */
++/* Rule Set Based Access Control       */
++/* Author and (c) 1999-2004:           */
++/*   Amon Ott <ao@...>           */
++/* Network helper functions            */
++/* Last modified: 07/Dec/2004          */
++/************************************* */
++
++#ifndef __RSBAC_NETWORK_H
++#define __RSBAC_NETWORK_H
++
++#include <rsbac/types.h>
++#include <rsbac/network_types.h>
++#include <linux/net.h>
++#include <linux/in.h>
++#include <linux/un.h>
++#include <net/sock.h>
++#include <net/inet_sock.h>
++#include <net/af_unix.h>
++#include <net/route.h>
++
++/* functions */
++
++int rsbac_ta_net_list_all_netdev(rsbac_list_ta_number_t ta_number, rsbac_netdev_id_t ** id_pp);
++
++static inline int rsbac_net_list_all_netdev(rsbac_netdev_id_t ** id_pp)
++  {
++    return rsbac_ta_net_list_all_netdev(0, id_pp);
++  }
++
++//__u32 rsbac_net_make_mask_u32(__u8 valid_bits);
++
++int rsbac_net_compare_data(void * data1, void * data2);
++
++int rsbac_net_get_id(
++         rsbac_list_ta_number_t ta_number,
++  struct rsbac_net_description_t * desc_p,
++         rsbac_net_temp_id_t * id_p);
++
++// void rsbac_net_obj_cleanup(rsbac_net_obj_id_t netobj);
++
++int rsbac_ta_net_lookup_templates(
++         rsbac_list_ta_number_t ta_number,
++  struct rsbac_net_obj_desc_t * netobj_p,
++         rsbac_net_temp_id_t * local_temp_p,
++         rsbac_net_temp_id_t * remote_temp_p);
++
++static inline int rsbac_net_lookup_templates(
++  struct rsbac_net_obj_desc_t * netobj_p,
++         rsbac_net_temp_id_t * local_temp_p,
++         rsbac_net_temp_id_t * remote_temp_p)
++  {
++    return rsbac_ta_net_lookup_templates(0, netobj_p, local_temp_p, remote_temp_p);
++  }
++
++/* Does template exist? Returns TRUE if yes, FALSE if no */
++int rsbac_ta_net_template_exists(rsbac_list_ta_number_t ta_number,
++	rsbac_net_temp_id_t id);
++
++int rsbac_ta_net_template(
++  rsbac_list_ta_number_t ta_number,
++  enum rsbac_net_temp_syscall_t call,
++  rsbac_net_temp_id_t id,
++  union rsbac_net_temp_syscall_data_t * data_p);
++
++static inline int rsbac_net_template(enum rsbac_net_temp_syscall_t call,
++                       rsbac_net_temp_id_t id,
++                       union rsbac_net_temp_syscall_data_t * data_p)
++  {
++    return rsbac_ta_net_template(0, call, id, data_p);
++  }
++
++int rsbac_ta_net_list_all_template(rsbac_list_ta_number_t ta_number,
++                                   rsbac_net_temp_id_t ** id_pp);
++
++static inline int rsbac_net_list_all_template(rsbac_net_temp_id_t ** id_pp)
++  {
++    return rsbac_ta_net_list_all_template(0, id_pp);
++  }
++
++int rsbac_ta_net_template_exist(rsbac_list_ta_number_t ta_number, rsbac_net_temp_id_t temp);
++
++static inline int rsbac_net_template_exist(rsbac_net_temp_id_t temp)
++  {
++    return rsbac_ta_net_template_exist(0, temp);
++  }
++
++/* Whether request should be checked for remote endpoint */
++int rsbac_net_remote_request(enum rsbac_adf_request_t request);
++
++#endif
+diff --git a/include/rsbac/network_types.h b/include/rsbac/network_types.h
+new file mode 100644
+index 0000000..c8a0ab8
+--- /dev/null
++++ b/include/rsbac/network_types.h
+@@ -0,0 +1,154 @@
++/************************************* */
++/* Rule Set Based Access Control       */
++/* Author and (c) 1999-2009:           */
++/*   Amon Ott <ao@...>           */
++/* Network access control data structs */
++/* Last modified: 03/Feb/2009          */
++/************************************* */
++
++#ifndef __RSBAC_NETWORK_TYPES_H
++#define __RSBAC_NETWORK_TYPES_H
++
++#define RSBAC_NET_ANY 0
++#define RSBAC_NET_NETLINK_PROTO_ANY 255
++
++#define RSBAC_NET_UNKNOWN 0
++
++#define RSBAC_NET_TEMP_VERSION 2
++#define RSBAC_NET_TEMP_OLD_VERSION 1
++#define RSBAC_NET_TEMP_KEY 0x815affe
++#define RSBAC_NET_TEMP_NAME "nettemp"
++
++typedef __u32 rsbac_net_temp_id_t;
++
++#define RSBAC_NET_MAX_ADDRESS_LEN 128
++#define RSBAC_NET_TEMP_NAMELEN 16
++
++#define RSBAC_NET_MAX_PORT 65535
++
++#define RSBAC_NET_NR_INET_ADDR 25
++#define RSBAC_NET_NR_PORTS 10
++
++struct rsbac_net_temp_port_range_t {
++	__u16 min;
++	__u16 max;
++};
++
++struct rsbac_net_temp_inet_addr_t {
++	__u32 addr[RSBAC_NET_NR_INET_ADDR];
++	__u8 valid_bits[RSBAC_NET_NR_INET_ADDR];
++	__u8 nr_addr;
++};
++
++struct rsbac_net_temp_other_addr_t {
++	char addr[RSBAC_NET_MAX_ADDRESS_LEN];
++	__u8 valid_len;
++};
++
++struct rsbac_net_temp_ports_t {
++	struct rsbac_net_temp_port_range_t ports[RSBAC_NET_NR_PORTS];
++	__u8 nr_ports;
++};
++
++union rsbac_net_temp_addr_t {
++	struct rsbac_net_temp_inet_addr_t inet;
++	struct rsbac_net_temp_other_addr_t other;
++};
++
++struct rsbac_net_temp_data_t {
++	/* must be first for alignment */
++	union rsbac_net_temp_addr_t address;
++	__u8 address_family;
++	__u8 type;
++	__u8 protocol;
++	rsbac_netdev_id_t netdev;
++	struct rsbac_net_temp_ports_t ports;	/* for those address families that support them */
++	char name[RSBAC_NET_TEMP_NAMELEN];
++};
++
++struct rsbac_net_temp_old_data_t {
++	/* must be first for alignment */
++	char address[RSBAC_NET_MAX_ADDRESS_LEN];
++	__u8 address_family;
++	__u8 valid_len;		/* Bytes for AF_UNIX, Bits for all others */
++	__u8 type;
++	__u8 protocol;
++	rsbac_netdev_id_t netdev;
++	__u16 min_port;		/* for those address families that support them */
++	__u16 max_port;
++	char name[RSBAC_NET_TEMP_NAMELEN];
++};
++
++#define RSBAC_NET_TEMP_LNET_ID 100101
++#define RSBAC_NET_TEMP_LNET_ADDRESS "127.0.0.0"
++#define RSBAC_NET_TEMP_LAN_ID 100102
++#define RSBAC_NET_TEMP_LAN_ADDRESS "192.168.0.0"
++#define RSBAC_NET_TEMP_AUTO_ID 100105
++#define RSBAC_NET_TEMP_AUTO_ADDRESS "0.0.0.0"
++#define RSBAC_NET_TEMP_INET_ID 100110
++#define RSBAC_NET_TEMP_ALL_ID ((rsbac_net_temp_id_t) -1)
++
++/* default templates moved into aci_data_structures.c */
++
++struct rsbac_net_description_t {
++	__u8 address_family;
++	void *address;
++	__u8 address_len;
++	__u8 type;
++	__u8 protocol;
++	rsbac_netdev_id_t netdev;
++	__u16 port;
++};
++
++enum rsbac_net_temp_syscall_t {
++	NTS_new_template,
++	NTS_copy_template,
++	NTS_delete_template,
++	NTS_check_id,
++	NTS_get_address,
++	NTS_get_address_family,
++	NTS_get_type,
++	NTS_get_protocol,
++	NTS_get_netdev,
++	NTS_get_ports,
++	NTS_get_name,
++	NTS_set_address,
++	NTS_set_address_family,
++	NTS_set_type,
++	NTS_set_protocol,
++	NTS_set_netdev,
++	NTS_set_ports,
++	NTS_set_name,
++	NTS_none
++};
++
++union rsbac_net_temp_syscall_data_t {
++	rsbac_net_temp_id_t id;
++	union rsbac_net_temp_addr_t address;
++	__u8 address_family;
++	__u8 type;
++	__u8 protocol;
++	rsbac_netdev_id_t netdev;
++	struct rsbac_net_temp_ports_t ports;	/* for those address families that support them */
++	char name[RSBAC_NET_TEMP_NAMELEN];
++};
++
++/*
++ *      Display an IP address in readable format.
++ */
++
++#ifndef NIPQUAD
++#define NIPQUAD(addr) \
++	((unsigned char *)&addr)[0], \
++	((unsigned char *)&addr)[1], \
++	((unsigned char *)&addr)[2], \
++	((unsigned char *)&addr)[3]
++
++#define HIPQUAD(addr) \
++	((unsigned char *)&addr)[3], \
++	((unsigned char *)&addr)[2], \
++	((unsigned char *)&addr)[1], \
++	((unsigned char *)&addr)[0]
++#endif
++
++#endif
+diff --git a/include/rsbac/pax.h b/include/rsbac/pax.h
+new file mode 100644
+index 0000000..a4bacc7
+--- /dev/null
++++ b/include/rsbac/pax.h
+@@ -0,0 +1,21 @@
++/************************************ */
++/* Rule Set Based Access Control      */
++/* Author and (c) 1999-2004: Amon Ott */
++/* API:                               */
++/* Functions for Access               */
++/* Control Information / PAX          */
++/* Last modified: 12/Jan/2004         */
++/************************************ */
++
++#ifndef __RSBAC_PAX_H
++#define __RSBAC_PAX_H
++
++#include <rsbac/types.h>
++
++/***************************************************/
++/*               General Prototypes                */
++/***************************************************/
++
++void rsbac_pax_set_flags_func(struct linux_binprm * bprm);
++
++#endif
+diff --git a/include/rsbac/pax_getname.h b/include/rsbac/pax_getname.h
+new file mode 100644
+index 0000000..e6611d7
+--- /dev/null
++++ b/include/rsbac/pax_getname.h
+@@ -0,0 +1,20 @@
++/********************************** */
++/* Rule Set Based Access Control    */
++/* Author and (c) 1999-2004:        */
++/*   Amon Ott <ao@...>        */
++/* Getname functions for CAP module */
++/* Last modified: 06/Jan/2004       */
++/********************************** */
++
++#ifndef __RSBAC_PAX_GETNAME_H
++#define __RSBAC_PAX_GETNAME_H
++
++#include <rsbac/types.h>
++
++char * pax_print_flags(char * string, rsbac_pax_flags_t flags);
++
++#ifndef __KERNEL__
++rsbac_pax_flags_t pax_strtoflags(char * string, rsbac_pax_flags_t init_flags);
++#endif
++
++#endif
+diff --git a/include/rsbac/pm.h b/include/rsbac/pm.h
+new file mode 100644
+index 0000000..b251290
+--- /dev/null
++++ b/include/rsbac/pm.h
+@@ -0,0 +1,232 @@
++/******************************* */
++/* Rule Set Based Access Control */
++/* Author and (c) 1999-2005:     */
++/*   Amon Ott <ao@...>     */
++/* API: Data structures          */
++/* and functions for Access      */
++/* Control Information / PM      */
++/* Last modified: 09/Feb/2005    */
++/******************************* */
++
++#ifndef __RSBAC_PM_H
++#define __RSBAC_PM_H
++
++#include <linux/init.h>
++#include <rsbac/pm_types.h>
++
++/***************************************************/
++/*               General Prototypes                */
++/***************************************************/
++
++/* All functions return 0, if no error occurred, and a negative error code  */
++/* otherwise. The error codes are defined in rsbac_error.h.                 */
++
++/****************************************************************************/
++/* Initialization, including ACI restoration for all mounted devices from   */
++/* disk. After this call, all ACI is kept in memory for performance reasons,*/
++/* but user and file/dir object ACI are written to disk on every change.    */
++
++#ifdef CONFIG_RSBAC_INIT_DELAY
++extern int rsbac_init_pm(void);
++#else
++extern int rsbac_init_pm(void) __init;
++#endif
++
++/* Some information about the current status is also available              */
++
++extern int rsbac_stats_pm(void);
++
++/* RSBAC attribute saving to disk can be triggered from outside
++ * param: call lock_kernel() before writing?
++ */
++
++#ifdef CONFIG_RSBAC_AUTO_WRITE
++extern int rsbac_write_pm(rsbac_boolean_t);
++#endif /* CONFIG_RSBAC_AUTO_WRITE */
++
++/************************************************* */
++/*               Access functions                  */
++/************************************************* */
++
++/***********************/
++/* Helper lists / sets */
++/***********************/
++
++/* All these procedures handle the semaphores to protect the targets during */
++/* access.                                                                  */
++/* Trying to access a never created or removed set returns an error!        */
++
++/* rsbac_pm_add_to_set */
++/* Add a set member to a set sublist. Set behaviour: also returns success,  */
++/* if member was already in set! */
++
++int rsbac_pm_add_to_set(
++        rsbac_list_ta_number_t,
++  enum  rsbac_pm_set_t,          /* set type          */
++  union rsbac_pm_set_id_t,       /* set id            */
++  union rsbac_pm_set_member_t);  /* set member to add */
++
++
++/* rsbac_pm_remove_from_set */
++/* Remove a set member from a sublist. Set behaviour: Returns no error, if */
++/* member is not in list.                                                  */
++
++int rsbac_pm_remove_from_set(
++        rsbac_list_ta_number_t,
++  enum  rsbac_pm_set_t,          /* see above */
++  union rsbac_pm_set_id_t,
++  union rsbac_pm_set_member_t);
++
++
++/* rsbac_pm_clear_set */
++/* Remove all members from a set. Set behaviour: Returns no error, */
++/* if list is empty.                                               */
++
++int rsbac_pm_clear_set(
++        rsbac_list_ta_number_t,
++  enum  rsbac_pm_set_t,          /* set type     */
++  union rsbac_pm_set_id_t);      /* set id       */
++
++
++/* rsbac_pm_set_member */
++/* Return truth value, whether member is in set */
++
++rsbac_boolean_t rsbac_pm_set_member(
++        rsbac_list_ta_number_t,
++  enum  rsbac_pm_set_t,          /* set type */
++  union rsbac_pm_set_id_t,       /* set id   */
++  union rsbac_pm_set_member_t);  /* member   */
++
++
++/* rsbac_pm_pp_subset */
++/* Return truth value, whether pp_set is subset of in_pp_set */
++
++rsbac_boolean_t rsbac_pm_pp_subset(
++  rsbac_pm_pp_set_id_t,
++  rsbac_pm_in_pp_set_id_t);
++
++
++/* rsbac_pm_pp_superset */
++/* Return truth value, whether pp_set is superset of out_pp_set */
++
++rsbac_boolean_t rsbac_pm_pp_superset(
++  rsbac_pm_pp_set_id_t,
++  rsbac_pm_out_pp_set_id_t);
++
++
++/* rsbac_pm_pp_only */
++/* Return truth value, if there is not other item in out_pp_set than purpose */
++
++rsbac_boolean_t rsbac_pm_pp_only(
++  rsbac_pm_purpose_id_t,
++  rsbac_pm_out_pp_set_id_t);
++
++
++/* rsbac_pm_pp_intersec */
++/* Create intersection of pp_set and in_pp_set in in_pp_set */
++/* If in_pp_set does not exist, it is created with all members of pp_set */
++/* If pp_set does not exist or one of them is invalid, an error is returned */
++
++int rsbac_pm_pp_intersec (rsbac_pm_pp_set_id_t,
++                          rsbac_pm_in_pp_set_id_t);
++
++
++/* rsbac_pm_pp_union */
++/* Create union of pp_set and out_pp_set in out_pp_set */
++/* If out_pp_set does not exist, it is created with all members of pp_set */
++/* If pp_set does not exist or one of them is invalid, an error is returned */
++
++int rsbac_pm_pp_union (rsbac_pm_pp_set_id_t,
++                       rsbac_pm_out_pp_set_id_t);
++
++
++/* rsbac_pm_create_set */
++/* Create a new set of given type, using id id. Using any other set     */
++/* function for a set id without creating this set returns an error.    */
++/* To empty an existing set use rsbac_pm_clear_set.                     */
++
++int rsbac_pm_create_set(
++  rsbac_list_ta_number_t,
++  enum  rsbac_pm_set_t,          /* set type */
++  union rsbac_pm_set_id_t);      /* set id   */
++
++
++/* rsbac_pm_set_exist */
++/* Return truth value whether set exists, returns FALSE for invalid */
++/* values. */
++
++rsbac_boolean_t rsbac_pm_set_exist(
++        rsbac_list_ta_number_t,
++  enum  rsbac_pm_set_t,          /* set type */
++  union rsbac_pm_set_id_t);      /* set id   */
++
++
++/* rsbac_pm_remove_set */
++/* Remove a full set. After this call the given id can only be used for */
++/* creating a new set, anything else returns an error.                  */
++/* To empty an existing set use rsbac_pm_clear_set.                     */
++
++int rsbac_pm_remove_set(
++        rsbac_list_ta_number_t,
++  enum  rsbac_pm_set_t,          /* set type */
++  union rsbac_pm_set_id_t);      /* set id   */
++
++
++/**************/
++/* Main lists */
++/**************/
++
++/* rsbac_pm_get_data() and rsbac_pm_set_data() change single data values.   */
++/* rsbac_pm_add_target() adds a new list item and sets all data values as   */
++/* given. rsbac_pm_remove_target() removes an item.                         */
++
++/* A rsbac_pm_[sg]et_data() call for a non-existing target will return an   */
++/* error.*/
++/* Invalid parameter combinations return an error.                          */
++
++/* All these procedures handle the semaphores to protect the targets during */
++/* access.                                                                  */
++
++int rsbac_pm_get_data(
++        rsbac_list_ta_number_t,
++  enum  rsbac_pm_target_t,          /* list type */
++  union rsbac_pm_target_id_t,      /* item id in list */
++  enum  rsbac_pm_data_t,            /* data item */
++  union rsbac_pm_data_value_t *);  /* for return value */
++
++
++int rsbac_pm_get_all_data(
++        rsbac_list_ta_number_t,
++  enum  rsbac_pm_target_t,          /* list type */
++  union rsbac_pm_target_id_t,      /* item id in list */
++  union rsbac_pm_all_data_value_t *);  /* for return value */
++
++
++rsbac_boolean_t rsbac_pm_exists(
++        rsbac_list_ta_number_t,
++  enum  rsbac_pm_target_t,          /* list type */
++  union rsbac_pm_target_id_t);     /* item id in list */
++
++
++int rsbac_pm_set_data(
++        rsbac_list_ta_number_t,
++  enum  rsbac_pm_target_t,          /* list type */
++  union rsbac_pm_target_id_t,      /* item id in list */
++  enum  rsbac_pm_data_t,            /* data item */
++  union rsbac_pm_data_value_t);    /* data value */
++
++
++int rsbac_pm_add_target(
++        rsbac_list_ta_number_t,
++  enum  rsbac_pm_target_t,            /* list type */
++  union rsbac_pm_all_data_value_t);  /* values for all */
++                                     /* data items,    */
++                                     /* incl. item id  */
++
++
++int rsbac_pm_remove_target(
++        rsbac_list_ta_number_t,
++  enum  rsbac_pm_target_t,        /* list type */
++  union rsbac_pm_target_id_t);   /* item id in list */
++
++#endif
+diff --git a/include/rsbac/pm_data_structures.h b/include/rsbac/pm_data_structures.h
+new file mode 100644
+index 0000000..8179994
+--- /dev/null
++++ b/include/rsbac/pm_data_structures.h
+@@ -0,0 +1,77 @@
++/**************************************/
++/* Rule Set Based Access Control      */
++/* Author and (c) 1999-2009: Amon Ott */
++/* Data structures / PM               */
++/* Last modified: 26/Mar/2009         */
++/**************************************/
++
++#ifndef __RSBAC_PM_DATA_STRUC_H
++#define __RSBAC_PM_DATA_STRUC_H
++
++#include <linux/types.h>
++#include <rsbac/aci.h>
++#include <rsbac/types.h>
++#include <rsbac/pm_types.h>
++
++#define RSBAC_PM_TASK_SET_LIST_NAME "pm_ta_s"
++#define RSBAC_PM_TASK_SET_LIST_PROC_NAME "task_set"
++
++#define RSBAC_PM_TP_SET_LIST_NAME   "pm_tp_s"
++#define RSBAC_PM_TP_SET_LIST_PROC_NAME   "tp_set"
++
++#define RSBAC_PM_RU_SET_LIST_NAME   "pm_ru_s"
++#define RSBAC_PM_RU_SET_LIST_PROC_NAME   "responsible_user_set"
++
++#define RSBAC_PM_PP_SET_LIST_NAME   "pm_pp_s"
++#define RSBAC_PM_PP_SET_LIST_PROC_NAME   "purpose_set"
++
++#define RSBAC_PM_IN_PP_SET_LIST_NAME "input_pp_set"
++#define RSBAC_PM_IN_PP_SET_LIST_PROC_NAME "input_purpose_set"
++
++#define RSBAC_PM_OUT_PP_SET_LIST_NAME "output_pp_set"
++#define RSBAC_PM_OUT_PP_SET_LIST_PROC_NAME "output_purpose_set"
++
++
++#define RSBAC_PM_TASK_LIST_NAME     "pm_task"
++#define RSBAC_PM_TASK_LIST_PROC_NAME     "task"
++
++#define RSBAC_PM_CLASS_LIST_NAME    "pm_clas"
++#define RSBAC_PM_CLASS_LIST_PROC_NAME    "object_class"
++
++#define RSBAC_PM_NA_LIST_NAME       "pm_na"
++#define RSBAC_PM_NA_LIST_PROC_NAME       "necessary_accesses"
++
++#define RSBAC_PM_CS_LIST_NAME       "pm_cs"
++#define RSBAC_PM_CS_LIST_PROC_NAME       "consent"
++
++#define RSBAC_PM_TP_LIST_NAME       "pm_tp"
++#define RSBAC_PM_TP_LIST_PROC_NAME       "tp"
++
++#define RSBAC_PM_PP_LIST_NAME       "pm_pp"
++#define RSBAC_PM_PP_LIST_PROC_NAME       "purpose"
++
++#define RSBAC_PM_TKT_LIST_NAME      "pm_tkt"
++#define RSBAC_PM_TKT_LIST_PROC_NAME      "ticket"
++
++
++#define RSBAC_PM_NO_VERSION 1
++
++#define RSBAC_PM_TASK_SET_LIST_VERSION   1
++#define RSBAC_PM_TP_SET_LIST_VERSION     1
++#define RSBAC_PM_RU_SET_LIST_VERSION     2
++#define RSBAC_PM_PP_SET_LIST_VERSION     1
++
++#define RSBAC_PM_TASK_LIST_VERSION       1
++#define RSBAC_PM_CLASS_LIST_VERSION      1
++#define RSBAC_PM_NA_LIST_VERSION         1
++#define RSBAC_PM_CS_LIST_VERSION         1
++#define RSBAC_PM_TP_LIST_VERSION         1
++#define RSBAC_PM_PP_LIST_VERSION         1
++#define RSBAC_PM_TKT_LIST_VERSION        2
++
++#define RSBAC_PM_LIST_KEY 19990820
++
++#define RSBAC_PM_PROC_STATS_NAME "stats_pm"
++#define RSBAC_PM_PROC_DIR_NAME "pm"
++
++#endif
+diff --git a/include/rsbac/pm_getname.h b/include/rsbac/pm_getname.h
+new file mode 100644
+index 0000000..af667f8
+--- /dev/null
++++ b/include/rsbac/pm_getname.h
+@@ -0,0 +1,81 @@
++/******************************** */
++/* Rule Set Based Access Control  */
++/* Author and (c) 1999: Amon Ott  */
++/* Getname functions for PM parts */
++/* Last modified: 08/Feb/99       */
++/******************************** */
++
++#ifndef __RSBAC_PM_GETNAME_H
++#define __RSBAC_PM_GETNAME_H
++
++#include <rsbac/types.h>
++
++#ifndef NULL
++#define NULL ((void *) 0)
++#endif
++
++#include <rsbac/helpers.h>
++#include <rsbac/error.h>
++
++char * get_pm_list_name(char *,
++                        enum  rsbac_pm_list_t);
++
++enum   rsbac_pm_list_t get_pm_list_nr(const char *);
++
++char * get_pm_all_list_name(char *,
++                            enum  rsbac_pm_all_list_t);
++
++enum   rsbac_pm_all_list_t get_pm_all_list_nr(const char *);
++
++char * get_pm_role_name(char *,
++                        enum  rsbac_pm_role_t);
++
++enum   rsbac_pm_role_t get_pm_role_nr(const char *);
++
++char * get_pm_process_type_name(char *,
++                        enum  rsbac_pm_process_type_t);
++
++enum   rsbac_pm_process_type_t get_pm_process_type_nr(const char *);
++
++char * get_pm_object_type_name(char *,
++                        enum  rsbac_pm_object_type_t);
++
++enum   rsbac_pm_object_type_t get_pm_object_type_nr(const char *);
++
++#ifdef __KERNEL__
++char * get_pm_set_name(char *,
++                        enum  rsbac_pm_set_t);
++
++enum   rsbac_pm_set_t get_pm_set_nr(const char *);
++
++char * get_pm_target_name(char *,
++                        enum  rsbac_pm_target_t);
++
++enum   rsbac_pm_target_t get_pm_target_nr(const char *);
++
++char * get_pm_data_name(char *,
++                        enum  rsbac_pm_data_t);
++
++enum   rsbac_pm_data_t get_pm_data_nr(const char *);
++#endif
++
++char * get_pm_function_type_name(char *,
++                        enum  rsbac_pm_function_type_t);
++
++enum   rsbac_pm_function_type_t get_pm_function_type_nr(const char *);
++
++#ifndef __KERNEL__
++char * get_pm_function_param(char *,
++                        enum  rsbac_pm_function_type_t);
++
++char * get_pm_tkt_function_param(char *,
++                        enum  rsbac_pm_tkt_function_type_t);
++#endif
++
++char * get_pm_tkt_function_type_name(char *,
++                        enum  rsbac_pm_tkt_function_type_t);
++
++enum   rsbac_pm_tkt_function_type_t
++    get_pm_tkt_function_type_nr(const char *);
++
++#endif
+diff --git a/include/rsbac/pm_ticket.h b/include/rsbac/pm_ticket.h
+new file mode 100644
+index 0000000..8989398
+--- /dev/null
++++ b/include/rsbac/pm_ticket.h
+@@ -0,0 +1,409 @@
++/******************************* */
++/* Rule Set Based Access Control */
++/* Author and (c) 1999-2012:     */
++/*   Amon Ott <ao@...>     */
++/* API: Data types for privacy   */
++/*      model calls / tickets    */
++/* Last modified: 07/May/2012    */
++/******************************* */
++
++#ifndef __RSBAC_PM_TICKET_H
++#define __RSBAC_PM_TICKET_H
++
++#include <linux/types.h>
++
++enum    rsbac_pm_tkt_function_type_t {/* issued by data_prot_officer */
++                                      PTF_add_na, PTF_delete_na, PTF_add_task,
++                                      PTF_delete_task, PTF_add_object_class,
++                                      PTF_delete_object_class,
++                                      PTF_add_authorized_tp,
++                                      PTF_delete_authorized_tp,
++                                      PTF_add_consent, PTF_delete_consent,
++                                      PTF_add_purpose, PTF_delete_purpose,
++                                      PTF_add_responsible_user,
++                                      PTF_delete_responsible_user,
++                                      PTF_delete_user_aci,
++                                      PTF_set_role,
++                                      PTF_set_object_class,
++                                      PTF_switch_pm,
++                                      PTF_switch_auth,
++                                      PTF_set_device_object_type,
++                                      PTF_set_auth_may_setuid,
++                                      PTF_set_auth_may_set_cap,
++                                      /* issued by user also */
++                                      PTF_add_authorized_task,
++                                      PTF_delete_authorized_task,
++                                      /* never issued, internal */
++                                      PTF_none};
++
++struct rsbac_pm_add_na_t
++  {
++    rsbac_pm_task_id_t            task;
++    rsbac_pm_object_class_id_t    object_class;
++    rsbac_pm_tp_id_t              tp;
++    rsbac_pm_accesses_t           accesses;
++  };
++
++struct rsbac_pm_delete_na_t
++  {
++    rsbac_pm_task_id_t            task;
++    rsbac_pm_object_class_id_t    object_class;
++    rsbac_pm_tp_id_t              tp;
++    rsbac_pm_accesses_t           accesses;
++  };
++
++struct rsbac_pm_add_task_t
++  {
++    rsbac_pm_task_id_t            id;
++    rsbac_pm_purpose_id_t         purpose;
++  };
++
++struct rsbac_pm_delete_task_t
++  {
++    rsbac_pm_task_id_t            id;
++  };
++
++#ifdef __KERNEL__
++struct rsbac_pm_tkt_add_object_class_t
++  {
++    rsbac_pm_object_class_id_t            id;
++    rsbac_pm_pp_set_id_t                  pp_set;
++  };
++#endif
++
++struct rsbac_pm_add_object_class_t
++  {
++    rsbac_pm_object_class_id_t            id;
++    struct rsbac_pm_purpose_list_item_t __user * pp_list_p;
++  };
++
++struct rsbac_pm_delete_object_class_t
++  {
++    rsbac_pm_object_class_id_t    id;
++  };
++
++struct rsbac_pm_add_authorized_tp_t
++  {
++    rsbac_pm_task_id_t            task;
++    rsbac_pm_tp_id_t              tp;
++  };
++
++struct rsbac_pm_delete_authorized_tp_t
++  {
++    rsbac_pm_task_id_t            task;
++    rsbac_pm_tp_id_t              tp;
++  };
++
++#ifdef __KERNEL__
++struct rsbac_pm_tkt_add_consent_t
++  {
++    struct rsbac_fs_file_t        file;
++    rsbac_pm_purpose_id_t         purpose;
++  };
++#endif
++
++struct rsbac_pm_add_consent_t
++  {
++    char                          __user * filename;
++           rsbac_pm_purpose_id_t  purpose;
++  };
++
++#ifdef __KERNEL__
++struct rsbac_pm_tkt_delete_consent_t
++  {
++    struct rsbac_fs_file_t        file;
++    rsbac_pm_purpose_id_t         purpose;
++  };
++#endif
++
++struct rsbac_pm_delete_consent_t
++  {
++    char                          __user * filename;
++    rsbac_pm_purpose_id_t         purpose;
++  };
++
++struct rsbac_pm_add_purpose_t
++  {
++    rsbac_pm_purpose_id_t         id;
++    rsbac_pm_object_class_id_t    def_class;
++  };
++
++struct rsbac_pm_delete_purpose_t
++  {
++    rsbac_pm_purpose_id_t         id;
++  };
++
++struct rsbac_pm_add_responsible_user_t
++  {
++    rsbac_uid_t                   user;
++    rsbac_pm_task_id_t            task;
++  };
++
++struct rsbac_pm_delete_responsible_user_t
++  {
++    rsbac_uid_t                   user;
++    rsbac_pm_task_id_t            task;
++  };
++
++struct rsbac_pm_delete_user_aci_t
++  {
++    rsbac_uid_t                   id;
++  };
++
++struct rsbac_pm_set_role_t
++  {
++    rsbac_uid_t                   user;
++    enum rsbac_pm_role_t          role;
++  };
++
++#ifdef __KERNEL__
++struct rsbac_pm_tkt_set_object_class_t
++  {
++    struct rsbac_fs_file_t        file;
++    rsbac_pm_object_class_id_t    object_class;
++  };
++#endif
++
++struct rsbac_pm_set_object_class_t
++  {
++    char                          __user * filename;
++    rsbac_pm_object_class_id_t    object_class;
++  };
++
++struct rsbac_pm_switch_pm_t
++  {
++    rsbac_boolean_t               value;
++  };
++
++struct rsbac_pm_switch_auth_t
++  {
++    rsbac_boolean_t               value;
++  };
++
++#ifdef __KERNEL__
++struct rsbac_pm_tkt_set_device_object_type_t
++  {
++    struct rsbac_dev_desc_t       dev;
++    enum rsbac_pm_object_type_t   object_type;
++    rsbac_pm_object_class_id_t    object_class;
++  };
++#endif
++
++struct rsbac_pm_set_device_object_type_t
++  {
++    char                          __user * filename;
++    enum rsbac_pm_object_type_t   object_type;
++    rsbac_pm_object_class_id_t    object_class;
++  };
++
++#ifdef __KERNEL__
++struct rsbac_pm_tkt_set_auth_may_setuid_t
++  {
++    struct rsbac_fs_file_t        file;
++    rsbac_boolean_t               value;
++  };
++#endif
++
++struct rsbac_pm_set_auth_may_setuid_t
++  {
++    char                          __user * filename;
++    rsbac_boolean_t               value;
++  };
++
++#ifdef __KERNEL__
++struct rsbac_pm_tkt_set_auth_may_set_cap_t
++  {
++    struct rsbac_fs_file_t        file;
++    rsbac_boolean_t               value;
++  };
++#endif
++
++struct rsbac_pm_set_auth_may_set_cap_t
++  {
++    char                          __user * filename;
++    rsbac_boolean_t               value;
++  };
++
++/***************/
++
++struct rsbac_pm_add_authorized_task_t
++  {
++    rsbac_uid_t                   user;
++    rsbac_pm_task_id_t            task;
++  };
++
++struct rsbac_pm_delete_authorized_task_t
++  {
++    rsbac_uid_t                   user;
++    rsbac_pm_task_id_t            task;
++  };
++
++/***************/
++
++struct rsbac_pm_create_tp_t
++  {
++    rsbac_pm_tp_id_t              id;
++  };
++
++struct rsbac_pm_delete_tp_t
++  {
++    rsbac_pm_tp_id_t              id;
++  };
++
++struct rsbac_pm_set_tp_t
++  {
++    char                          __user * filename;
++    rsbac_pm_tp_id_t              tp;
++  };
++
++/***************/
++
++#ifdef __KERNEL__
++union   rsbac_pm_tkt_internal_function_param_t
++         {
++           struct rsbac_pm_add_na_t                   add_na;
++           struct rsbac_pm_delete_na_t                delete_na;
++           struct rsbac_pm_add_task_t                 add_task;
++           struct rsbac_pm_delete_task_t              delete_task;
++           struct rsbac_pm_tkt_add_object_class_t     tkt_add_object_class;
++           struct rsbac_pm_delete_object_class_t      delete_object_class;
++           struct rsbac_pm_add_authorized_tp_t        add_authorized_tp;
++           struct rsbac_pm_delete_authorized_tp_t     delete_authorized_tp;
++           struct rsbac_pm_tkt_add_consent_t          tkt_add_consent;
++           struct rsbac_pm_tkt_delete_consent_t       tkt_delete_consent;
++           struct rsbac_pm_add_purpose_t              add_purpose;
++           struct rsbac_pm_delete_purpose_t           delete_purpose;
++           struct rsbac_pm_add_responsible_user_t     add_responsible_user;
++           struct rsbac_pm_delete_responsible_user_t  delete_responsible_user;
++           struct rsbac_pm_delete_user_aci_t          delete_user_aci;
++           struct rsbac_pm_set_role_t                 set_role;
++           struct rsbac_pm_tkt_set_object_class_t     tkt_set_object_class;
++           struct rsbac_pm_switch_pm_t                switch_pm;
++           struct rsbac_pm_switch_pm_t                switch_auth;
++           struct rsbac_pm_tkt_set_device_object_type_t tkt_set_device_object_type;
++           struct rsbac_pm_tkt_set_auth_may_setuid_t  tkt_set_auth_may_setuid;
++           struct rsbac_pm_tkt_set_auth_may_set_cap_t tkt_set_auth_may_set_cap;
++           struct rsbac_pm_add_authorized_task_t      add_authorized_task;
++           struct rsbac_pm_delete_authorized_task_t   delete_authorized_task;
++           int                                        dummy;
++         };
++#endif
++
++union   rsbac_pm_tkt_function_param_t
++         {
++           struct rsbac_pm_add_na_t                   add_na;
++           struct rsbac_pm_delete_na_t                delete_na;
++           struct rsbac_pm_add_task_t                 add_task;
++           struct rsbac_pm_delete_task_t              delete_task;
++           struct rsbac_pm_add_object_class_t         add_object_class;
++           struct rsbac_pm_delete_object_class_t      delete_object_class;
++           struct rsbac_pm_add_authorized_tp_t        add_authorized_tp;
++           struct rsbac_pm_delete_authorized_tp_t     delete_authorized_tp;
++           struct rsbac_pm_add_consent_t              add_consent;
++           struct rsbac_pm_delete_consent_t           delete_consent;
++           struct rsbac_pm_add_purpose_t              add_purpose;
++           struct rsbac_pm_delete_purpose_t           delete_purpose;
++           struct rsbac_pm_add_responsible_user_t     add_responsible_user;
++           struct rsbac_pm_delete_responsible_user_t  delete_responsible_user;
++           struct rsbac_pm_delete_user_aci_t          delete_user_aci;
++           struct rsbac_pm_set_role_t                 set_role;
++           struct rsbac_pm_set_object_class_t         set_object_class;
++           struct rsbac_pm_switch_pm_t                switch_pm;
++           struct rsbac_pm_switch_pm_t                switch_auth;
++           struct rsbac_pm_set_device_object_type_t   set_device_object_type;
++           struct rsbac_pm_set_auth_may_setuid_t      set_auth_may_setuid;
++           struct rsbac_pm_set_auth_may_set_cap_t     set_auth_may_set_cap;
++           struct rsbac_pm_add_authorized_task_t      add_authorized_task;
++           struct rsbac_pm_delete_authorized_task_t   delete_authorized_task;
++           int                                        dummy;
++         };
++
++/***********************/
++
++enum    rsbac_pm_function_type_t     {/* tkt issued by data_prot_officer, */
++                                      /* called by security_officer */
++                                      PF_add_na, PF_delete_na, PF_add_task,
++                                      PF_delete_task, PF_add_object_class,
++                                      PF_delete_object_class,
++                                      PF_add_authorized_tp,
++                                      PF_delete_authorized_tp,
++                                      PF_add_consent, PF_delete_consent,
++                                      PF_add_purpose, PF_delete_purpose,
++                                      PF_add_responsible_user,
++                                      PF_delete_responsible_user,
++                                      PF_delete_user_aci,
++                                      PF_set_role,
++                                      PF_set_object_class,
++                                      PF_switch_pm,
++                                      PF_switch_auth,
++                                      PF_set_device_object_type,
++                                      PF_set_auth_may_setuid,
++                                      PF_set_auth_may_set_cap,
++                                      /* tkt issued by data_prot_officer and */
++                                      /* resp. user, called by security_officer */
++                                      PF_add_authorized_task,
++                                      PF_delete_authorized_task,
++                                      /* called by tp_manager, no ticket */
++                                      PF_create_tp, PF_delete_tp, PF_set_tp,
++                                      /* called by data_prot_officer and */
++                                      /* responsible user */
++                                      PF_create_ticket,
++                                      /* never to be called, internal */
++                                      PF_none};
++
++struct rsbac_pm_create_ticket_t
++  {
++           rsbac_pm_tkt_id_t              id;
++           rsbac_pm_time_stamp_t          valid_for;  /* validity in secs */
++    enum   rsbac_pm_tkt_function_type_t   function_type;
++    union  rsbac_pm_tkt_function_param_t  function_param;
++  };
++
++union   rsbac_pm_function_param_t
++         {
++           struct rsbac_pm_add_na_t                   add_na;
++           struct rsbac_pm_delete_na_t                delete_na;
++           struct rsbac_pm_add_task_t                 add_task;
++           struct rsbac_pm_delete_task_t              delete_task;
++           struct rsbac_pm_add_object_class_t         add_object_class;
++           struct rsbac_pm_delete_object_class_t      delete_object_class;
++           struct rsbac_pm_add_authorized_tp_t        add_authorized_tp;
++           struct rsbac_pm_delete_authorized_tp_t     delete_authorized_tp;
++           struct rsbac_pm_add_consent_t              add_consent;
++           struct rsbac_pm_delete_consent_t           delete_consent;
++           struct rsbac_pm_add_purpose_t              add_purpose;
++           struct rsbac_pm_delete_purpose_t           delete_purpose;
++           struct rsbac_pm_add_responsible_user_t     add_responsible_user;
++           struct rsbac_pm_delete_responsible_user_t  delete_responsible_user;
++           struct rsbac_pm_delete_user_aci_t          delete_user_aci;
++           struct rsbac_pm_set_role_t                 set_role;
++           struct rsbac_pm_set_object_class_t         set_object_class;
++           struct rsbac_pm_switch_pm_t                switch_pm;
++           struct rsbac_pm_switch_pm_t                switch_auth;
++           struct rsbac_pm_set_device_object_type_t   set_device_object_type;
++           struct rsbac_pm_set_auth_may_setuid_t      set_auth_may_setuid;
++           struct rsbac_pm_set_auth_may_set_cap_t     set_auth_may_set_cap;
++           struct rsbac_pm_add_authorized_task_t      add_authorized_task;
++           struct rsbac_pm_delete_authorized_task_t   delete_authorized_task;
++           struct rsbac_pm_create_tp_t                create_tp;
++           struct rsbac_pm_delete_tp_t                delete_tp;
++           struct rsbac_pm_set_tp_t                   set_tp;
++           struct rsbac_pm_create_ticket_t            create_ticket;
++           int                                        dummy;
++         };
++
++
++/*******************/
++
++#ifdef __KERNEL__
++struct rsbac_pm_tkt_data_t
++    {
++             rsbac_pm_tkt_id_t                       id;
++             rsbac_uid_t                             issuer;
++      enum   rsbac_pm_tkt_function_type_t            function_type;
++      union  rsbac_pm_tkt_internal_function_param_t  function_param;
++             rsbac_pm_time_stamp_t                   valid_until;
++    };
++#endif
++
++#endif
+diff --git a/include/rsbac/pm_types.h b/include/rsbac/pm_types.h
+new file mode 100644
+index 0000000..ee70a67
+--- /dev/null
++++ b/include/rsbac/pm_types.h
+@@ -0,0 +1,240 @@
++/************************************ */
++/* Rule Set Based Access Control      */
++/* Author and (c) 1999-2001:          */
++/*   Amon Ott <ao@...>          */
++/* API: Data types for privacy        */
++/*      model calls                   */
++/* Last modified: 06/Sep/2001         */
++/************************************ */
++
++#ifndef __RSBAC_PM_TYPES_H
++#define __RSBAC_PM_TYPES_H
++
++#include <linux/types.h>
++
++/* Basic types */
++
++typedef __u32 rsbac_pm_task_id_t;
++typedef __u32 rsbac_pm_task_set_id_t;
++typedef __u32 rsbac_pm_tp_id_t;       /* transformation procedure id */
++typedef __u32 rsbac_pm_tp_set_id_t;   /* transformation procedure set id */
++typedef __u32 rsbac_pm_ru_set_id_t;   /* responsible user set id */
++typedef __u32 rsbac_pm_purpose_id_t;
++typedef __s32 rsbac_pm_pp_set_id_t;   /* purpose set id */
++typedef rsbac_pid_t rsbac_pm_in_pp_set_id_t; /* input purpose set id */
++typedef rsbac_pm_in_pp_set_id_t rsbac_pm_out_pp_set_id_t;
++                                            /* output purpose set id */
++typedef __u32 rsbac_pm_object_class_id_t;
++typedef __u32 rsbac_pm_tkt_id_t;      /* ticket id */
++typedef rsbac_time_t rsbac_pm_time_stamp_t; /* for ticket time stamps, same as */
++                                      /* parameter for sys_time */
++typedef __u8 rsbac_pm_accesses_t;   /* for necessary accesses */
++#define RSBAC_PM_A_READ   1
++#define RSBAC_PM_A_WRITE  2
++#define RSBAC_PM_A_DELETE 4
++#define RSBAC_PM_A_CREATE 8
++#define RSBAC_PM_A_APPEND 16
++#define RSBAC_PM_A_ALL    31
++#define RSBAC_PM_A_WRITING (RSBAC_PM_A_WRITE | RSBAC_PM_A_DELETE \
++                            | RSBAC_PM_A_CREATE | RSBAC_PM_A_APPEND)
++#define RSBAC_PM_A_WRITE_TO_FILE (RSBAC_PM_A_WRITE | RSBAC_PM_A_APPEND)
++
++#define RSBAC_PM_ROOT_TASK_SET_ID     (rsbac_pm_task_set_id_t) -1
++#define RSBAC_PM_IPC_OBJECT_CLASS_ID  (rsbac_pm_object_class_id_t) 60000
++#define RSBAC_PM_DEV_OBJECT_CLASS_ID  (rsbac_pm_object_class_id_t) 60001
++
++/* enum attributes */
++
++enum    rsbac_pm_list_t {PL_task,PL_class,PL_na,PL_cs,PL_tp,PL_pp,PL_tkt,PL_none};
++
++enum    rsbac_pm_all_list_t {PA_task,PA_class,PA_na,PA_cs,PA_tp,PA_pp,PA_tkt,
++                             PA_task_set,PA_tp_set,PA_ru_set,PA_pp_set,
++                             PA_in_pp_set,PA_out_pp_set,PA_none};
++
++enum    rsbac_pm_role_t {PR_user, PR_security_officer,
++                         PR_data_protection_officer,
++                         PR_tp_manager, PR_system_admin,
++                         PR_none};
++typedef rsbac_enum_t rsbac_pm_role_int_t;
++
++enum    rsbac_pm_process_type_t {PP_none, PP_TP};
++typedef rsbac_enum_t rsbac_pm_process_type_int_t;
++
++enum    rsbac_pm_object_type_t {PO_none, PO_TP, PO_personal_data,
++                                PO_non_personal_data, PO_ipc, PO_dir};
++typedef rsbac_enum_t rsbac_pm_object_type_int_t;
++
++typedef rsbac_pm_process_type_int_t rsbac_pm_program_type_int_t;
++
++#ifdef __KERNEL__
++enum    rsbac_pm_set_t  {PS_TASK,PS_TP,PS_RU,PS_PP,PS_IN_PP,PS_OUT_PP,PS_NONE};
++
++/* unions */
++
++union rsbac_pm_set_id_t
++  {
++    rsbac_pm_task_set_id_t   task_set;
++    rsbac_pm_tp_set_id_t     tp_set;
++    rsbac_pm_ru_set_id_t     ru_set;
++    rsbac_pm_pp_set_id_t     pp_set;
++    rsbac_pm_in_pp_set_id_t  in_pp_set;
++    rsbac_pm_out_pp_set_id_t out_pp_set;
++  };
++
++union rsbac_pm_set_member_t
++  {
++    rsbac_pm_task_id_t      task;
++    rsbac_pm_tp_id_t        tp;
++    rsbac_uid_t             ru;
++    rsbac_pm_purpose_id_t   pp;
++  };
++
++struct  rsbac_pm_na_id_t
++  {
++      rsbac_pm_task_id_t                 task;
++      rsbac_pm_object_class_id_t         object_class;
++      rsbac_pm_tp_id_t                   tp;
++  };
++
++struct  rsbac_pm_cs_id_t
++  {
++      rsbac_pm_purpose_id_t              purpose;
++      struct rsbac_fs_file_t             file;
++  };
++
++/*****************/
++/* api types     */
++/*****************/
++
++struct rsbac_pm_task_data_t
++    {
++      rsbac_pm_task_id_t                 id;
++      rsbac_pm_purpose_id_t              purpose;
++      rsbac_pm_tp_set_id_t               tp_set;
++      rsbac_pm_ru_set_id_t               ru_set;
++    };
++
++struct rsbac_pm_class_data_t
++    {
++      rsbac_pm_object_class_id_t            id;
++      rsbac_pm_pp_set_id_t                  pp_set;
++    };
++
++struct rsbac_pm_na_data_t
++    {
++      rsbac_pm_task_id_t                 task;
++      rsbac_pm_object_class_id_t         object_class;
++      rsbac_pm_tp_id_t                   tp;
++      rsbac_pm_accesses_t                accesses;
++    };
++
++struct rsbac_pm_cs_data_t
++    {
++      rsbac_pm_purpose_id_t              purpose;
++      struct rsbac_fs_file_t             file;
++    };
++
++struct rsbac_pm_tp_data_t
++    {
++      rsbac_pm_tp_id_t                   id;
++    };
++
++struct rsbac_pm_pp_data_t
++    {
++      rsbac_pm_purpose_id_t              id;
++      rsbac_pm_object_class_id_t         def_class;
++    };
++#endif /* __KERNEL__ */
++
++struct rsbac_pm_purpose_list_item_t
++    {
++      rsbac_pm_purpose_id_t                 id;
++      struct rsbac_pm_purpose_list_item_t * next;
++    };
++
++/******* ticket ********/
++
++#include <rsbac/pm_ticket.h>
++
++#ifdef __KERNEL__
++/****************************************************************************/
++/* For all pm lists all manipulation is encapsulated by the function calls  */
++/* rsbac_pm_set_data, rsbac_pm_get_data and rsbac_pm_remove_target.   */
++
++/* For those, we declare some extra types to specify target and attribute.  */
++
++enum   rsbac_pm_target_t {PMT_TASK,
++                          PMT_CLASS,
++                          PMT_NA,
++                          PMT_CS,
++                          PMT_TP,
++                          PMT_PP,
++                          PMT_TKT,
++                          PMT_NONE};
++typedef rsbac_enum_t rsbac_pm_target_int_t;
++
++union  rsbac_pm_target_id_t
++       {
++          rsbac_pm_task_id_t          task;
++          rsbac_pm_object_class_id_t  object_class;
++          struct rsbac_pm_na_id_t     na;
++          struct rsbac_pm_cs_id_t     cs;
++          rsbac_pm_tp_id_t            tp;
++          rsbac_pm_purpose_id_t       pp;
++          rsbac_pm_tkt_id_t           tkt;
++          int                         dummy;
++       };
++
++enum   rsbac_pm_data_t
++       {                  PD_purpose,
++                          PD_tp_set,
++                          PD_ru_set,
++                          PD_pp_set,
++                          PD_task,
++                          PD_class,
++                          PD_tp,
++                          PD_accesses,
++                          PD_file,
++                          PD_issuer,
++                          PD_function_type,
++                          PD_function_param,
++                          PD_valid_until,
++                          PD_def_class,
++                          PD_none
++       };
++typedef rsbac_enum_t rsbac_pm_data_int_t;
++
++union  rsbac_pm_data_value_t
++       {
++          rsbac_pm_purpose_id_t         purpose;
++          rsbac_pm_tp_set_id_t          tp_set;
++          rsbac_pm_ru_set_id_t          ru_set;
++          rsbac_pm_pp_set_id_t          pp_set;
++          rsbac_pm_task_id_t            task;
++          rsbac_pm_object_class_id_t    object_class;
++          rsbac_pm_tp_id_t              tp;
++          rsbac_pm_accesses_t           accesses;
++          struct rsbac_fs_file_t        file;
++          rsbac_uid_t                   issuer;
++          enum   rsbac_pm_tkt_function_type_t   function_type;
++          union  rsbac_pm_tkt_internal_function_param_t  function_param;
++          rsbac_pm_time_stamp_t         valid_until;
++          rsbac_pm_object_class_id_t    def_class;
++          int                           dummy;
++       };
++
++
++union  rsbac_pm_all_data_value_t
++       {
++          struct rsbac_pm_task_data_t   task;
++          struct rsbac_pm_class_data_t  object_class;
++          struct rsbac_pm_na_data_t     na;
++          struct rsbac_pm_cs_data_t     cs;
++          struct rsbac_pm_tp_data_t     tp;
++          struct rsbac_pm_pp_data_t     pp;
++          struct rsbac_pm_tkt_data_t    tkt;
++          int                           dummy;
++       };
++#endif
++
++#endif
+diff --git a/include/rsbac/proc_fs.h b/include/rsbac/proc_fs.h
+new file mode 100644
+index 0000000..8b1e39b
+--- /dev/null
++++ b/include/rsbac/proc_fs.h
+@@ -0,0 +1,20 @@
++/************************************* */
++/* Rule Set Based Access Control       */
++/* Author and (c) 1999-2001: Amon Ott  */
++/* proc fs functions                   */
++/* Last modified: 17/Jul/2001          */
++/************************************* */
++
++#ifndef __RSBAC_PROC_FS_H
++#define __RSBAC_PROC_FS_H
++
++#include <linux/proc_fs.h>
++
++#ifndef PROC_BLOCK_SIZE
++#define PROC_BLOCK_SIZE	(3*1024)  /* 4K page size but our output routines use some slack for overruns */
++#endif
++
++extern struct proc_dir_entry * proc_rsbac_root_p;
++extern struct proc_dir_entry * proc_rsbac_backup_p;
++
++#endif
+diff --git a/include/rsbac/rc.h b/include/rsbac/rc.h
+new file mode 100644
+index 0000000..8efdbbb
+--- /dev/null
++++ b/include/rsbac/rc.h
+@@ -0,0 +1,104 @@
++/******************************* */
++/* Rule Set Based Access Control */
++/* Author and (c) 1999-2009:     */
++/*   Amon Ott <ao@...>     */
++/* API: Data structures          */
++/* and functions for Access      */
++/* Control Information / RC      */
++/* Last modified: 15/Oct/2009    */
++/******************************* */
++
++#ifndef __RSBAC_RC_H
++#define __RSBAC_RC_H
++
++#include <linux/init.h>
++#include <rsbac/rc_types.h>
++
++/***************************************************/
++/*               General Prototypes                */
++/***************************************************/
++
++/* All functions return 0, if no error occurred, and a negative error code  */
++/* otherwise. The error codes are defined in rsbac_error.h.                 */
++
++/****************************************************************************/
++/* Initialization, including ACI restoration for all mounted devices from   */
++/* disk. After this call, all ACI is kept in memory for performance reasons.*/
++
++#ifdef CONFIG_RSBAC_INIT_DELAY
++int rsbac_init_rc(void);
++#else
++int rsbac_init_rc(void) __init;
++#endif
++
++/* Find the boot role */
++#ifdef CONFIG_RSBAC_INIT_DELAY
++int rsbac_rc_get_boot_role(rsbac_rc_role_id_t * role_p);
++#else
++int rsbac_rc_get_boot_role(rsbac_rc_role_id_t * role_p) __init;
++#endif
++
++/* Some information about the current status is also available              */
++
++int rsbac_stats_rc(void);
++
++/************************************************* */
++/*               Access functions                  */
++/************************************************* */
++
++/* All these procedures handle the spinlocks to protect the targets during  */
++/* access.                                                                  */
++
++/* All roles are always there, so instead of creation, we supply a copy for */
++/* initialization. There is always the well-defined role general to copy    */
++int rsbac_rc_copy_role(rsbac_list_ta_number_t ta_number,
++		       rsbac_rc_role_id_t from_role,
++		       rsbac_rc_role_id_t to_role);
++
++int rsbac_rc_copy_type(rsbac_list_ta_number_t ta_number,
++		       enum rsbac_rc_target_t target,
++		       rsbac_rc_type_id_t from_type,
++		       rsbac_rc_type_id_t to_type);
++
++/* Getting item values */
++int rsbac_rc_get_item(rsbac_list_ta_number_t ta_number,
++		      enum rsbac_rc_target_t target,
++		      union rsbac_rc_target_id_t tid,
++		      union rsbac_rc_target_id_t subtid,
++		      enum rsbac_rc_item_t item,
++		      union rsbac_rc_item_value_t *value_p,
++		      rsbac_time_t * ttl_p);
++
++/* Setting item values */
++int rsbac_rc_set_item(rsbac_list_ta_number_t ta_number,
++		      enum rsbac_rc_target_t target,
++		      union rsbac_rc_target_id_t tid,
++		      union rsbac_rc_target_id_t subtid,
++		      enum rsbac_rc_item_t item,
++		      union rsbac_rc_item_value_t value, rsbac_time_t ttl);
++
++/* Checking role's compatibility */
++rsbac_boolean_t rsbac_rc_check_comp(rsbac_rc_role_id_t role,
++				    union rsbac_rc_target_id_t subtid,
++				    enum rsbac_rc_item_t item,
++				    enum rsbac_rc_special_rights_t right);
++
++/* Checking whether role exists */
++rsbac_boolean_t rsbac_rc_role_exists(rsbac_list_ta_number_t ta_number,
++				     rsbac_rc_role_id_t role);
++
++rsbac_boolean_t rsbac_rc_type_exists(rsbac_list_ta_number_t ta_number,
++				     enum rsbac_target_t target,
++				     rsbac_rc_type_id_t type);
++
++/* Get list of defined items. Returns number or negative error.
++ * Allocates array via rsbac_kmalloc, if number > 0 - rsbac_kfree after use! */
++int rsbac_rc_get_list(rsbac_list_ta_number_t ta_number,
++		      enum rsbac_rc_target_t target,
++		      union rsbac_rc_target_id_t tid,
++		      enum rsbac_rc_item_t item,
++		      __u32 ** array_pp, rsbac_time_t ** ttl_array_pp);
++
++int rsbac_rc_select_fd_create_type(rsbac_rc_type_id_t type);
++
++#endif
+diff --git a/include/rsbac/rc_data_structures.h b/include/rsbac/rc_data_structures.h
+new file mode 100644
+index 0000000..a297b16
+--- /dev/null
++++ b/include/rsbac/rc_data_structures.h
+@@ -0,0 +1,352 @@
++/*********************************/
++/* Rule Set Based Access Control */
++/* Author and (c) 1999-2005:     */
++/*   Amon Ott <ao@...>     */
++/* Data structures for Role      */
++/* Compatibility module          */
++/* Last modified: 21/Dec/2005    */
++/*********************************/
++
++
++#ifndef __RSBAC_RC_DATA_STRUC_H
++#define __RSBAC_RC_DATA_STRUC_H
++
++#ifdef __KERNEL__		/* only include in kernel code */
++#include <linux/types.h>
++#include <rsbac/types.h>
++#endif				/* __KERNEL__ */
++
++/* First of all we define dirname and filenames for saving the roles to disk. */
++/* The path must be a valid single dir name! Each mounted device gets its    */
++/* own file set, residing in 'DEVICE_ROOT/RSBAC_ACI_PATH/'.                  */
++/* All user access to these files will be denied.                            */
++/* Backups are kept in FILENAMEb.                                            */
++
++#ifdef __KERNEL__
++#define RSBAC_RC_LIST_KEY 77788855
++
++#define RSBAC_RC_NR_ROLE_LISTS 4
++#define RSBAC_RC_NR_TYPE_LISTS 4
++
++/* roles */
++#define RSBAC_RC_ROLE_FILENAME "rc_r"
++
++/* roles we are compatible with ( = we can change to) */
++#define RSBAC_RC_ROLE_RC_FILENAME "rc_rc"
++
++/* roles we may administrate (replaces admin_type) */
++#define RSBAC_RC_ROLE_ADR_FILENAME "rc_adr"
++
++/* roles we may read and assign to users, if they were in one of these before. */
++#define RSBAC_RC_ROLE_ASR_FILENAME "rc_asr"
++
++/* file/dir/fifo/symlink types for new items, by parent efftype */
++/* If not found, use old global value def_fd_create_type */
++#define RSBAC_RC_ROLE_DFDC_FILENAME "rc_dfdc"
++
++/* file/dir/fifo/symlink types and requests we are compatible with */
++#define RSBAC_RC_ROLE_TCFD_FILENAME "rc_tcfd"
++
++/* dev types and requests we are compatible with */
++#define RSBAC_RC_ROLE_TCDV_FILENAME "rc_tcdv"
++
++/* user types and requests we are compatible with */
++#define RSBAC_RC_ROLE_TCUS_FILENAME "rc_tcus"
++
++/* process types and requests we are compatible with */
++#define RSBAC_RC_ROLE_TCPR_FILENAME "rc_tcpr"
++
++/* IPC types and requests we are compatible with */
++#define RSBAC_RC_ROLE_TCIP_FILENAME "rc_tcip"
++
++/* SCD types and requests we are compatible with */
++#define RSBAC_RC_ROLE_TCSC_FILENAME "rc_tcsc"
++
++/* group types and requests we are compatible with */
++#define RSBAC_RC_ROLE_TCGR_FILENAME "rc_tcgr"
++
++/* NETDEV types and requests we are compatible with */
++#define RSBAC_RC_ROLE_TCND_FILENAME "rc_tcnd"
++
++/* NETTEMP types and requests we are compatible with */
++#define RSBAC_RC_ROLE_TCNT_FILENAME "rc_tcnt"
++
++/* NETOBJ types and requests we are compatible with */
++#define RSBAC_RC_ROLE_TCNO_FILENAME "rc_tcno"
++
++#define RSBAC_RC_ROLE_LIST_VERSION 5
++#define RSBAC_RC_ROLE_OLD_LIST_VERSION 4
++#define RSBAC_RC_ROLE_OLD_OLD_LIST_VERSION 3
++#define RSBAC_RC_ROLE_OLD_OLD_OLD_LIST_VERSION 2
++#define RSBAC_RC_ROLE_OLD_OLD_OLD_OLD_LIST_VERSION 1
++#define RSBAC_RC_ROLE_RC_LIST_VERSION 1
++#define RSBAC_RC_ROLE_ADR_LIST_VERSION 1
++#define RSBAC_RC_ROLE_ASR_LIST_VERSION 1
++#define RSBAC_RC_ROLE_DFDC_LIST_VERSION 1
++#define RSBAC_RC_ROLE_TCFD_LIST_VERSION 2
++#define RSBAC_RC_ROLE_TCDV_LIST_VERSION 2
++#define RSBAC_RC_ROLE_TCUS_LIST_VERSION 2
++#define RSBAC_RC_ROLE_TCPR_LIST_VERSION 2
++#define RSBAC_RC_ROLE_TCIP_LIST_VERSION 2
++#define RSBAC_RC_ROLE_TCSC_LIST_VERSION 2
++#define RSBAC_RC_ROLE_TCGR_LIST_VERSION 2
++#define RSBAC_RC_ROLE_TCND_LIST_VERSION 2
++#define RSBAC_RC_ROLE_TCNT_LIST_VERSION 2
++#define RSBAC_RC_ROLE_TCNO_LIST_VERSION 2
++#define RSBAC_RC_ROLE_TCFD_OLD_LIST_VERSION 1
++#define RSBAC_RC_ROLE_TCDV_OLD_LIST_VERSION 1
++#define RSBAC_RC_ROLE_TCUS_OLD_LIST_VERSION 1
++#define RSBAC_RC_ROLE_TCPR_OLD_LIST_VERSION 1
++#define RSBAC_RC_ROLE_TCIP_OLD_LIST_VERSION 1
++#define RSBAC_RC_ROLE_TCSC_OLD_LIST_VERSION 1
++#define RSBAC_RC_ROLE_TCGR_OLD_LIST_VERSION 1
++#define RSBAC_RC_ROLE_TCND_OLD_LIST_VERSION 1
++#define RSBAC_RC_ROLE_TCNT_OLD_LIST_VERSION 1
++#define RSBAC_RC_ROLE_TCNO_OLD_LIST_VERSION 1
++
++#define RSBAC_RC_TYPE_FD_FILENAME "rc_tfd"
++#define RSBAC_RC_TYPE_DEV_FILENAME "rc_tdv"
++#define RSBAC_RC_TYPE_IPC_FILENAME "rc_tip"
++#define RSBAC_RC_TYPE_USER_FILENAME "rc_tus"
++#define RSBAC_RC_TYPE_PROCESS_FILENAME "rc_tpr"
++#define RSBAC_RC_TYPE_GROUP_FILENAME "rc_tgr"
++#define RSBAC_RC_TYPE_NETDEV_FILENAME "rc_tnd"
++#define RSBAC_RC_TYPE_NETTEMP_FILENAME "rc_tnt"
++#define RSBAC_RC_TYPE_NETOBJ_FILENAME "rc_tno"
++
++#define RSBAC_RC_TYPE_FD_LIST_VERSION 1
++#define RSBAC_RC_TYPE_DEV_LIST_VERSION 1
++#define RSBAC_RC_TYPE_IPC_LIST_VERSION 1
++#define RSBAC_RC_TYPE_USER_LIST_VERSION 1
++#define RSBAC_RC_TYPE_PROCESS_LIST_VERSION 1
++#define RSBAC_RC_TYPE_GROUP_LIST_VERSION 1
++#define RSBAC_RC_TYPE_NETDEV_LIST_VERSION 1
++#define RSBAC_RC_TYPE_NETTEMP_LIST_VERSION 1
++#define RSBAC_RC_TYPE_NETOBJ_LIST_VERSION 1
++#endif				/* __KERNEL__ */
++
++/*
++ * The following structures provide the role model data structures.
++ * All RSBAC_RC_NR_ROLES roles and RSBAC_RC_NR_TYPES x target-no. types
++ * and SCD-type definitions are kept in arrays and saved to disk as such.
++ */
++
++/***************************************
++ *               Roles                 *
++ ***************************************/
++
++/* Caution: whenever role struct changes, version and old_version must be increased! */
++
++struct rsbac_rc_role_entry_t {
++	rsbac_enum_t admin_type;	/* role admin: none, system or role admin? */
++	char name[RSBAC_RC_NAME_LEN];
++	rsbac_rc_type_id_t def_fd_create_type;
++	rsbac_rc_type_id_t def_user_create_type;
++	rsbac_rc_type_id_t def_process_create_type;
++	rsbac_rc_type_id_t def_process_chown_type;
++	rsbac_rc_type_id_t def_process_execute_type;
++	rsbac_rc_type_id_t def_ipc_create_type;
++	rsbac_rc_type_id_t def_group_create_type;
++	rsbac_rc_type_id_t def_unixsock_create_type;
++	rsbac_enum_t boot_role;
++	rsbac_enum_t req_reauth;
++};
++
++struct rsbac_rc_old_role_entry_t {
++	rsbac_enum_t admin_type;	/* role admin: none, system or role admin? */
++	char name[RSBAC_RC_NAME_LEN];
++	rsbac_rc_type_id_t def_fd_create_type;
++	rsbac_rc_type_id_t def_user_create_type;
++	rsbac_rc_type_id_t def_process_create_type;
++	rsbac_rc_type_id_t def_process_chown_type;
++	rsbac_rc_type_id_t def_process_execute_type;
++	rsbac_rc_type_id_t def_ipc_create_type;
++	rsbac_rc_type_id_t def_group_create_type;
++	rsbac_enum_t boot_role;
++	rsbac_enum_t req_reauth;
++};
++
++struct rsbac_rc_old_old_role_entry_t {
++	rsbac_enum_t admin_type;	/* role admin: none, system or role admin? */
++	char name[RSBAC_RC_NAME_LEN];
++	rsbac_rc_type_id_t def_fd_create_type;
++	rsbac_rc_type_id_t def_user_create_type;
++	rsbac_rc_type_id_t def_process_create_type;
++	rsbac_rc_type_id_t def_process_chown_type;
++	rsbac_rc_type_id_t def_process_execute_type;
++	rsbac_rc_type_id_t def_ipc_create_type;
++	rsbac_rc_type_id_t def_group_create_type;
++	rsbac_enum_t boot_role;
++};
++
++struct rsbac_rc_old_old_old_role_entry_t {
++	rsbac_enum_t admin_type;	/* role admin: none, system or role admin? */
++	char name[RSBAC_RC_NAME_LEN];
++	rsbac_rc_type_id_t def_fd_create_type;
++	rsbac_rc_type_id_t def_user_create_type;
++	rsbac_rc_type_id_t def_process_create_type;
++	rsbac_rc_type_id_t def_process_chown_type;
++	rsbac_rc_type_id_t def_process_execute_type;
++	rsbac_rc_type_id_t def_ipc_create_type;
++	rsbac_enum_t boot_role;
++};
++
++struct rsbac_rc_old_old_old_old_role_entry_t {
++	rsbac_enum_t admin_type;	/* role admin: none, system or role admin? */
++	char name[RSBAC_RC_NAME_LEN];
++	rsbac_rc_type_id_t def_fd_create_type;
++	rsbac_rc_type_id_t def_process_create_type;
++	rsbac_rc_type_id_t def_process_chown_type;
++	rsbac_rc_type_id_t def_process_execute_type;
++	rsbac_rc_type_id_t def_ipc_create_type;
++};
++
++#define RSBAC_RC_NR_ROLE_ENTRY_ITEMS 25
++#define RSBAC_RC_ROLE_ENTRY_ITEM_LIST { \
++      RI_role_comp, \
++      RI_admin_roles, \
++      RI_assign_roles, \
++      RI_type_comp_fd, \
++      RI_type_comp_dev, \
++      RI_type_comp_user, \
++      RI_type_comp_process, \
++      RI_type_comp_ipc, \
++      RI_type_comp_scd, \
++      RI_type_comp_group, \
++      RI_type_comp_netdev, \
++      RI_type_comp_nettemp, \
++      RI_type_comp_netobj, \
++      RI_admin_type, \
++      RI_name, \
++      RI_def_fd_create_type, \
++      RI_def_fd_ind_create_type, \
++      RI_def_user_create_type, \
++      RI_def_process_create_type, \
++      RI_def_process_chown_type, \
++      RI_def_process_execute_type, \
++      RI_def_ipc_create_type, \
++      RI_def_group_create_type, \
++      RI_boot_role, \
++      RI_req_reauth \
++      }
++
++/***************************************
++ *             Type names              *
++ ***************************************/
++
++/* Caution: whenever role struct changes, version and old_version must be increased! */
++
++/* #define RSBAC_RC_OLD_TYPE_VERSION 1 */
++#define RSBAC_RC_TYPE_VERSION 1
++
++struct rsbac_rc_type_fd_entry_t {
++	char name[RSBAC_RC_NAME_LEN];
++	__u8 need_secdel;	/* rsbac_boolean_t */
++};
++
++#define RSBAC_RC_NR_TYPE_ENTRY_ITEMS 10
++#define RSBAC_RC_TYPE_ENTRY_ITEM_LIST { \
++      RI_type_fd_name, \
++      RI_type_dev_name, \
++      RI_type_ipc_name, \
++      RI_type_scd_name, \
++      RI_type_process_name, \
++      RI_type_group_name, \
++      RI_type_netdev_name, \
++      RI_type_nettemp_name, \
++      RI_type_netobj_name, \
++      RI_type_fd_need_secdel \
++      }
++
++/**********************************************/
++/*              Default values                */
++/**********************************************/
++
++#define RSBAC_RC_GENERAL_ROLE_ENTRY \
++    { \
++      .admin_type = RC_no_admin, \
++      .name = "General User", \
++      .def_fd_create_type = RC_type_inherit_parent, \
++      .def_user_create_type = RSBAC_RC_GENERAL_TYPE, \
++      .def_process_create_type = RC_type_inherit_parent, \
++      .def_process_chown_type = RC_type_use_new_role_def_create, \
++      .def_process_execute_type = RC_type_inherit_parent, \
++      .def_ipc_create_type = RSBAC_RC_GENERAL_TYPE, \
++      .def_group_create_type = RSBAC_RC_GENERAL_TYPE, \
++      .def_unixsock_create_type = RC_type_use_fd, \
++      .boot_role = FALSE, \
++      .req_reauth = FALSE, \
++    }
++
++#define RSBAC_RC_ROLE_ADMIN_ROLE_ENTRY \
++    { \
++      .admin_type = RC_role_admin, \
++      .name = "Role Admin", \
++      .def_fd_create_type = RC_type_inherit_parent, \
++      .def_user_create_type = RSBAC_RC_GENERAL_TYPE, \
++      .def_process_create_type = RC_type_inherit_parent, \
++      .def_process_chown_type = RC_type_use_new_role_def_create, \
++      .def_process_execute_type = RC_type_inherit_parent, \
++      .def_ipc_create_type = RSBAC_RC_GENERAL_TYPE, \
++      .def_group_create_type = RSBAC_RC_GENERAL_TYPE, \
++      .def_unixsock_create_type = RC_type_use_fd, \
++      .boot_role = FALSE, \
++      .req_reauth = FALSE, \
++    }
++
++#define RSBAC_RC_SYSTEM_ADMIN_ROLE_ENTRY \
++    { \
++      .admin_type = RC_system_admin, \
++      .name = "System Admin", \
++      .def_fd_create_type = RC_type_inherit_parent, \
++      .def_user_create_type = RSBAC_RC_GENERAL_TYPE, \
++      .def_process_create_type = RC_type_inherit_parent, \
++      .def_process_chown_type = RC_type_use_new_role_def_create, \
++      .def_process_execute_type = RC_type_inherit_parent, \
++      .def_ipc_create_type = RSBAC_RC_GENERAL_TYPE, \
++      .def_group_create_type = RSBAC_RC_GENERAL_TYPE, \
++      .def_unixsock_create_type = RC_type_use_fd, \
++      .boot_role = FALSE, \
++      .req_reauth = FALSE, \
++    }
++
++#define RSBAC_RC_BOOT_ROLE_ENTRY \
++    { \
++      .admin_type = RC_no_admin, \
++      .name = "System Boot", \
++      .def_fd_create_type = RC_type_inherit_parent, \
++      .def_user_create_type = RSBAC_RC_GENERAL_TYPE, \
++      .def_process_create_type = RC_type_inherit_parent, \
++      .def_process_chown_type = RC_type_use_new_role_def_create, \
++      .def_process_execute_type = RC_type_inherit_parent, \
++      .def_ipc_create_type = RSBAC_RC_GENERAL_TYPE, \
++      .def_group_create_type = RSBAC_RC_GENERAL_TYPE, \
++      .def_unixsock_create_type = RC_type_use_fd, \
++      .boot_role = TRUE, \
++      .req_reauth = FALSE, \
++    }
++
++#define RSBAC_RC_AUDITOR_ROLE_ENTRY \
++    { \
++      .admin_type = RC_no_admin, \
++      .name = "Auditor", \
++      .def_fd_create_type = RC_type_inherit_parent, \
++      .def_user_create_type = RSBAC_RC_GENERAL_TYPE, \
++      .def_process_create_type = RC_type_inherit_parent, \
++      .def_process_chown_type = RC_type_use_new_role_def_create, \
++      .def_process_execute_type = RC_type_inherit_parent, \
++      .def_ipc_create_type = RSBAC_RC_GENERAL_TYPE, \
++      .def_group_create_type = RSBAC_RC_GENERAL_TYPE, \
++      .def_unixsock_create_type = RC_type_use_fd, \
++      .boot_role = FALSE, \
++      .req_reauth = FALSE, \
++    }
++
++/**********************************************/
++/*              Declarations                  */
++/**********************************************/
++
++#ifdef __KERNEL__
++#endif				/* __KERNEL__ */
++
++#endif				/* __RSBAC_RC_DATA_STRUC_H */
+diff --git a/include/rsbac/rc_getname.h b/include/rsbac/rc_getname.h
+new file mode 100644
+index 0000000..562fa20
+--- /dev/null
++++ b/include/rsbac/rc_getname.h
+@@ -0,0 +1,44 @@
++/******************************** */
++/* Rule Set Based Access Control  */
++/* Author and (c) 1999: Amon Ott  */
++/* Getname functions for RC parts */
++/* Last modified: 18/Jan/99       */
++/******************************** */
++
++#ifndef __RSBAC_RC_GETNAME_H
++#define __RSBAC_RC_GETNAME_H
++
++#include <rsbac/rc_types.h>
++
++#ifndef NULL
++#define NULL ((void *) 0)
++#endif
++
++char *get_rc_target_name(char *name, enum rsbac_rc_target_t value);
++
++enum rsbac_rc_target_t get_rc_target_nr(const char *name);
++
++char *get_rc_admin_name(char *name, enum rsbac_rc_admin_type_t value);
++
++enum rsbac_rc_admin_type_t get_rc_admin_nr(const char *name);
++
++char *get_rc_scd_type_name(char *name, enum rsbac_rc_scd_type_t value);
++
++enum rsbac_rc_scd_type_t get_rc_scd_type_nr(const char *name);
++
++char *get_rc_item_name(char *name, enum rsbac_rc_item_t value);
++
++enum rsbac_rc_item_t get_rc_item_nr(const char *name);
++
++#ifndef __KERNEL__
++char *get_rc_item_param(char *name, enum rsbac_rc_item_t value);
++#endif
++
++char *get_rc_special_right_name(char *name,
++				enum rsbac_rc_special_rights_t value);
++
++#ifndef __KERNEL__
++enum rsbac_rc_special_rights_t get_rc_special_right_nr(const char *name);
++#endif
++
++#endif
+diff --git a/include/rsbac/rc_types.h b/include/rsbac/rc_types.h
+new file mode 100644
+index 0000000..c8207fe
+--- /dev/null
++++ b/include/rsbac/rc_types.h
+@@ -0,0 +1,376 @@
++/************************************ */
++/* Rule Set Based Access Control      */
++/* Author and (c) 1999-2005: Amon Ott */
++/* API: Data types for                */
++/*    Role Compatibility Module       */
++/* Last modified: 21/Dec/2005         */
++/************************************ */
++
++#ifndef __RSBAC_RC_TYPES_H
++#define __RSBAC_RC_TYPES_H
++
++#include <linux/types.h>
++
++/***** RC *****/
++
++#define RSBAC_RC_GENERAL_ROLE 0
++#define RSBAC_RC_ROLE_ADMIN_ROLE 1
++#define RSBAC_RC_SYSTEM_ADMIN_ROLE 2
++#define RSBAC_RC_AUDITOR_ROLE 3
++#define RSBAC_RC_BOOT_ROLE 999999
++#define RSBAC_RC_GENERAL_TYPE 0
++#define RSBAC_RC_SEC_TYPE 1
++#define RSBAC_RC_SYS_TYPE 2
++#define RSBAC_RC_KERNEL_P_TYPE 999999
++
++#define RSBAC_RC_NAME_LEN 16
++#define RSBAC_RC_ALL_REQUESTS ((rsbac_rc_request_vector_t) -1)
++
++#define RSBAC_RC_OLD_SPECIAL_RIGHT_BASE 48
++#define RSBAC_RC_SPECIAL_RIGHT_BASE 56
++
++enum rsbac_rc_special_rights_t { RCR_ADMIN = RSBAC_RC_SPECIAL_RIGHT_BASE,
++	RCR_ASSIGN,
++	RCR_ACCESS_CONTROL,
++	RCR_SUPERVISOR,
++	RCR_MODIFY_AUTH,
++	RCR_CHANGE_AUTHED_OWNER,
++	RCR_SELECT,
++	RCR_NONE
++};
++
++typedef __u64 rsbac_rc_rights_vector_t;
++
++/* backwards compatibility only! */
++typedef __u64 rsbac_rc_role_vector_t;
++
++#define RSBAC_RC_RIGHTS_VECTOR(x) ((rsbac_rc_rights_vector_t) 1 << (x))
++#define RSBAC_RC_ROLE_VECTOR(x) ((rsbac_rc_role_vector_t) 1 << (x))
++#define RSBAC_RC_TYPE_VECTOR(x) ((rsbac_rc_type_vector_t) 1 << (x))
++
++#define RSBAC_RC_SPECIAL_RIGHTS_VECTOR (\
++  RSBAC_RC_RIGHTS_VECTOR(RCR_ADMIN) | \
++  RSBAC_RC_RIGHTS_VECTOR(RCR_ASSIGN) | \
++  RSBAC_RC_RIGHTS_VECTOR(RCR_ACCESS_CONTROL) | \
++  RSBAC_RC_RIGHTS_VECTOR(RCR_SUPERVISOR) | \
++  RSBAC_RC_RIGHTS_VECTOR(RCR_MODIFY_AUTH) | \
++  RSBAC_RC_RIGHTS_VECTOR(RCR_CHANGE_AUTHED_OWNER) | \
++  RSBAC_RC_RIGHTS_VECTOR(RCR_SELECT) \
++  )
++
++#define RSBAC_RC_SUPERVISOR_RIGHT_VECTOR (\
++    RSBAC_RC_RIGHTS_VECTOR(RCR_SUPERVISOR) | \
++  )
++
++#define RSBAC_RC_ALL_RIGHTS_VECTOR (RSBAC_ALL_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR)
++
++#define RSBAC_RC_PROCESS_RIGHTS_VECTOR (RSBAC_PROCESS_REQUEST_VECTOR | \
++  RSBAC_RC_RIGHTS_VECTOR(R_CONNECT) | \
++  RSBAC_RC_RIGHTS_VECTOR(R_ACCEPT) | \
++  RSBAC_RC_RIGHTS_VECTOR(R_SEND) | \
++  RSBAC_RC_RIGHTS_VECTOR(R_RECEIVE) \
++)
++
++#define RSBAC_RC_DEFAULT_RIGHTS_VECTOR 0
++
++#define RSBAC_RC_GEN_RIGHTS_VECTOR RSBAC_RC_DEFAULT_RIGHTS_VECTOR
++
++typedef __u32 rsbac_rc_role_id_t;
++typedef __u32 rsbac_rc_type_id_t;
++typedef rsbac_request_vector_t rsbac_rc_request_vector_t;
++
++enum rsbac_rc_admin_type_t { RC_no_admin, RC_role_admin, RC_system_admin,
++	    RC_none };
++
++/*
++ * System Control Types, including general SCD types
++ * (start at 32 to allow future SCD types, max is 63)
++ */
++#define RST_min 32
++enum rsbac_rc_scd_type_t { RST_auth_administration = RST_min,
++	RST_none
++};
++
++/* what should always be there to keep system functional */
++#ifdef CONFIG_RSBAC_USER_MOD_IOPERM
++#define RSBAC_RC_GENERAL_COMP_SCD { \
++                          0, \
++                          0, \
++                          0, \
++                          0, \
++         /* ST_ioports */ ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA), \
++         /* ST_rlimit */ RSBAC_REQUEST_VECTOR(GET_STATUS_DATA) | RSBAC_REQUEST_VECTOR(MODIFY_SYSTEM_DATA), \
++         /* ST_swap */              0, \
++         /* ST_syslog */            0, \
++         /* ST_rsbac */             0, \
++         /* ST_rsbac_log */         0, \
++         /* ST_other */             ( \
++                                       ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \
++                                    ), \
++         /* ST_kmem */              0, \
++         /* ST_network */           ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA), \
++         /* 13 = ST_none */         0 \
++          }
++#else
++#define RSBAC_RC_GENERAL_COMP_SCD { \
++                          0, \
++                          0, \
++                          0, \
++                          0, \
++                          0, \
++         /* ST_rlimit */ RSBAC_REQUEST_VECTOR(GET_STATUS_DATA) | RSBAC_REQUEST_VECTOR(MODIFY_SYSTEM_DATA), \
++         /* ST_swap */              0, \
++         /* ST_syslog */            0, \
++         /* ST_rsbac */             0, \
++         /* ST_rsbac_log */         0, \
++         /* ST_other */             ( \
++                                       ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \
++                                    ), \
++         /* ST_kmem */              0, \
++         /* ST_network */           ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA), \
++         /* ST_firewall */          0, \
++         /* ST_priority */          0, \
++         /* 15 = ST_none */         0 \
++          }
++#endif
++
++#define RSBAC_RC_ROLEADM_COMP_SCD { \
++         /* 0 = ST_time_structs */  0, \
++         /* ST_clock */             0, \
++         /* ST_host_id */           0, \
++         /* ST_net_id */            0, \
++         /* ST_ioports */           0, \
++         /* ST_rlimit */            RSBAC_SCD_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR, \
++         /* ST_swap */              0, \
++         /* ST_syslog */            0, \
++         /* ST_rsbac */             RSBAC_SCD_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR, \
++         /* ST_rsbac_log */         RSBAC_SCD_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR, \
++         /* ST_other */             ( \
++                                       ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \
++                                     | ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) \
++                                     | ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) \
++                                     | ((rsbac_request_vector_t) 1 << R_SWITCH_LOG) \
++                                     | ((rsbac_request_vector_t) 1 << R_SWITCH_MODULE) \
++                                    ) | RSBAC_RC_SPECIAL_RIGHTS_VECTOR, \
++         /* ST_kmem */              0, \
++         /* ST_network */           ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | RSBAC_RC_SPECIAL_RIGHTS_VECTOR, \
++         /* ST_firewall */          ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | RSBAC_RC_SPECIAL_RIGHTS_VECTOR, \
++         /* ST_nice */              0, \
++         /* 15 = ST_none */         0, \
++                                    0, \
++                                    0, \
++                                    0, \
++                                    0, \
++         /* 20 */                   0, \
++                                    0, \
++                                    0, \
++                                    0, \
++                                    0, \
++                                    0, \
++                                    0, \
++                                    0, \
++                                    0, \
++                                    0, \
++         /* 30 */                   0, \
++                                    0, \
++         /* 32 = RST_auth_admin */  RSBAC_SCD_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR, \
++         /* 33 = RST_none */        0 \
++          }
++
++#define RSBAC_RC_SYSADM_COMP_SCD { \
++         /* 0 = ST_time_structs */  RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
++         /* ST_clock */             RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
++         /* ST_host_id */           RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
++         /* ST_net_id */            RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
++         /* ST_ioports */           RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
++         /* ST_rlimit */            RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
++         /* ST_swap */              RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
++         /* ST_syslog */            RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
++         /* ST_rsbac */             RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
++         /* ST_rsbac_log */         0, \
++         /* ST_other */             ( \
++                                       ((rsbac_request_vector_t) 1 << R_ADD_TO_KERNEL) \
++                                     | ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) \
++                                     | ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \
++                                     | ((rsbac_request_vector_t) 1 << R_MOUNT) \
++                                     | ((rsbac_request_vector_t) 1 << R_REMOVE_FROM_KERNEL) \
++                                     | ((rsbac_request_vector_t) 1 << R_UMOUNT) \
++                                     | ((rsbac_request_vector_t) 1 << R_SHUTDOWN) \
++                                    ), \
++         /* ST_kmem */              RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
++         /* ST_network */           RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
++         /* ST_firewall */          RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
++         /* ST_priority */          RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
++         /* 15 = ST_none */         0, \
++                                    0, \
++                                    0, \
++                                    0, \
++                                    0, \
++         /* 20 */                   0, \
++                                    0, \
++                                    0, \
++                                    0, \
++                                    0, \
++                                    0, \
++                                    0, \
++                                    0, \
++                                    0, \
++                                    0, \
++         /* 30 */                   0, \
++                                    0, \
++         /* 32 = RST_auth_admin */  0, \
++         /* 33 = RST_none */        0 \
++          }
++#ifdef CONFIG_RSBAC_USER_MOD_IOPERM
++#define RSBAC_RC_AUDITOR_COMP_SCD { \
++                          0, \
++                          0, \
++                          0, \
++                          0, \
++         /* ST_ioports */ ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA), \
++         /* ST_rlimit */  RSBAC_REQUEST_VECTOR(GET_STATUS_DATA) | RSBAC_REQUEST_VECTOR(MODIFY_SYSTEM_DATA), \
++         /* ST_swap */              0, \
++         /* ST_syslog */            0, \
++         /* ST_rsbac */             0, \
++         /* ST_rsbac_log */         ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA), \
++         /* ST_other */             ( \
++                                       ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \
++                                    ), \
++         /* ST_kmem */              0, \
++         /* ST_network */           ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA), \
++         /* ST_firewall */          0, \
++         /* ST_priority */          0, \
++         /* 15 = ST_none */         0 \
++          }
++#else
++#define RSBAC_RC_AUDITOR_COMP_SCD { \
++                          0, \
++                          0, \
++                          0, \
++                          0, \
++                          0, \
++         /* ST_rlimit */  RSBAC_REQUEST_VECTOR(GET_STATUS_DATA) | RSBAC_REQUEST_VECTOR(MODIFY_SYSTEM_DATA), \
++         /* ST_swap */              0, \
++         /* ST_syslog */            0, \
++         /* ST_rsbac */             0, \
++         /* ST_rsbac_log */         ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA), \
++         /* ST_other */             ( \
++                                       ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \
++                                    ), \
++         /* ST_kmem */              0, \
++         /* ST_network */           ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA), \
++         /* ST_firewall */          0, \
++         /* ST_priority */          0, \
++         /* 15 = ST_none */         0 \
++          }
++#endif
++
++
++#define RC_type_inherit_process ((rsbac_rc_type_id_t) -1)
++#define RC_type_inherit_parent ((rsbac_rc_type_id_t) -2)
++#define RC_type_no_create ((rsbac_rc_type_id_t) -3)
++#define RC_type_no_execute ((rsbac_rc_type_id_t) -4)
++#define RC_type_use_new_role_def_create ((rsbac_rc_type_id_t) -5)	/* for process chown (setuid) */
++#define RC_type_no_chown ((rsbac_rc_type_id_t) -6)
++#define RC_type_use_fd ((rsbac_rc_type_id_t) -7)
++#define RC_type_min_special ((rsbac_rc_type_id_t) -7)
++#define RC_type_max_value ((rsbac_rc_type_id_t) -32)
++
++#define RC_role_inherit_user ((rsbac_rc_role_id_t) -1)
++#define RC_role_inherit_process ((rsbac_rc_role_id_t) -2)
++#define RC_role_inherit_parent ((rsbac_rc_role_id_t) -3)
++#define RC_role_inherit_up_mixed ((rsbac_rc_role_id_t) -4)
++#define RC_role_use_force_role ((rsbac_rc_role_id_t) -5)
++#define RC_role_min_special ((rsbac_rc_role_id_t) -5)
++#define RC_role_max_value ((rsbac_rc_role_id_t) -32)
++
++#define RC_default_force_role RC_role_inherit_parent
++#define RC_default_root_dir_force_role RC_role_inherit_up_mixed
++#define RC_default_init_force_role RC_role_inherit_user
++#define RC_default_initial_role RC_role_inherit_parent
++#define RC_default_root_dir_initial_role RC_role_use_force_role
++
++/****************************************************************************/
++/* RC ACI types                                                             */
++/****************************************************************************/
++
++enum rsbac_rc_target_t { RT_ROLE, RT_TYPE, RT_NONE };
++
++union rsbac_rc_target_id_t {
++	rsbac_rc_role_id_t role;
++	rsbac_rc_type_id_t type;
++};
++
++enum rsbac_rc_item_t { RI_role_comp,
++	RI_admin_roles,
++	RI_assign_roles,
++	RI_type_comp_fd,
++	RI_type_comp_dev,
++	RI_type_comp_user,
++	RI_type_comp_process,
++	RI_type_comp_ipc,
++	RI_type_comp_scd,
++	RI_type_comp_group,
++	RI_type_comp_netdev,
++	RI_type_comp_nettemp,
++	RI_type_comp_netobj,
++	RI_admin_type,
++	RI_name,
++	RI_def_fd_create_type,
++	RI_def_fd_ind_create_type,
++	RI_def_user_create_type,
++	RI_def_process_create_type,
++	RI_def_process_chown_type,
++	RI_def_process_execute_type,
++	RI_def_ipc_create_type,
++	RI_def_group_create_type,
++	RI_def_unixsock_create_type,
++	RI_boot_role,
++	RI_req_reauth,
++	RI_type_fd_name,
++	RI_type_dev_name,
++	RI_type_ipc_name,
++	RI_type_user_name,
++	RI_type_process_name,
++	RI_type_group_name,
++	RI_type_netdev_name,
++	RI_type_nettemp_name,
++	RI_type_netobj_name,
++	RI_type_fd_need_secdel,
++	RI_type_scd_name,	/* Pseudo, using get_rc_scd_name() */
++	RI_remove_role,
++	RI_def_fd_ind_create_type_remove,
++	RI_type_fd_remove,
++	RI_type_dev_remove,
++	RI_type_ipc_remove,
++	RI_type_user_remove,
++	RI_type_process_remove,
++	RI_type_group_remove,
++	RI_type_netdev_remove,
++	RI_type_nettemp_remove,
++	RI_type_netobj_remove,
++#ifdef __KERNEL__
++#endif
++	RI_none
++};
++
++union rsbac_rc_item_value_t {
++	rsbac_rc_rights_vector_t rights;
++	enum rsbac_rc_admin_type_t admin_type;
++	char name[RSBAC_RC_NAME_LEN];
++	rsbac_rc_role_id_t role_id;
++	rsbac_rc_type_id_t type_id;
++	rsbac_boolean_t need_secdel;
++	rsbac_boolean_t comp;
++	rsbac_boolean_t boot_role;
++	rsbac_boolean_t req_reauth;
++#ifdef __KERNEL__
++#endif
++	u_char u_char_dummy;
++	int dummy;
++	u_int u_dummy;
++	long long_dummy;
++	long long long_long_dummy;
++};
++
++#endif
+diff --git a/include/rsbac/reg.h b/include/rsbac/reg.h
+new file mode 100644
+index 0000000..cd276a5
+--- /dev/null
++++ b/include/rsbac/reg.h
+@@ -0,0 +1,152 @@
++/************************************ */
++/* Rule Set Based Access Control      */
++/* Author and (c) 1999-2012: Amon Ott */
++/* API: for REG                       */
++/*      Module Registration           */
++/* Last modified: 07/May/2012         */
++/************************************ */
++
++#ifndef __RSBAC_REG_H
++#define __RSBAC_REG_H
++
++#include <rsbac/types.h>
++#include <rsbac/debug.h>
++
++#define RSBAC_REG_VERSION 1
++
++/***************************************************/
++/*                   Types                         */
++/***************************************************/
++
++#define RSBAC_REG_NAME_LEN 30
++
++/* Decision function */
++typedef \
++  int rsbac_reg_request_func_t     ( enum  rsbac_adf_request_t,
++                                           rsbac_pid_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_attribute_t,
++                                     union rsbac_attribute_value_t,
++                                           rsbac_uid_t); /* process owner */
++
++/* Attribute setting / notification function */
++typedef \
++  int rsbac_reg_set_attr_func_t    ( enum  rsbac_adf_request_t,
++                                           rsbac_pid_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_target_t,
++                                     union rsbac_target_id_t,
++                                     enum  rsbac_attribute_t,
++                                     union rsbac_attribute_value_t,
++                                           rsbac_uid_t); /* process owner */
++
++/* Whether module wants this file to be overwritten on delete / truncate */
++typedef rsbac_boolean_t rsbac_reg_need_overwrite_func_t(struct dentry * dentry_p);
++
++/*
++ * rsbac_reg_write_func_t
++ *
++ * Called by rsbac_write function to save all dirty lists, must return number
++ * of files written or negative error. If auto_write is active, this function
++ * will be called regularly and allows for asynchronous data writing to disk.
++ *
++ * If need_lock is TRUE, a lock_kernel() / unlock_kernel() pair must be used
++ * around the write function.
++ */
++typedef int rsbac_reg_write_func_t(rsbac_boolean_t need_lock);
++
++/* Called on every mount, allows updating of fs based data */
++typedef int rsbac_reg_mount_func_t(kdev_t kdev);
++
++/* Called on every umount, allows updating of fs based data */
++typedef int rsbac_reg_umount_func_t(kdev_t kdev);
++
++/* Called on rsbac_reg syscalls for handle syscall_handle */
++/* Generic Syscall interface - note: data is a user space pointer! */
++typedef int rsbac_reg_syscall_func_t(void __user * data);
++
++/* Status and data structures integrity checking, called from sys_rsbac_check */
++/* correct: if TRUE, errors are corrected, else just report */
++/* check_inode: for inode number based data, check, if inode still exists */
++typedef int rsbac_reg_check_func_t(int correct, int check_inode);
++
++/*********/
++
++struct rsbac_reg_entry_t
++  {
++    rsbac_reg_handle_t                handle;
++    char                              name[RSBAC_REG_NAME_LEN+1];
++    rsbac_reg_request_func_t        * request_func;
++    rsbac_reg_set_attr_func_t       * set_attr_func;
++    rsbac_reg_need_overwrite_func_t * need_overwrite_func;
++    rsbac_reg_write_func_t          * write_func;
++    rsbac_reg_mount_func_t          * mount_func;
++    rsbac_reg_umount_func_t         * umount_func;
++    rsbac_reg_check_func_t          * check_func;
++    rsbac_boolean_t                           switch_on; /* turned on initially? */
++  };
++
++struct rsbac_reg_syscall_entry_t
++  {
++    rsbac_reg_handle_t                registration_handle;
++    rsbac_reg_handle_t                dispatcher_handle;
++    char                              name[RSBAC_REG_NAME_LEN+1];
++    rsbac_reg_syscall_func_t        * syscall_func;
++  };
++
++/***************************************************/
++/*                   Prototypes                    */
++/***************************************************/
++
++/* See rsbac/types.h for types */
++
++/*
++ * Register an ADF decision module
++ * Returns given positive handle or negative error code from rsbac/error.h
++ * Errors: -RSBAC_EINVALIDVALUE    (all functions are empty or handle is not positive)
++ *         -RSBAC_EEXISTS          (handle exists - choose another one)
++ *         -RSBAC_ECOULDNOTADDITEM (no entry available)
++ *         -RSBAC_EINVALIDVERSION  (wrong REG version)
++ */
++
++rsbac_reg_handle_t rsbac_reg_register(        rsbac_version_t    version,
++                                       struct rsbac_reg_entry_t  entry);
++
++/*
++ * Switch module on or off - for 'normal' modules this is done by general
++ * function. This is a dummy, if module switching is disabled.
++ * Returns 0 on success or -EINVALIDTARGET, if handle is invalid.
++ */
++
++int rsbac_reg_switch (rsbac_reg_handle_t handle, rsbac_boolean_t value);
++
++/*
++ * Unregister an ADF decision module
++ * Returns 0 on success or -EINVALIDTARGET, if handle is invalid.
++ */
++
++int rsbac_reg_unregister(rsbac_reg_handle_t handle);
++
++
++/*
++ * Register a system call
++ * Returns given positive handle or negative error code from rsbac/error.h
++ * Errors: -RSBAC_EINVALIDVALUE    (function is empty or handle is not positive)
++ *         -RSBAC_EEXISTS          (handle exists - choose another one)
++ *         -RSBAC_ECOULDNOTADDITEM (no entry available)
++ *         -RSBAC_EINVALIDVERSION  (wrong REG version)
++ */
++
++rsbac_reg_handle_t rsbac_reg_register_syscall(       rsbac_version_t            version,
++                                              struct rsbac_reg_syscall_entry_t  entry);
++
++/*
++ * Unregister a system call
++ * Returns 0 on success or -EINVALIDTARGET, if handle is invalid.
++ */
++
++int rsbac_reg_unregister_syscall(rsbac_reg_handle_t handle);
++
++#endif
+diff --git a/include/rsbac/reg_main.h b/include/rsbac/reg_main.h
+new file mode 100644
+index 0000000..c6fe1c4
+--- /dev/null
++++ b/include/rsbac/reg_main.h
+@@ -0,0 +1,70 @@
++/************************************ */
++/* Rule Set Based Access Control      */
++/* Author and (c) 1999-2005: Amon Ott */
++/* REG - Module Registration          */
++/* Internal declarations and types    */
++/* Last modified: 22/Jul/2005         */
++/************************************ */
++
++#ifndef __RSBAC_REG_MAIN_H
++#define __RSBAC_REG_MAIN_H
++
++#include <rsbac/types.h>
++#include <rsbac/debug.h>
++#include <rsbac/reg.h>
++
++#define RSBAC_REG_PROC_NAME "reg_entries"
++
++/***************************************************/
++/*                   Types                         */
++/***************************************************/
++
++#ifdef __KERNEL__
++
++/* Since all registrations will be organized in double linked lists, we must  */
++/* have list items and a list head.                                        */
++
++struct rsbac_reg_list_item_t
++    {
++      struct rsbac_reg_entry_t       entry;
++      struct rsbac_reg_list_item_t * prev;
++      struct rsbac_reg_list_item_t * next;
++    };
++    
++struct rsbac_reg_sc_list_item_t
++    {
++      struct rsbac_reg_syscall_entry_t  entry;
++      struct rsbac_reg_sc_list_item_t * prev;
++      struct rsbac_reg_sc_list_item_t * next;
++    };
++    
++/* To provide consistency we use spinlocks for all list accesses. The     */
++/* 'curr' entry is used to avoid repeated lookups for the same item.       */    
++    
++struct rsbac_reg_list_head_t
++    {
++      struct rsbac_reg_list_item_t * head;
++      struct rsbac_reg_list_item_t * tail;
++      struct rsbac_reg_list_item_t * curr;
++      spinlock_t                     lock;
++      int                            readers;
++      u_int                          count;
++    };
++
++struct rsbac_reg_sc_list_head_t
++    {
++      struct rsbac_reg_sc_list_item_t * head;
++      struct rsbac_reg_sc_list_item_t * tail;
++      struct rsbac_reg_sc_list_item_t * curr;
++      spinlock_t                        lock;
++      int                               readers;
++      u_int                             count;
++    };
++
++#endif /* __KERNEL__ */
++
++/***************************************************/
++/*                   Prototypes                    */
++/***************************************************/
++
++#endif
+diff --git a/include/rsbac/repl_lists.h b/include/rsbac/repl_lists.h
+new file mode 100644
+index 0000000..a377685
+--- /dev/null
++++ b/include/rsbac/repl_lists.h
+@@ -0,0 +1,18 @@
++/*************************************************** */
++/* Rule Set Based Access Control                     */
++/* Author and (c) 1999-2005: Amon Ott <ao@...> */
++/* Generic lists - internal structures               */
++/* Last modified: 04/Apr/2005                        */
++/*************************************************** */
++
++#ifndef __RSBAC_REPL_LISTS_H
++#define __RSBAC_REPL_LISTS_H
++
++#include <rsbac/repl_types.h>
++
++#define RSBAC_LIST_REPL_PROC_NAME "repl_lists"
++#define RSBAC_LIST_REPL_PARTNER_VERSION 1
++#define RSBAC_LIST_REPL_PARTNER_KEY 0x3632f7ae
++#define RSBAC_LIST_REPL_PARTNER_FILENAME "replpar"
++
++#endif
+diff --git a/include/rsbac/repl_types.h b/include/rsbac/repl_types.h
+new file mode 100644
+index 0000000..860d258
+--- /dev/null
++++ b/include/rsbac/repl_types.h
+@@ -0,0 +1,28 @@
++/*************************************************** */
++/* Rule Set Based Access Control                     */
++/* Author and (c) 1999-2005: Amon Ott <ao@...> */
++/* Generic lists - internal structures               */
++/* Last modified: 04/Apr/2005                        */
++/*************************************************** */
++
++#ifndef __RSBAC_REPL_TYPES_H
++#define __RSBAC_REPL_TYPES_H
++
++#include <rsbac/types.h>
++
++#define RSBAC_LIST_REPL_NAME_LEN 16
++#define RSBAC_LIST_REPL_CRYPTKEY_LEN 256
++#define RSBAC_LIST_REPL_CRYPTALGO_LEN 64
++
++typedef __u32 rsbac_list_repl_partner_number_t;
++
++struct rsbac_list_repl_partner_entry_t
++  {
++    char          name[RSBAC_LIST_REPL_NAME_LEN];
++    __u32         ip_addr;
++    char          crypt_algo[RSBAC_LIST_REPL_CRYPTALGO_LEN];
++    char          crypt_key[RSBAC_LIST_REPL_CRYPTKEY_LEN];
++    __u32         crypt_key_len;
++  };
++
++#endif
+diff --git a/include/rsbac/request_groups.h b/include/rsbac/request_groups.h
+new file mode 100644
+index 0000000..a45c83b
+--- /dev/null
++++ b/include/rsbac/request_groups.h
+@@ -0,0 +1,420 @@
++/************************************ */
++/* Rule Set Based Access Control      */
++/* Author and (c) 1999-2008: Amon Ott */
++/* Groups of ADF request for          */
++/* administration                     */
++/* Last modified: 21/Jan/2008         */
++/************************************ */
++
++#ifndef __RSBAC_REQUEST_GROUPS_H
++#define __RSBAC_REQUEST_GROUPS_H
++
++#define RSBAC_READ_REQUEST_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_CHDIR) | \
++  ((rsbac_request_vector_t) 1 << R_CLOSE) | \
++  ((rsbac_request_vector_t) 1 << R_GET_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_READ) | \
++  ((rsbac_request_vector_t) 1 << R_READ_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_SEARCH) | \
++  ((rsbac_request_vector_t) 1 << R_TERMINATE) | \
++  ((rsbac_request_vector_t) 1 << R_AUTHENTICATE) \
++  )
++
++#define RSBAC_WRITE_REQUEST_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_ALTER) | \
++  ((rsbac_request_vector_t) 1 << R_APPEND_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_GROUP) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_EFF_GROUP) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_FS_GROUP) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_EFF_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_FS_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_CLONE) | \
++  ((rsbac_request_vector_t) 1 << R_CREATE) | \
++  ((rsbac_request_vector_t) 1 << R_DELETE) | \
++  ((rsbac_request_vector_t) 1 << R_LINK_HARD) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ACCESS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_RENAME) | \
++  ((rsbac_request_vector_t) 1 << R_SEND_SIGNAL) | \
++  ((rsbac_request_vector_t) 1 << R_TRACE) | \
++  ((rsbac_request_vector_t) 1 << R_TRUNCATE) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_IOCTL) | \
++  ((rsbac_request_vector_t) 1 << R_LOCK) \
++  )
++
++#define RSBAC_READ_WRITE_REQUEST_VECTOR (\
++  RSBAC_READ_REQUEST_VECTOR | \
++  ((rsbac_request_vector_t) 1 << R_ALTER) | \
++  ((rsbac_request_vector_t) 1 << R_APPEND_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_GROUP) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_EFF_GROUP) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_FS_GROUP) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_EFF_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_FS_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_CLONE) | \
++  ((rsbac_request_vector_t) 1 << R_CREATE) | \
++  ((rsbac_request_vector_t) 1 << R_DELETE) | \
++  ((rsbac_request_vector_t) 1 << R_LINK_HARD) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ACCESS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_READ_WRITE_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_RENAME) | \
++  ((rsbac_request_vector_t) 1 << R_SEND_SIGNAL) | \
++  ((rsbac_request_vector_t) 1 << R_TRACE) | \
++  ((rsbac_request_vector_t) 1 << R_TRUNCATE) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_BIND) | \
++  ((rsbac_request_vector_t) 1 << R_LISTEN) | \
++  ((rsbac_request_vector_t) 1 << R_ACCEPT) | \
++  ((rsbac_request_vector_t) 1 << R_CONNECT) | \
++  ((rsbac_request_vector_t) 1 << R_SEND) | \
++  ((rsbac_request_vector_t) 1 << R_RECEIVE) | \
++  ((rsbac_request_vector_t) 1 << R_NET_SHUTDOWN) | \
++  ((rsbac_request_vector_t) 1 << R_IOCTL) | \
++  ((rsbac_request_vector_t) 1 << R_LOCK) \
++  )
++
++#define RSBAC_READ_WRITE_OPEN_REQUEST_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_READ_WRITE_OPEN) \
++  )
++
++#define RSBAC_EXECUTE_REQUEST_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_EXECUTE) | \
++  ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \
++  )
++
++
++#define RSBAC_SYSTEM_REQUEST_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_ADD_TO_KERNEL) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MOUNT) | \
++  ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_REMOVE_FROM_KERNEL) | \
++  ((rsbac_request_vector_t) 1 << R_SHUTDOWN) | \
++  ((rsbac_request_vector_t) 1 << R_UMOUNT) \
++  )
++
++#define RSBAC_SECURITY_REQUEST_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_SWITCH_LOG) | \
++  ((rsbac_request_vector_t) 1 << R_SWITCH_MODULE) \
++  )
++
++#define RSBAC_FD_REQUEST_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_ADD_TO_KERNEL) | \
++  ((rsbac_request_vector_t) 1 << R_APPEND_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_CHDIR) | \
++  ((rsbac_request_vector_t) 1 << R_CLOSE) | \
++  ((rsbac_request_vector_t) 1 << R_CREATE) | \
++  ((rsbac_request_vector_t) 1 << R_DELETE) | \
++  ((rsbac_request_vector_t) 1 << R_EXECUTE) | \
++  ((rsbac_request_vector_t) 1 << R_GET_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_LINK_HARD) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ACCESS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MOUNT) | \
++  ((rsbac_request_vector_t) 1 << R_READ) | \
++  ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_READ_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_READ_WRITE_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_REMOVE_FROM_KERNEL) | \
++  ((rsbac_request_vector_t) 1 << R_RENAME) | \
++  ((rsbac_request_vector_t) 1 << R_SEARCH) | \
++  ((rsbac_request_vector_t) 1 << R_TRUNCATE) | \
++  ((rsbac_request_vector_t) 1 << R_UMOUNT) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_MAP_EXEC) | \
++  ((rsbac_request_vector_t) 1 << R_LISTEN) | \
++  ((rsbac_request_vector_t) 1 << R_ACCEPT) | \
++  ((rsbac_request_vector_t) 1 << R_CONNECT) | \
++  ((rsbac_request_vector_t) 1 << R_SEND) | \
++  ((rsbac_request_vector_t) 1 << R_RECEIVE) | \
++  ((rsbac_request_vector_t) 1 << R_NET_SHUTDOWN) | \
++  ((rsbac_request_vector_t) 1 << R_IOCTL) | \
++  ((rsbac_request_vector_t) 1 << R_LOCK) \
++  )
++
++#define RSBAC_DEV_REQUEST_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_ADD_TO_KERNEL) | \
++  ((rsbac_request_vector_t) 1 << R_APPEND_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_CLOSE) | \
++  ((rsbac_request_vector_t) 1 << R_GET_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MOUNT) | \
++  ((rsbac_request_vector_t) 1 << R_READ) | \
++  ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_READ_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_READ_WRITE_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_REMOVE_FROM_KERNEL) | \
++  ((rsbac_request_vector_t) 1 << R_UMOUNT) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_SEND) | \
++  ((rsbac_request_vector_t) 1 << R_IOCTL) \
++  )
++
++#define RSBAC_IPC_REQUEST_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_ALTER) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_GROUP) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_CLOSE) | \
++  ((rsbac_request_vector_t) 1 << R_CREATE) | \
++  ((rsbac_request_vector_t) 1 << R_DELETE) | \
++  ((rsbac_request_vector_t) 1 << R_GET_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_READ) | \
++  ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_READ_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_READ_WRITE_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE) | \
++  ((rsbac_request_vector_t) 1 << R_NET_SHUTDOWN) | \
++  ((rsbac_request_vector_t) 1 << R_BIND) | \
++  ((rsbac_request_vector_t) 1 << R_LISTEN) | \
++  ((rsbac_request_vector_t) 1 << R_ACCEPT) | \
++  ((rsbac_request_vector_t) 1 << R_CONNECT) | \
++  ((rsbac_request_vector_t) 1 << R_SEND) | \
++  ((rsbac_request_vector_t) 1 << R_RECEIVE) | \
++  ((rsbac_request_vector_t) 1 << R_IOCTL) | \
++  ((rsbac_request_vector_t) 1 << R_LOCK) \
++  )
++
++#define RSBAC_SCD_REQUEST_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_GET_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE) \
++  )
++
++#define RSBAC_USER_REQUEST_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_CHANGE_GROUP) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_CREATE) | \
++  ((rsbac_request_vector_t) 1 << R_DELETE) | \
++  ((rsbac_request_vector_t) 1 << R_GET_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_READ) | \
++  ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_RENAME) | \
++  ((rsbac_request_vector_t) 1 << R_SEARCH) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE) | \
++  ((rsbac_request_vector_t) 1 << R_AUTHENTICATE) \
++  )
++
++#define RSBAC_GROUP_REQUEST_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_CREATE) | \
++  ((rsbac_request_vector_t) 1 << R_DELETE) | \
++  ((rsbac_request_vector_t) 1 << R_GET_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_READ) | \
++  ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_RENAME) | \
++  ((rsbac_request_vector_t) 1 << R_SEARCH) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE) \
++  )
++
++#define RSBAC_PROCESS_REQUEST_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_CHANGE_GROUP) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_EFF_GROUP) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_FS_GROUP) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_EFF_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_FS_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_CLONE) | \
++  ((rsbac_request_vector_t) 1 << R_CREATE) | \
++  ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_SEND_SIGNAL) | \
++  ((rsbac_request_vector_t) 1 << R_TERMINATE) | \
++  ((rsbac_request_vector_t) 1 << R_TRACE) \
++  )
++
++#define RSBAC_NETDEV_REQUEST_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_BIND) \
++  )
++
++#define RSBAC_NETTEMP_REQUEST_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_CREATE) | \
++  ((rsbac_request_vector_t) 1 << R_DELETE) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_READ) | \
++  ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE) \
++  )
++
++#define RSBAC_NETOBJ_REQUEST_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_CLOSE) | \
++  ((rsbac_request_vector_t) 1 << R_CREATE) | \
++  ((rsbac_request_vector_t) 1 << R_GET_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_READ) | \
++  ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_NET_SHUTDOWN) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE) | \
++  ((rsbac_request_vector_t) 1 << R_BIND) | \
++  ((rsbac_request_vector_t) 1 << R_LISTEN) | \
++  ((rsbac_request_vector_t) 1 << R_ACCEPT) | \
++  ((rsbac_request_vector_t) 1 << R_CONNECT) | \
++  ((rsbac_request_vector_t) 1 << R_SEND) | \
++  ((rsbac_request_vector_t) 1 << R_RECEIVE) | \
++  ((rsbac_request_vector_t) 1 << R_IOCTL) \
++  )
++
++#define RSBAC_NONE_REQUEST_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_ADD_TO_KERNEL) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_REMOVE_FROM_KERNEL) | \
++  ((rsbac_request_vector_t) 1 << R_SHUTDOWN) | \
++  ((rsbac_request_vector_t) 1 << R_SWITCH_LOG) | \
++  ((rsbac_request_vector_t) 1 << R_SWITCH_MODULE) | \
++  ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \
++  )
++
++#define RSBAC_ALL_REQUEST_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_ADD_TO_KERNEL) | \
++  ((rsbac_request_vector_t) 1 << R_ALTER) | \
++  ((rsbac_request_vector_t) 1 << R_APPEND_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_GROUP) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_EFF_GROUP) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_FS_GROUP) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_EFF_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_FS_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_CHDIR) | \
++  ((rsbac_request_vector_t) 1 << R_CLONE) | \
++  ((rsbac_request_vector_t) 1 << R_CLOSE) | \
++  ((rsbac_request_vector_t) 1 << R_CREATE) | \
++  ((rsbac_request_vector_t) 1 << R_DELETE) | \
++  ((rsbac_request_vector_t) 1 << R_EXECUTE) | \
++  ((rsbac_request_vector_t) 1 << R_GET_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_LINK_HARD) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ACCESS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MOUNT) | \
++  ((rsbac_request_vector_t) 1 << R_READ) | \
++  ((rsbac_request_vector_t) 1 << R_READ_ATTRIBUTE) | \
++  ((rsbac_request_vector_t) 1 << R_READ_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_READ_WRITE_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_REMOVE_FROM_KERNEL) | \
++  ((rsbac_request_vector_t) 1 << R_RENAME) | \
++  ((rsbac_request_vector_t) 1 << R_SEARCH) | \
++  ((rsbac_request_vector_t) 1 << R_SEND_SIGNAL) | \
++  ((rsbac_request_vector_t) 1 << R_SHUTDOWN) | \
++  ((rsbac_request_vector_t) 1 << R_SWITCH_LOG) | \
++  ((rsbac_request_vector_t) 1 << R_SWITCH_MODULE) | \
++  ((rsbac_request_vector_t) 1 << R_TERMINATE) | \
++  ((rsbac_request_vector_t) 1 << R_TRACE) | \
++  ((rsbac_request_vector_t) 1 << R_TRUNCATE) | \
++  ((rsbac_request_vector_t) 1 << R_UMOUNT) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_MAP_EXEC) | \
++  ((rsbac_request_vector_t) 1 << R_BIND) | \
++  ((rsbac_request_vector_t) 1 << R_LISTEN) | \
++  ((rsbac_request_vector_t) 1 << R_ACCEPT) | \
++  ((rsbac_request_vector_t) 1 << R_CONNECT) | \
++  ((rsbac_request_vector_t) 1 << R_SEND) | \
++  ((rsbac_request_vector_t) 1 << R_RECEIVE) | \
++  ((rsbac_request_vector_t) 1 << R_NET_SHUTDOWN) | \
++  ((rsbac_request_vector_t) 1 << R_IOCTL) | \
++  ((rsbac_request_vector_t) 1 << R_LOCK) \
++  )
++
++/* NW specials */
++
++/* NWS == RSBAC_ACL_SUPERVISOR_RIGHT_VECTOR in ACL types */
++
++#define RSBAC_NWR_REQUEST_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_CLOSE) | \
++  ((rsbac_request_vector_t) 1 << R_EXECUTE) | \
++  ((rsbac_request_vector_t) 1 << R_READ_OPEN) \
++  )
++
++#define RSBAC_NWW_REQUEST_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_ALTER) | \
++  ((rsbac_request_vector_t) 1 << R_APPEND_OPEN) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_GROUP) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_EFF_GROUP) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_FS_GROUP) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_EFF_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_FS_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_CLOSE) | \
++  ((rsbac_request_vector_t) 1 << R_TRUNCATE) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE) | \
++  ((rsbac_request_vector_t) 1 << R_WRITE_OPEN) \
++  )
++
++#define RSBAC_NWC_REQUEST_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_CLOSE) | \
++  ((rsbac_request_vector_t) 1 << R_CREATE) \
++  )
++
++#define RSBAC_NWE_REQUEST_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_DELETE) \
++  )
++
++/* NWA == RSBAC_ACL_ACCESS_CONTROL_RIGHT_VECTOR in ACL types */
++
++#define RSBAC_NWF_REQUEST_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_CHDIR) | \
++  ((rsbac_request_vector_t) 1 << R_CLOSE) | \
++  ((rsbac_request_vector_t) 1 << R_GET_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_READ) | \
++  ((rsbac_request_vector_t) 1 << R_SEARCH) \
++  )
++
++#define RSBAC_NWM_REQUEST_VECTOR (\
++  ((rsbac_request_vector_t) 1 << R_CHANGE_GROUP) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_EFF_GROUP) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_FS_GROUP) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_EFF_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_CHANGE_DAC_FS_OWNER) | \
++  ((rsbac_request_vector_t) 1 << R_LINK_HARD) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_ACCESS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) | \
++  ((rsbac_request_vector_t) 1 << R_RENAME) \
++  )
++
++#endif
+diff --git a/include/rsbac/res_getname.h b/include/rsbac/res_getname.h
+new file mode 100644
+index 0000000..37512ad
+--- /dev/null
++++ b/include/rsbac/res_getname.h
+@@ -0,0 +1,20 @@
++/********************************** */
++/* Rule Set Based Access Control    */
++/* Author and (c) 2002:             */
++/*   Amon Ott <ao@...>        */
++/* Getname functions for RES module */
++/* Last modified: 22/Nov/2002       */
++/********************************** */
++
++#ifndef __RSBAC_RES_GETNAME_H
++#define __RSBAC_RES_GETNAME_H
++
++#include <rsbac/types.h>
++
++#ifndef __KERNEL__
++char * get_res_name(char * name,
++                    u_int value);
++int get_res_nr(const char * name);
++#endif
++
++#endif
+diff --git a/include/rsbac/rkmem.h b/include/rsbac/rkmem.h
+new file mode 100644
+index 0000000..807c2c7
+--- /dev/null
++++ b/include/rsbac/rkmem.h
+@@ -0,0 +1,73 @@
++/*************************************************** */
++/* Rule Set Based Access Control                     */
++/* Author and (c) 1999-2010: Amon Ott <ao@...> */
++/* Memory allocation                                 */
++/* Last modified: 01/Jul/2010                        */
++/*************************************************** */
++
++#ifndef __RSBAC_RKMEM_H
++#define __RSBAC_RKMEM_H
++
++#include <linux/init.h>
++#include <linux/slab.h>
++#include <linux/vmalloc.h>
++#include <linux/timer.h>
++
++#define RSBAC_MAX_KMALLOC KMALLOC_MAX_SIZE
++#define RSBAC_MAX_SLABNAME 32
++
++/* alloc mem spinlock safe with GFP_ATOMIC */
++extern void * rsbac_kmalloc (size_t size);
++extern void * rsbac_kmalloc_clear (size_t size);
++
++/* alloc outside locks with GFP_KERNEL */
++extern void * rsbac_kmalloc_unlocked (size_t size);
++extern void * rsbac_kmalloc_clear_unlocked (size_t size);
++
++extern void rsbac_kfree (const void * objp);
++
++/* Separate slabs for RSBAC */
++
++/* name must stay available until after destroy, keep locally */
++static inline struct kmem_cache * rsbac_slab_create(
++	const char * name,
++	size_t size)
++{
++	return kmem_cache_create(name, size, 0, 0, NULL);
++}
++
++/* remember to free up name after calling, if it has been allocated */
++static inline void rsbac_slab_destroy(struct kmem_cache * cache)
++{
++	kmem_cache_destroy(cache);
++}
++
++static inline void * rsbac_smalloc(struct kmem_cache * cache)
++{
++	return kmem_cache_alloc(cache, GFP_ATOMIC);
++}
++
++static inline void * rsbac_smalloc_clear(struct kmem_cache * cache)
++{
++	return kmem_cache_alloc(cache, GFP_ATOMIC | __GFP_ZERO);
++}
++
++static inline void * rsbac_smalloc_unlocked(struct kmem_cache * cache)
++{
++	return kmem_cache_alloc(cache, GFP_KERNEL);
++}
++
++static inline void * rsbac_smalloc_clear_unlocked(struct kmem_cache * cache)
++{
++	return kmem_cache_alloc(cache, GFP_KERNEL | __GFP_ZERO);
++}
++
++static inline void rsbac_sfree(struct kmem_cache * cache, void * mem)
++{
++	if (cache)
++		kmem_cache_free(cache, mem);
++	else
++		kfree(mem);
++}
++
++#endif
+diff --git a/include/rsbac/syscall_rsbac.h b/include/rsbac/syscall_rsbac.h
+new file mode 100644
+index 0000000..8ceb81d
+--- /dev/null
++++ b/include/rsbac/syscall_rsbac.h
+@@ -0,0 +1,37 @@
++/************************************ */
++/* Rule Set Based Access Control      */
++/*                                    */
++/* Author and (c) 1999-2004:          */
++/*   Amon Ott <ao@...>          */
++/*                                    */
++/* System Calls                       */
++/*                                    */
++/* Last modified: 13/Apr/2004         */
++/************************************ */
++
++#ifndef __RSBAC_SYSCALL_RSBAC_H
++#define __RSBAC_SYSCALL_RSBAC_H
++
++/* to keep include/asm-alpha/unistd.h happy */
++//#define __LIBRARY__
++
++#include <linux/unistd.h>
++#include <rsbac/types.h>
++#include <rsbac/syscalls.h>
++
++#ifdef __PIC__
++#undef _syscall3
++#define _syscall3(type,name,type1,arg1,type2,arg2,type3,arg3) \
++        type name(type1 arg1,type2 arg2,type3 arg3) \
++{\
++                return syscall(__NR_##name, arg1, arg2, arg3);\
++}
++#endif
++
++static inline _syscall3(int, rsbac,
++		rsbac_version_t, version,
++		enum rsbac_syscall_t, call,
++		union rsbac_syscall_arg_t *, arg_p);
++
++#define sys_rsbac(a,b,c) rsbac(a,b,c)
++#endif
+diff --git a/include/rsbac/syscalls.h b/include/rsbac/syscalls.h
+new file mode 100644
+index 0000000..abcf56f
+--- /dev/null
++++ b/include/rsbac/syscalls.h
+@@ -0,0 +1,1900 @@
++/************************************* */
++/* Rule Set Based Access Control       */
++/* Author and (c) 1999-2012:           */
++/*   Amon Ott <ao@...>           */
++/* Syscall wrapper functions for all   */
++/* parts                               */
++/* Last modified: 08/May/2012          */
++/************************************* */
++
++#ifndef __RSBAC_SYSCALLS_H
++#define __RSBAC_SYSCALLS_H
++
++#include <linux/unistd.h>
++#include <rsbac/types.h>
++#include <rsbac/helpers.h>
++#include <rsbac/error.h>
++
++enum rsbac_syscall_t
++  {
++    RSYS_version,
++    RSYS_stats,
++    RSYS_check,
++    RSYS_get_attr,
++    RSYS_get_attr_n,
++    RSYS_set_attr,
++    RSYS_set_attr_n,
++    RSYS_remove_target,
++    RSYS_remove_target_n,
++    RSYS_net_list_all_netdev,
++    RSYS_net_template,
++    RSYS_net_list_all_template,
++    RSYS_switch,
++    RSYS_get_switch,
++    RSYS_adf_log_switch,
++    RSYS_get_adf_log,
++    RSYS_write,
++    RSYS_log,
++    RSYS_mac_set_curr_level,
++    RSYS_mac_get_curr_level,
++    RSYS_mac_get_max_level,
++    RSYS_mac_get_min_level,
++    RSYS_mac_add_p_tru,
++    RSYS_mac_remove_p_tru,
++    RSYS_mac_add_f_tru,
++    RSYS_mac_remove_f_tru,
++    RSYS_mac_get_f_trulist,
++    RSYS_mac_get_p_trulist,
++    RSYS_stats_pm,
++    RSYS_pm,
++    RSYS_pm_change_current_task,
++    RSYS_pm_create_file,
++    RSYS_daz_flush_cache,
++    RSYS_rc_copy_role,
++    RSYS_rc_copy_type,
++    RSYS_rc_get_item,
++    RSYS_rc_set_item,
++    RSYS_rc_change_role,
++    RSYS_rc_get_eff_rights_n,
++    RSYS_rc_get_list,
++    RSYS_auth_add_p_cap,
++    RSYS_auth_remove_p_cap,
++    RSYS_auth_add_f_cap,
++    RSYS_auth_remove_f_cap,
++    RSYS_auth_get_f_caplist,
++    RSYS_auth_get_p_caplist,
++    RSYS_acl,
++    RSYS_acl_n,
++    RSYS_acl_get_rights,
++    RSYS_acl_get_rights_n,
++    RSYS_acl_get_tlist,
++    RSYS_acl_get_tlist_n,
++    RSYS_acl_get_mask,
++    RSYS_acl_get_mask_n,
++    RSYS_acl_group,
++    RSYS_reg,
++    RSYS_jail,
++    RSYS_init,
++    RSYS_rc_get_current_role,
++    RSYS_um_auth_name,
++    RSYS_um_auth_uid,
++    RSYS_um_add_user,
++    RSYS_um_add_group,
++    RSYS_um_add_gm,
++    RSYS_um_mod_user,
++    RSYS_um_mod_group,
++    RSYS_um_get_user_item,
++    RSYS_um_get_group_item,
++    RSYS_um_remove_user,
++    RSYS_um_remove_group,
++    RSYS_um_remove_gm,
++    RSYS_um_user_exists,
++    RSYS_um_group_exists,
++    RSYS_um_get_next_user,
++    RSYS_um_get_user_list,
++    RSYS_um_get_gm_list,
++    RSYS_um_get_gm_user_list,
++    RSYS_um_get_group_list,
++    RSYS_um_get_uid,
++    RSYS_um_get_gid,
++    RSYS_um_set_pass,
++    RSYS_um_set_pass_name,
++    RSYS_um_set_group_pass,
++    RSYS_um_check_account,
++    RSYS_um_check_account_name,
++    RSYS_list_ta_begin,
++    RSYS_list_ta_refresh,
++    RSYS_list_ta_commit,
++    RSYS_list_ta_forget,
++    RSYS_list_all_dev,
++    RSYS_acl_list_all_dev,
++    RSYS_list_all_user,
++    RSYS_acl_list_all_user,
++    RSYS_list_all_group,
++    RSYS_acl_list_all_group,
++    RSYS_list_all_ipc,
++    RSYS_rc_select_fd_create_type,
++    RSYS_um_select_vset,
++    RSYS_um_add_onetime,
++    RSYS_um_add_onetime_name,
++    RSYS_um_remove_all_onetime,
++    RSYS_um_remove_all_onetime_name,
++    RSYS_um_count_onetime,
++    RSYS_um_count_onetime_name,
++    RSYS_list_ta_begin_name,
++    RSYS_um_get_max_history,
++    RSYS_um_get_max_history_name,
++    RSYS_um_set_max_history,
++    RSYS_um_set_max_history_name,
++    RSYS_none
++  };
++
++
++struct rsys_check_t
++  {
++    int correct;
++    int check_inode;
++  };
++
++struct rsys_get_attr_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_enum_t module;
++          rsbac_enum_t target;
++    union rsbac_target_id_t __user * tid;
++          rsbac_enum_t attr;
++    union rsbac_attribute_value_t __user * value;
++          int inherit;
++  };
++
++struct rsys_get_attr_n_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_enum_t module;
++          rsbac_enum_t target;
++          char __user * t_name;
++          rsbac_enum_t attr;
++    union rsbac_attribute_value_t __user * value;
++          int inherit;
++  };
++
++struct rsys_set_attr_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_enum_t module;
++          rsbac_enum_t target;
++    union rsbac_target_id_t __user * tid;
++          rsbac_enum_t attr;
++    union rsbac_attribute_value_t __user * value;
++  };
++
++struct rsys_set_attr_n_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_enum_t module;
++          rsbac_enum_t target;
++          char __user * t_name;
++          rsbac_enum_t attr;
++    union rsbac_attribute_value_t __user * value;
++  };
++
++struct rsys_remove_target_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_enum_t target;
++    union rsbac_target_id_t __user * tid;
++  };
++
++struct rsys_remove_target_n_t
++  {
++         rsbac_list_ta_number_t ta_number;
++          rsbac_enum_t target;
++         char __user * t_name;
++  };
++
++struct rsys_net_list_all_netdev_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    rsbac_netdev_id_t __user * id_p;
++    u_long maxnum;
++  };
++
++struct rsys_net_template_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_enum_t call;
++          rsbac_net_temp_id_t id;
++    union rsbac_net_temp_syscall_data_t __user * data_p;
++  };
++
++struct rsys_net_list_all_template_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    rsbac_net_temp_id_t __user * id_p;
++    u_long maxnum;
++  };
++
++struct rsys_switch_t
++  {
++    rsbac_enum_t module;
++    int value;
++  };
++
++struct rsys_get_switch_t
++  {
++    rsbac_enum_t module;
++    int __user * value_p;
++    int __user * switchable_p;
++  };
++
++struct rsys_adf_log_switch_t
++  {
++    rsbac_enum_t request;
++    rsbac_enum_t target;
++    u_int        value;
++  };
++
++struct rsys_get_adf_log_t
++  {
++    rsbac_enum_t   request;
++    rsbac_enum_t   target;
++    u_int        __user * value_p;
++  };
++
++struct rsys_log_t
++  {
++    int type;
++    char __user * buf;
++    int len;
++  };
++
++struct rsys_mac_set_curr_level_t
++  {
++    rsbac_security_level_t level;
++    rsbac_mac_category_vector_t __user * categories_p;
++  };
++
++struct rsys_mac_get_curr_level_t
++  {
++    rsbac_security_level_t      __user * level_p;
++    rsbac_mac_category_vector_t __user * categories_p;
++  };
++
++struct rsys_mac_get_max_level_t
++  {
++    rsbac_security_level_t      __user * level_p;
++    rsbac_mac_category_vector_t __user * categories_p;
++  };
++
++struct rsys_mac_get_min_level_t
++  {
++    rsbac_security_level_t      __user * level_p;
++    rsbac_mac_category_vector_t __user * categories_p;
++  };
++
++struct rsys_mac_add_p_tru_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    rsbac_upid_t pid;
++    rsbac_uid_t uid;
++    rsbac_time_t ttl;
++  };
++
++struct rsys_mac_remove_p_tru_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    rsbac_upid_t pid;
++    rsbac_uid_t uid;
++  };
++
++struct rsys_mac_add_f_tru_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    char __user * filename;
++    rsbac_uid_t uid;
++    rsbac_time_t ttl;
++  };
++
++struct rsys_mac_remove_f_tru_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    char __user * filename;
++    rsbac_uid_t uid;
++  };
++
++struct rsys_mac_get_f_trulist_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    char __user * filename;
++    rsbac_uid_t __user * trulist;
++    rsbac_time_t __user * ttllist;
++    u_int maxnum;
++  };
++
++struct rsys_mac_get_p_trulist_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    rsbac_upid_t pid;
++    rsbac_uid_t __user * trulist;
++    rsbac_time_t __user * ttllist;
++    u_int maxnum;
++  };
++
++struct rsys_pm_t
++  {
++    rsbac_list_ta_number_t ta_number;
++          rsbac_enum_t function;
++    union rsbac_pm_function_param_t __user * param_p;
++          rsbac_pm_tkt_id_t ticket;
++  };
++
++struct rsys_pm_change_current_task_t
++  {
++    rsbac_pm_task_id_t task;
++  };
++
++struct rsys_pm_create_file_t
++  {
++    const char __user * filename;
++    int mode;
++    rsbac_pm_object_class_id_t object_class;
++  };
++
++struct rsys_rc_copy_role_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    rsbac_rc_role_id_t from_role;
++    rsbac_rc_role_id_t to_role;
++  };
++
++struct rsys_rc_copy_type_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    rsbac_enum_t target;
++    rsbac_rc_type_id_t from_type;
++    rsbac_rc_type_id_t to_type;
++  };
++
++struct rsys_rc_get_item_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_enum_t target;
++    union rsbac_rc_target_id_t __user * tid_p;
++    union rsbac_rc_target_id_t __user * subtid_p;
++          rsbac_enum_t item;
++    union rsbac_rc_item_value_t __user * value_p;
++          rsbac_time_t __user * ttl_p;
++  };
++
++struct rsys_rc_set_item_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_enum_t target;
++    union rsbac_rc_target_id_t __user * tid_p;
++    union rsbac_rc_target_id_t __user * subtid_p;
++          rsbac_enum_t item;
++    union rsbac_rc_item_value_t __user * value_p;
++          rsbac_time_t ttl;
++  };
++
++struct rsys_rc_get_list_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_enum_t target;
++    union rsbac_rc_target_id_t __user * tid_p;
++          rsbac_enum_t item;
++          u_int maxnum;
++          __u32 __user * array_p;
++          rsbac_time_t __user * ttl_array_p;
++  };
++
++struct rsys_rc_change_role_t
++  {
++    rsbac_rc_role_id_t role;
++    char __user * pass;
++  };
++
++struct rsys_rc_get_eff_rights_n_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    rsbac_enum_t target;
++    char __user * t_name;
++    rsbac_rc_request_vector_t __user * request_vector_p;
++    rsbac_time_t __user * ttl_p;
++  };
++
++struct rsys_rc_get_current_role_t
++  {
++    rsbac_rc_role_id_t __user * role_p;
++  };
++
++struct rsys_auth_add_p_cap_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           rsbac_upid_t pid;
++           rsbac_enum_t cap_type;
++    struct rsbac_auth_cap_range_t cap_range;
++           rsbac_time_t ttl;
++  };
++
++struct rsys_auth_remove_p_cap_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           rsbac_upid_t pid;
++           rsbac_enum_t cap_type;
++    struct rsbac_auth_cap_range_t cap_range;
++  };
++
++struct rsys_auth_add_f_cap_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           char __user * filename;
++           rsbac_enum_t cap_type;
++    struct rsbac_auth_cap_range_t cap_range;
++           rsbac_time_t ttl;
++  };
++
++struct rsys_auth_remove_f_cap_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           char __user * filename;
++           rsbac_enum_t cap_type;
++    struct rsbac_auth_cap_range_t cap_range;
++  };
++
++struct rsys_auth_get_f_caplist_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           char __user * filename;
++           rsbac_enum_t cap_type;
++    struct rsbac_auth_cap_range_t __user * caplist;
++           rsbac_time_t __user * ttllist;
++           u_int maxnum;
++  };
++
++struct rsys_auth_get_p_caplist_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           rsbac_upid_t pid;
++           rsbac_enum_t cap_type;
++    struct rsbac_auth_cap_range_t __user * caplist;
++           rsbac_time_t __user * ttllist;
++           u_int maxnum;
++  };
++
++struct rsys_acl_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           rsbac_enum_t call;
++    struct rsbac_acl_syscall_arg_t __user * arg;
++  };
++
++struct rsys_acl_n_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           rsbac_enum_t call;
++    struct rsbac_acl_syscall_n_arg_t __user * arg;
++  };
++
++struct rsys_acl_get_rights_t
++  {
++           rsbac_list_ta_number_t ta_number;
++    struct rsbac_acl_syscall_arg_t __user * arg;
++           rsbac_acl_rights_vector_t __user * rights_p;
++           u_int effective;
++  };
++
++struct rsys_acl_get_rights_n_t
++  {
++           rsbac_list_ta_number_t ta_number;
++    struct rsbac_acl_syscall_n_arg_t __user * arg;
++           rsbac_acl_rights_vector_t __user * rights_p;
++           u_int effective;
++  };
++
++struct rsys_acl_get_tlist_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           rsbac_enum_t target;
++    union  rsbac_target_id_t __user * tid;
++    struct rsbac_acl_entry_t __user * entry_array;
++           rsbac_time_t __user * ttl_array;
++           u_int maxnum;
++  };
++
++struct rsys_acl_get_tlist_n_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           rsbac_enum_t target;
++           char __user * t_name;
++    struct rsbac_acl_entry_t __user * entry_array;
++           rsbac_time_t __user * ttl_array;
++           u_int maxnum;
++  };
++
++struct rsys_acl_get_mask_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           rsbac_enum_t target;
++    union  rsbac_target_id_t __user * tid;
++           rsbac_acl_rights_vector_t __user * mask_p;
++  };
++
++struct rsys_acl_get_mask_n_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           rsbac_enum_t target;
++           char __user * t_name;
++           rsbac_acl_rights_vector_t __user * mask_p;
++  };
++
++struct rsys_acl_group_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_enum_t call;
++    union rsbac_acl_group_syscall_arg_t __user * arg_p;
++  };
++
++struct rsys_reg_t
++  {
++    long handle;
++    void __user * arg;
++  };
++
++struct rsys_jail_t
++  {
++    rsbac_version_t      version;
++    char               __user * path;
++    rsbac_jail_ip_t      ip;
++    rsbac_jail_flags_t   flags;
++    rsbac_cap_vector_t   max_caps;
++    rsbac_jail_scd_vector_t scd_get;
++    rsbac_jail_scd_vector_t scd_modify;
++  };
++
++struct rsys_init_t
++  {
++    char __user * root_dev;
++  };
++
++struct rsys_um_auth_name_t
++  {
++    char __user * name;
++    char __user * pass;
++  };
++
++struct rsys_um_auth_uid_t
++  {
++    rsbac_uid_t   uid;
++    char        __user * pass;
++  };
++
++struct rsys_um_add_user_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           rsbac_uid_t             uid;
++    struct rsbac_um_user_entry_t __user * entry_p;
++           char                  __user * pass;
++           rsbac_time_t            ttl;
++  };
++
++struct rsys_um_add_group_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           rsbac_gid_t              gid;
++    struct rsbac_um_group_entry_t __user * entry_p;
++           char                   __user * pass;
++           rsbac_time_t             ttl;
++  };
++
++struct rsys_um_add_gm_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           rsbac_uid_t  uid;
++           rsbac_gid_num_t  gid;
++           rsbac_time_t ttl;
++  };
++
++struct rsys_um_mod_user_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_uid_t           uid;
++          rsbac_enum_t          mod;
++    union rsbac_um_mod_data_t __user * data_p;
++  };
++
++struct rsys_um_mod_group_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_gid_t           gid;
++          rsbac_enum_t          mod;
++    union rsbac_um_mod_data_t __user * data_p;
++  };
++
++struct rsys_um_get_user_item_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_uid_t           uid;
++          rsbac_enum_t          mod;
++    union rsbac_um_mod_data_t __user * data_p;
++  };
++
++struct rsys_um_get_group_item_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_gid_t           gid;
++          rsbac_enum_t          mod;
++    union rsbac_um_mod_data_t __user * data_p;
++  };
++
++struct rsys_um_remove_user_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_uid_t           uid;
++  };
++
++struct rsys_um_remove_group_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_gid_t           gid;
++  };
++
++struct rsys_um_remove_gm_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_uid_t  uid;
++          rsbac_gid_num_t  gid;
++  };
++
++struct rsys_um_user_exists_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_uid_t uid;
++  };
++
++struct rsys_um_group_exists_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_gid_t gid;
++  };
++
++struct rsys_um_get_next_user_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_uid_t   old_user;
++          rsbac_uid_t __user * next_user_p;
++  };
++
++struct rsys_um_get_user_list_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_um_set_t vset;
++          rsbac_uid_t __user * user_array;
++          u_int         maxnum;
++  };
++
++struct rsys_um_get_gm_list_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_uid_t   user;
++          rsbac_gid_num_t __user * group_array;
++          u_int         maxnum;
++  };
++
++struct rsys_um_get_gm_user_list_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_gid_t   group;
++          rsbac_uid_num_t __user * user_array;
++          u_int         maxnum;
++  };
++
++struct rsys_um_get_group_list_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_um_set_t vset;
++          rsbac_gid_t __user * group_array;
++          u_int         maxnum;
++  };
++
++struct rsys_um_get_uid_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    char        __user * name;
++    rsbac_uid_t __user * uid_p;
++  };
++
++struct rsys_um_get_gid_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    char        __user * name;
++    rsbac_gid_t __user * gid_p;
++  };
++
++struct rsys_um_set_pass_t
++  {
++    rsbac_uid_t   uid;
++    char        __user * old_pass;
++    char        __user * new_pass;
++  };
++
++struct rsys_um_set_pass_name_t
++  {
++    char __user * name;
++    char __user * old_pass;
++    char __user * new_pass;
++  };
++
++struct rsys_um_add_onetime_t
++  {
++    rsbac_uid_t   uid;
++    char        __user * old_pass;
++    char        __user * new_pass;
++    rsbac_time_t  ttl;
++  };
++
++struct rsys_um_add_onetime_name_t
++  {
++    char __user * name;
++    char __user * old_pass;
++    char __user * new_pass;
++    rsbac_time_t ttl;
++  };
++
++struct rsys_um_remove_all_onetime_t
++  {
++    rsbac_uid_t   uid;
++    char        __user * old_pass;
++  };
++
++struct rsys_um_remove_all_onetime_name_t
++  {
++    char __user * name;
++    char __user * old_pass;
++  };
++
++struct rsys_um_count_onetime_t
++  {
++    rsbac_uid_t   uid;
++    char        __user * old_pass;
++  };
++
++struct rsys_um_count_onetime_name_t
++  {
++    char __user * name;
++    char __user * old_pass;
++  };
++
++struct rsys_um_set_group_pass_t
++  {
++    rsbac_gid_t   gid;
++    char        __user * new_pass;
++  };
++
++struct rsys_um_check_account_t
++  {
++    rsbac_uid_t   uid;
++  };
++
++struct rsys_um_check_account_name_t
++  {
++    char __user * name;
++  };
++
++struct rsys_um_get_max_history_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    rsbac_uid_t   uid;
++  };
++
++struct rsys_um_get_max_history_name_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    char __user * name;
++  };
++
++struct rsys_um_set_max_history_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    rsbac_uid_t   uid;
++    __u8          max_history;
++  };
++
++struct rsys_um_set_max_history_name_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    char __user * name;
++    __u8   max_history;
++  };
++
++struct rsys_um_select_vset_t
++  {
++    rsbac_um_set_t vset;
++  };
++
++struct rsys_list_ta_begin_t
++  {
++    rsbac_time_t ttl;
++    rsbac_list_ta_number_t __user * ta_number_p;
++    rsbac_uid_t commit_uid;
++    char __user * password;
++  };
++
++struct rsys_list_ta_begin_name_t
++  {
++    rsbac_time_t ttl;
++    rsbac_list_ta_number_t __user * ta_number_p;
++    rsbac_uid_t commit_uid;
++    char __user * name;
++    char __user * password;
++  };
++
++struct rsys_list_ta_refresh_t
++  {
++    rsbac_time_t ttl;
++    rsbac_list_ta_number_t ta_number;
++    char __user * password;
++  };
++
++struct rsys_list_ta_commit_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    char __user * password;
++  };
++
++struct rsys_list_ta_forget_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    char __user * password;
++  };
++
++struct rsys_list_all_dev_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    struct rsbac_dev_desc_t __user * id_p;
++    u_long maxnum;
++  };
++
++struct rsys_acl_list_all_dev_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    struct rsbac_dev_desc_t __user * id_p;
++    u_long maxnum;
++  };
++
++struct rsys_list_all_user_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    rsbac_uid_t __user * id_p;
++    u_long maxnum;
++  };
++
++struct rsys_acl_list_all_user_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    rsbac_uid_t __user * id_p;
++    u_long maxnum;
++  };
++
++struct rsys_list_all_group_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    rsbac_gid_t __user * id_p;
++    u_long maxnum;
++  };
++
++struct rsys_acl_list_all_group_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    rsbac_gid_t __user * id_p;
++    u_long maxnum;
++  };
++
++struct rsys_list_all_ipc_t {
++       rsbac_list_ta_number_t ta_number;
++       struct rsbac_ipc_t __user *id_p;
++       u_long maxnum;
++};
++
++struct rsys_rc_select_fd_create_type_t {
++	rsbac_rc_type_id_t type;
++};
++
++union rsbac_syscall_arg_t
++  {
++    struct rsys_check_t check;
++    struct rsys_get_attr_t get_attr;
++    struct rsys_get_attr_n_t get_attr_n;
++    struct rsys_set_attr_t set_attr;
++    struct rsys_set_attr_n_t set_attr_n;
++    struct rsys_remove_target_t remove_target;
++    struct rsys_remove_target_n_t remove_target_n;
++    struct rsys_net_list_all_netdev_t net_list_all_netdev;
++    struct rsys_net_template_t net_template;
++    struct rsys_net_list_all_template_t net_list_all_template;
++    struct rsys_switch_t switch_module;
++    struct rsys_get_switch_t get_switch_module;
++    struct rsys_adf_log_switch_t adf_log_switch;
++    struct rsys_get_adf_log_t get_adf_log;
++    struct rsys_log_t log;
++    struct rsys_mac_set_curr_level_t mac_set_curr_level;
++    struct rsys_mac_get_curr_level_t mac_get_curr_level;
++    struct rsys_mac_get_max_level_t mac_get_max_level;
++    struct rsys_mac_get_min_level_t mac_get_min_level;
++    struct rsys_mac_add_p_tru_t mac_add_p_tru;
++    struct rsys_mac_remove_p_tru_t mac_remove_p_tru;
++    struct rsys_mac_add_f_tru_t mac_add_f_tru;
++    struct rsys_mac_remove_f_tru_t mac_remove_f_tru;
++    struct rsys_mac_get_f_trulist_t mac_get_f_trulist;
++    struct rsys_mac_get_p_trulist_t mac_get_p_trulist;
++    struct rsys_pm_t pm;
++    struct rsys_pm_change_current_task_t pm_change_current_task;
++    struct rsys_pm_create_file_t pm_create_file;
++    struct rsys_rc_copy_role_t rc_copy_role;
++    struct rsys_rc_copy_type_t rc_copy_type;
++    struct rsys_rc_get_item_t rc_get_item;
++    struct rsys_rc_set_item_t rc_set_item;
++    struct rsys_rc_get_list_t rc_get_list;
++    struct rsys_rc_change_role_t rc_change_role;
++    struct rsys_rc_get_eff_rights_n_t rc_get_eff_rights_n;
++    struct rsys_rc_get_current_role_t rc_get_current_role;
++    struct rsys_auth_add_p_cap_t auth_add_p_cap;
++    struct rsys_auth_remove_p_cap_t auth_remove_p_cap;
++    struct rsys_auth_add_f_cap_t auth_add_f_cap;
++    struct rsys_auth_remove_f_cap_t auth_remove_f_cap;
++    struct rsys_auth_get_f_caplist_t auth_get_f_caplist;
++    struct rsys_auth_get_p_caplist_t auth_get_p_caplist;
++    struct rsys_acl_t acl;
++    struct rsys_acl_n_t acl_n;
++    struct rsys_acl_get_rights_t acl_get_rights;
++    struct rsys_acl_get_rights_n_t acl_get_rights_n;
++    struct rsys_acl_get_tlist_t acl_get_tlist;
++    struct rsys_acl_get_tlist_n_t acl_get_tlist_n;
++    struct rsys_acl_get_mask_t acl_get_mask;
++    struct rsys_acl_get_mask_n_t acl_get_mask_n;
++    struct rsys_acl_group_t acl_group;
++    struct rsys_reg_t reg;
++    struct rsys_jail_t jail;
++    struct rsys_init_t init;
++    struct rsys_um_auth_name_t um_auth_name;
++    struct rsys_um_auth_uid_t um_auth_uid;
++    struct rsys_um_add_user_t um_add_user;
++    struct rsys_um_add_group_t um_add_group;
++    struct rsys_um_add_gm_t um_add_gm;
++    struct rsys_um_mod_user_t um_mod_user;
++    struct rsys_um_mod_group_t um_mod_group;
++    struct rsys_um_get_user_item_t um_get_user_item;
++    struct rsys_um_get_group_item_t um_get_group_item;
++    struct rsys_um_remove_user_t um_remove_user;
++    struct rsys_um_remove_group_t um_remove_group;
++    struct rsys_um_remove_gm_t um_remove_gm;
++    struct rsys_um_user_exists_t um_user_exists;
++    struct rsys_um_group_exists_t um_group_exists;
++    struct rsys_um_get_next_user_t um_get_next_user;
++    struct rsys_um_get_user_list_t um_get_user_list;
++    struct rsys_um_get_gm_list_t um_get_gm_list;
++    struct rsys_um_get_gm_user_list_t um_get_gm_user_list;
++    struct rsys_um_get_group_list_t um_get_group_list;
++    struct rsys_um_get_uid_t um_get_uid;
++    struct rsys_um_get_gid_t um_get_gid;
++    struct rsys_um_set_pass_t um_set_pass;
++    struct rsys_um_set_pass_name_t um_set_pass_name;
++    struct rsys_um_add_onetime_t um_add_onetime;
++    struct rsys_um_add_onetime_name_t um_add_onetime_name;
++    struct rsys_um_remove_all_onetime_t um_remove_all_onetime;
++    struct rsys_um_remove_all_onetime_name_t um_remove_all_onetime_name;
++    struct rsys_um_count_onetime_t um_count_onetime;
++    struct rsys_um_count_onetime_name_t um_count_onetime_name;
++    struct rsys_um_set_group_pass_t um_set_group_pass;
++    struct rsys_um_check_account_t um_check_account;
++    struct rsys_um_check_account_name_t um_check_account_name;
++    struct rsys_um_get_max_history_t um_get_max_history;
++    struct rsys_um_get_max_history_name_t um_get_max_history_name;
++    struct rsys_um_set_max_history_t um_set_max_history;
++    struct rsys_um_set_max_history_name_t um_set_max_history_name;
++    struct rsys_list_ta_begin_t list_ta_begin;
++    struct rsys_list_ta_begin_name_t list_ta_begin_name;
++    struct rsys_list_ta_refresh_t list_ta_refresh;
++    struct rsys_list_ta_commit_t list_ta_commit;
++    struct rsys_list_ta_forget_t list_ta_forget;
++    struct rsys_list_all_dev_t list_all_dev;
++    struct rsys_acl_list_all_dev_t acl_list_all_dev;
++    struct rsys_list_all_user_t list_all_user;
++    struct rsys_acl_list_all_user_t acl_list_all_user;
++    struct rsys_list_all_group_t list_all_group;
++    struct rsys_acl_list_all_group_t acl_list_all_group;
++    struct rsys_list_all_ipc_t list_all_ipc;
++    struct rsys_rc_select_fd_create_type_t rc_select_fd_create_type;
++    struct rsys_um_select_vset_t um_select_vset;
++           int dummy;
++  };
++
++/*
++ * 32 Bit emulation support on x86_64 system
++ */
++
++#ifdef CONFIG_IA32_EMULATION
++struct rsys_check_ia32_t
++  {
++    int correct;
++    int check_inode;
++  };
++
++struct rsys_get_attr_ia32_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_enum_t module;
++          rsbac_enum_t target;
++          __u32 tid;
++          rsbac_enum_t attr;
++          __u32 value;
++          int inherit;
++  };
++
++struct rsys_get_attr_n_ia32_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_enum_t module;
++          rsbac_enum_t target;
++          __u32 t_name;
++          rsbac_enum_t attr;
++          __u32 value;
++          int inherit;
++  };
++
++struct rsys_set_attr_ia32_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_enum_t module;
++          rsbac_enum_t target;
++          __u32 tid;
++          rsbac_enum_t attr;
++          __u32 value;
++  };
++
++struct rsys_set_attr_n_ia32_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_enum_t module;
++          rsbac_enum_t target;
++          __u32 t_name;
++          rsbac_enum_t attr;
++          __u32 value;
++  };
++
++struct rsys_remove_target_ia32_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_enum_t target;
++          __u32 tid;
++  };
++
++struct rsys_remove_target_n_ia32_t
++  {
++         rsbac_list_ta_number_t ta_number;
++          rsbac_enum_t target;
++         __u32 t_name;
++  };
++
++struct rsys_net_list_all_netdev_ia32_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    __u32 id_p;
++    u_long maxnum;
++  };
++
++struct rsys_net_template_ia32_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_enum_t call;
++          rsbac_net_temp_id_t id;
++          __u32 data_p;
++  };
++
++struct rsys_net_list_all_template_ia32_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    __u32 id_p;
++    u_long maxnum;
++  };
++
++struct rsys_switch_ia32_t
++  {
++    rsbac_enum_t module;
++    int value;
++  };
++
++struct rsys_get_switch_ia32_t
++  {
++    rsbac_enum_t module;
++    __u32 value_p;
++    __u32 switchable_p;
++  };
++
++struct rsys_adf_log_switch_ia32_t
++  {
++    rsbac_enum_t request;
++    rsbac_enum_t target;
++    u_int        value;
++  };
++
++struct rsys_get_adf_log_ia32_t
++  {
++    rsbac_enum_t   request;
++    rsbac_enum_t   target;
++    __u32 value_p;
++  };
++
++struct rsys_log_ia32_t
++  {
++    int type;
++    __u32 buf;
++    int len;
++  };
++
++struct rsys_mac_set_curr_level_ia32_t
++  {
++    rsbac_security_level_t level;
++    __u32 categories_p;
++  };
++
++struct rsys_mac_get_curr_level_ia32_t
++  {
++    __u32 level_p;
++    __u32 categories_p;
++  };
++
++struct rsys_mac_get_max_level_ia32_t
++  {
++    __u32 level_p;
++    __u32 categories_p;
++  };
++
++struct rsys_mac_get_min_level_ia32_t
++  {
++    __u32 level_p;
++    __u32 categories_p;
++  };
++
++struct rsys_mac_add_p_tru_ia32_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    rsbac_upid_t pid;
++    rsbac_uid_t uid;
++    rsbac_time_t ttl;
++  };
++
++struct rsys_mac_remove_p_tru_ia32_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    rsbac_upid_t pid;
++    rsbac_uid_t uid;
++  };
++
++struct rsys_mac_add_f_tru_ia32_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    __u32 filename;
++    rsbac_uid_t uid;
++    rsbac_time_t ttl;
++  };
++
++struct rsys_mac_remove_f_tru_ia32_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    __u32 filename;
++    rsbac_uid_t uid;
++  };
++
++struct rsys_mac_get_f_trulist_ia32_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    __u32 filename;
++    __u32 trulist;
++    __u32 ttllist;
++    u_int maxnum;
++  };
++
++struct rsys_mac_get_p_trulist_ia32_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    rsbac_upid_t pid;
++    __u32 trulist;
++    __u32 ttllist;
++    u_int maxnum;
++  };
++
++struct rsys_pm_ia32_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    rsbac_enum_t function;
++    __u32 param_p;
++    rsbac_pm_tkt_id_t ticket;
++  };
++
++struct rsys_pm_change_current_task_ia32_t
++  {
++    rsbac_pm_task_id_t task;
++  };
++
++struct rsys_pm_create_file_ia32_t
++  {
++    const __u32 filename;
++    int mode;
++    rsbac_pm_object_class_id_t object_class;
++  };
++
++struct rsys_rc_copy_role_ia32_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    rsbac_rc_role_id_t from_role;
++    rsbac_rc_role_id_t to_role;
++  };
++
++struct rsys_rc_copy_type_ia32_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    rsbac_enum_t target;
++    rsbac_rc_type_id_t from_type;
++    rsbac_rc_type_id_t to_type;
++  };
++
++struct rsys_rc_get_item_ia32_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_enum_t target;
++          __u32 tid_p;
++          __u32 subtid_p;
++          rsbac_enum_t item;
++          __u32 value_p;
++          __u32 ttl_p;
++  };
++
++struct rsys_rc_set_item_ia32_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_enum_t target;
++          __u32 tid_p;
++          __u32 subtid_p;
++          rsbac_enum_t item;
++          __u32 value_p;
++          rsbac_time_t ttl;
++  };
++
++struct rsys_rc_get_list_ia32_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_enum_t target;
++          __u32 tid_p;
++          rsbac_enum_t item;
++          u_int maxnum;
++          __u32 array_p;
++          __u32 ttl_array_p;
++  };
++
++struct rsys_rc_change_role_ia32_t
++  {
++    rsbac_rc_role_id_t role;
++    __u32 pass;
++  };
++
++struct rsys_rc_get_eff_rights_n_ia32_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    rsbac_enum_t target;
++    __u32 t_name;
++    __u32 request_vector_p;
++    __u32 ttl_p;
++  };
++
++struct rsys_rc_get_current_role_ia32_t
++  {
++    __u32 role_p;
++  };
++
++struct rsys_auth_add_p_cap_ia32_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           rsbac_upid_t pid;
++           rsbac_enum_t cap_type;
++    struct rsbac_auth_cap_range_t cap_range;
++           rsbac_time_t ttl;
++  };
++
++struct rsys_auth_remove_p_cap_ia32_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           rsbac_upid_t pid;
++           rsbac_enum_t cap_type;
++    struct rsbac_auth_cap_range_t cap_range;
++  };
++
++struct rsys_auth_add_f_cap_ia32_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           __u32 filename;
++           rsbac_enum_t cap_type;
++    struct rsbac_auth_cap_range_t cap_range;
++           rsbac_time_t ttl;
++  };
++
++struct rsys_auth_remove_f_cap_ia32_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           __u32 filename;
++           rsbac_enum_t cap_type;
++    struct rsbac_auth_cap_range_t cap_range;
++  };
++
++struct rsys_auth_get_f_caplist_ia32_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           __u32 filename;
++           rsbac_enum_t cap_type;
++           __u32 caplist;
++           __u32 ttllist;
++           u_int maxnum;
++  };
++
++struct rsys_auth_get_p_caplist_ia32_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           rsbac_upid_t pid;
++           rsbac_enum_t cap_type;
++           __u32 caplist;
++           __u32 ttllist;
++           u_int maxnum;
++  };
++
++struct rsys_acl_ia32_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           rsbac_enum_t call;
++           __u32 arg;
++  };
++
++struct rsys_acl_n_ia32_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           rsbac_enum_t call;
++           __u32 arg;
++  };
++
++struct rsys_acl_get_rights_ia32_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           __u32 arg;
++           __u32 rights_p;
++           u_int effective;
++  };
++
++struct rsys_acl_get_rights_n_ia32_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           __u32 arg;
++           __u32 rights_p;
++           u_int effective;
++  };
++
++struct rsys_acl_get_tlist_ia32_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           rsbac_enum_t target;
++           __u32 tid;
++           __u32 entry_array;
++           __u32 ttl_array;
++           u_int maxnum;
++  };
++
++struct rsys_acl_get_tlist_n_ia32_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           rsbac_enum_t target;
++           __u32 t_name;
++           __u32 entry_array;
++           __u32 ttl_array;
++           u_int maxnum;
++  };
++
++struct rsys_acl_get_mask_ia32_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           rsbac_enum_t target;
++           __u32 tid;
++           __u32 mask_p;
++  };
++
++struct rsys_acl_get_mask_n_ia32_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           rsbac_enum_t target;
++           __u32 t_name;
++           __u32 mask_p;
++  };
++
++struct rsys_acl_group_ia32_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_enum_t call;
++          __u32 arg_p;
++  };
++
++struct rsys_reg_ia32_t
++  {
++    long handle;
++    __u32 arg;
++  };
++
++struct rsys_jail_ia32_t
++  {
++    rsbac_version_t      version;
++    __u32                path;
++    rsbac_jail_ip_t      ip;
++    rsbac_jail_flags_t   flags;
++    rsbac_cap_vector_t   max_caps;
++    rsbac_jail_scd_vector_t scd_get;
++    rsbac_jail_scd_vector_t scd_modify;
++  };
++
++struct rsys_init_ia32_t
++  {
++    __u32 root_dev;
++  };
++
++struct rsys_um_auth_name_ia32_t
++  {
++    __u32 name;
++    __u32 pass;
++  };
++
++struct rsys_um_auth_uid_ia32_t
++  {
++    rsbac_uid_t uid;
++    __u32       pass;
++  };
++
++struct rsys_um_add_user_ia32_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           rsbac_uid_t             uid;
++           __u32                   entry_p;
++           __u32                   pass;
++           rsbac_time_t            ttl;
++  };
++
++struct rsys_um_add_group_ia32_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           rsbac_gid_t              gid;
++           __u32                    entry_p;
++           __u32                    pass;
++           rsbac_time_t             ttl;
++  };
++
++struct rsys_um_add_gm_ia32_t
++  {
++           rsbac_list_ta_number_t ta_number;
++           rsbac_uid_t  uid;
++           rsbac_gid_num_t  gid;
++           rsbac_time_t ttl;
++  };
++
++struct rsys_um_mod_user_ia32_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_uid_t           uid;
++          rsbac_enum_t          mod;
++          __u32                 data_p;
++  };
++
++struct rsys_um_mod_group_ia32_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_gid_t            gid;
++          rsbac_enum_t           mod;
++          __u32                  data_p;
++  };
++
++struct rsys_um_get_user_item_ia32_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_uid_t            uid;
++          rsbac_enum_t           mod;
++          __u32                  data_p;
++  };
++
++struct rsys_um_get_group_item_ia32_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_gid_t            gid;
++          rsbac_enum_t           mod;
++          __u32                  data_p;
++  };
++
++struct rsys_um_remove_user_ia32_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_uid_t           uid;
++  };
++
++struct rsys_um_remove_group_ia32_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_gid_t           gid;
++  };
++
++struct rsys_um_remove_gm_ia32_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_uid_t  uid;
++          rsbac_gid_num_t  gid;
++  };
++
++struct rsys_um_user_exists_ia32_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_uid_t uid;
++  };
++
++struct rsys_um_group_exists_ia32_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_gid_t gid;
++  };
++
++struct rsys_um_get_next_user_ia32_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_uid_t   old_user;
++          __u32         next_user_p;
++  };
++
++struct rsys_um_get_user_list_ia32_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_um_set_t vset;
++          __u32          user_array;
++          u_int          maxnum;
++  };
++
++struct rsys_um_get_gm_list_ia32_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_uid_t   user;
++          __u32         group_array;
++          u_int         maxnum;
++  };
++
++struct rsys_um_get_gm_user_list_ia32_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_gid_t   group;
++          __u32         user_array;
++          u_int         maxnum;
++  };
++
++struct rsys_um_get_group_list_ia32_t
++  {
++          rsbac_list_ta_number_t ta_number;
++          rsbac_um_set_t vset;
++          __u32          group_array;
++          u_int          maxnum;
++  };
++
++struct rsys_um_get_uid_ia32_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    __u32                  name;
++    __u32                  uid_p;
++  };
++
++struct rsys_um_get_gid_ia32_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    __u32                  name;
++    __u32                  gid_p;
++  };
++
++struct rsys_um_set_pass_ia32_t
++  {
++    rsbac_uid_t uid;
++    __u32       old_pass;
++    __u32       new_pass;
++  };
++
++struct rsys_um_set_pass_name_ia32_t
++  {
++    __u32 name;
++    __u32 old_pass;
++    __u32 new_pass;
++  };
++
++struct rsys_um_add_onetime_ia32_t
++  {
++    rsbac_uid_t  uid;
++    __u32        old_pass;
++    __u32        new_pass;
++    rsbac_time_t ttl;
++  };
++
++struct rsys_um_add_onetime_name_ia32_t
++  {
++    __u32 name;
++    __u32 old_pass;
++    __u32 new_pass;
++    rsbac_time_t ttl;
++  };
++
++struct rsys_um_remove_all_onetime_ia32_t
++  {
++    rsbac_uid_t uid;
++    __u32       old_pass;
++  };
++
++struct rsys_um_remove_all_onetime_name_ia32_t
++  {
++    __u32 name;
++    __u32 old_pass;
++  };
++
++struct rsys_um_count_onetime_ia32_t
++  {
++    rsbac_uid_t uid;
++    __u32       old_pass;
++  };
++
++struct rsys_um_count_onetime_name_ia32_t
++  {
++    __u32 name;
++    __u32 old_pass;
++  };
++
++struct rsys_um_set_group_pass_ia32_t
++  {
++    rsbac_gid_t gid;
++    __u32       new_pass;
++  };
++
++struct rsys_um_check_account_ia32_t
++  {
++    rsbac_uid_t   uid;
++  };
++
++struct rsys_um_check_account_name_ia32_t
++  {
++    __u32 name;
++  };
++
++struct rsys_um_get_max_history_ia32_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    rsbac_uid_t   uid;
++  };
++
++struct rsys_um_get_max_history_name_ia32_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    __u32 name;
++  };
++
++struct rsys_um_set_max_history_ia32_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    rsbac_uid_t   uid;
++    __u8          max_history;
++  };
++
++struct rsys_um_set_max_history_name_ia32_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    __u32 name;
++    __u8   max_history;
++  };
++
++struct rsys_um_select_vset_ia32_t
++  {
++    rsbac_um_set_t vset;
++  };
++
++struct rsys_list_ta_begin_ia32_t
++  {
++    rsbac_time_t ttl;
++    __u32        ta_number_p;
++    rsbac_uid_t  commit_uid;
++    __u32        password;
++  };
++
++struct rsys_list_ta_begin_name_ia32_t
++  {
++    rsbac_time_t ttl;
++    __u32 ta_number_p;
++    rsbac_uid_t commit_uid;
++    __u32 name;
++    __u32 password;
++  };
++
++struct rsys_list_ta_refresh_ia32_t
++  {
++    rsbac_time_t ttl;
++    rsbac_list_ta_number_t ta_number;
++    __u32 password;
++  };
++
++struct rsys_list_ta_commit_ia32_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    __u32 password;
++  };
++
++struct rsys_list_ta_forget_ia32_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    __u32 password;
++  };
++
++struct rsys_list_all_dev_ia32_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    __u32 id_p;
++    u_long maxnum;
++  };
++
++struct rsys_acl_list_all_dev_ia32_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    __u32 id_p;
++    u_long maxnum;
++  };
++
++struct rsys_list_all_user_ia32_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    __u32 id_p;
++    u_long maxnum;
++  };
++
++struct rsys_acl_list_all_user_ia32_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    __u32 id_p;
++    u_long maxnum;
++  };
++
++struct rsys_list_all_group_ia32_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    __u32 id_p;
++    u_long maxnum;
++  };
++
++struct rsys_acl_list_all_group_ia32_t
++  {
++    rsbac_list_ta_number_t ta_number;
++    __u32 id_p;
++    u_long maxnum;
++  };
++
++struct rsys_list_all_ipc_ia32_t
++{
++       rsbac_list_ta_number_t ta_number;
++       __u32 id_p;
++       u_long maxnum;
++};
++
++struct rsys_rc_select_fd_create_type_ia32_t
++{
++	rsbac_rc_type_id_t type;
++};
++
++union rsbac_syscall_arg_ia32_t
++  {
++    struct rsys_check_ia32_t check;
++    struct rsys_get_attr_ia32_t get_attr;
++    struct rsys_get_attr_n_ia32_t get_attr_n;
++    struct rsys_set_attr_ia32_t set_attr;
++    struct rsys_set_attr_n_ia32_t set_attr_n;
++    struct rsys_remove_target_ia32_t remove_target;
++    struct rsys_remove_target_n_ia32_t remove_target_n;
++    struct rsys_net_list_all_netdev_ia32_t net_list_all_netdev;
++    struct rsys_net_template_ia32_t net_template;
++    struct rsys_net_list_all_template_ia32_t net_list_all_template;
++    struct rsys_switch_ia32_t switch_module;
++    struct rsys_get_switch_ia32_t get_switch_module;
++    struct rsys_adf_log_switch_ia32_t adf_log_switch;
++    struct rsys_get_adf_log_ia32_t get_adf_log;
++    struct rsys_log_ia32_t log;
++    struct rsys_mac_set_curr_level_ia32_t mac_set_curr_level;
++    struct rsys_mac_get_curr_level_ia32_t mac_get_curr_level;
++    struct rsys_mac_get_max_level_ia32_t mac_get_max_level;
++    struct rsys_mac_get_min_level_ia32_t mac_get_min_level;
++    struct rsys_mac_add_p_tru_ia32_t mac_add_p_tru;
++    struct rsys_mac_remove_p_tru_ia32_t mac_remove_p_tru;
++    struct rsys_mac_add_f_tru_ia32_t mac_add_f_tru;
++    struct rsys_mac_remove_f_tru_ia32_t mac_remove_f_tru;
++    struct rsys_mac_get_f_trulist_ia32_t mac_get_f_trulist;
++    struct rsys_mac_get_p_trulist_ia32_t mac_get_p_trulist;
++    struct rsys_pm_ia32_t pm;
++    struct rsys_pm_change_current_task_ia32_t pm_change_current_task;
++    struct rsys_pm_create_file_ia32_t pm_create_file;
++    struct rsys_rc_copy_role_ia32_t rc_copy_role;
++    struct rsys_rc_copy_type_ia32_t rc_copy_type;
++    struct rsys_rc_get_item_ia32_t rc_get_item;
++    struct rsys_rc_set_item_ia32_t rc_set_item;
++    struct rsys_rc_get_list_ia32_t rc_get_list;
++    struct rsys_rc_change_role_ia32_t rc_change_role;
++    struct rsys_rc_get_eff_rights_n_ia32_t rc_get_eff_rights_n;
++    struct rsys_rc_get_current_role_ia32_t rc_get_current_role;
++    struct rsys_auth_add_p_cap_ia32_t auth_add_p_cap;
++    struct rsys_auth_remove_p_cap_ia32_t auth_remove_p_cap;
++    struct rsys_auth_add_f_cap_ia32_t auth_add_f_cap;
++    struct rsys_auth_remove_f_cap_ia32_t auth_remove_f_cap;
++    struct rsys_auth_get_f_caplist_ia32_t auth_get_f_caplist;
++    struct rsys_auth_get_p_caplist_ia32_t auth_get_p_caplist;
++    struct rsys_acl_ia32_t acl;
++    struct rsys_acl_n_ia32_t acl_n;
++    struct rsys_acl_get_rights_ia32_t acl_get_rights;
++    struct rsys_acl_get_rights_n_ia32_t acl_get_rights_n;
++    struct rsys_acl_get_tlist_ia32_t acl_get_tlist;
++    struct rsys_acl_get_tlist_n_ia32_t acl_get_tlist_n;
++    struct rsys_acl_get_mask_ia32_t acl_get_mask;
++    struct rsys_acl_get_mask_n_ia32_t acl_get_mask_n;
++    struct rsys_acl_group_ia32_t acl_group;
++    struct rsys_reg_ia32_t reg;
++    struct rsys_jail_ia32_t jail;
++    struct rsys_init_ia32_t init;
++    struct rsys_um_auth_name_ia32_t um_auth_name;
++    struct rsys_um_auth_uid_ia32_t um_auth_uid;
++    struct rsys_um_add_user_ia32_t um_add_user;
++    struct rsys_um_add_group_ia32_t um_add_group;
++    struct rsys_um_add_gm_ia32_t um_add_gm;
++    struct rsys_um_mod_user_ia32_t um_mod_user;
++    struct rsys_um_mod_group_ia32_t um_mod_group;
++    struct rsys_um_get_user_item_ia32_t um_get_user_item;
++    struct rsys_um_get_group_item_ia32_t um_get_group_item;
++    struct rsys_um_remove_user_ia32_t um_remove_user;
++    struct rsys_um_remove_group_ia32_t um_remove_group;
++    struct rsys_um_remove_gm_ia32_t um_remove_gm;
++    struct rsys_um_user_exists_ia32_t um_user_exists;
++    struct rsys_um_group_exists_ia32_t um_group_exists;
++    struct rsys_um_get_next_user_ia32_t um_get_next_user;
++    struct rsys_um_get_user_list_ia32_t um_get_user_list;
++    struct rsys_um_get_gm_list_ia32_t um_get_gm_list;
++    struct rsys_um_get_gm_user_list_ia32_t um_get_gm_user_list;
++    struct rsys_um_get_group_list_ia32_t um_get_group_list;
++    struct rsys_um_get_uid_ia32_t um_get_uid;
++    struct rsys_um_get_gid_ia32_t um_get_gid;
++    struct rsys_um_set_pass_ia32_t um_set_pass;
++    struct rsys_um_set_pass_name_ia32_t um_set_pass_name;
++    struct rsys_um_add_onetime_ia32_t um_add_onetime;
++    struct rsys_um_add_onetime_name_ia32_t um_add_onetime_name;
++    struct rsys_um_remove_all_onetime_ia32_t um_remove_all_onetime;
++    struct rsys_um_remove_all_onetime_name_ia32_t um_remove_all_onetime_name;
++    struct rsys_um_count_onetime_ia32_t um_count_onetime;
++    struct rsys_um_count_onetime_name_ia32_t um_count_onetime_name;
++    struct rsys_um_set_group_pass_ia32_t um_set_group_pass;
++    struct rsys_um_check_account_ia32_t um_check_account;
++    struct rsys_um_check_account_name_ia32_t um_check_account_name;
++    struct rsys_um_get_max_history_ia32_t um_get_max_history;
++    struct rsys_um_get_max_history_name_ia32_t um_get_max_history_name;
++    struct rsys_um_set_max_history_ia32_t um_set_max_history;
++    struct rsys_um_set_max_history_name_ia32_t um_set_max_history_name;
++    struct rsys_list_ta_begin_ia32_t list_ta_begin;
++    struct rsys_list_ta_begin_name_ia32_t list_ta_begin_name;
++    struct rsys_list_ta_refresh_ia32_t list_ta_refresh;
++    struct rsys_list_ta_commit_ia32_t list_ta_commit;
++    struct rsys_list_ta_forget_ia32_t list_ta_forget;
++    struct rsys_list_all_dev_ia32_t list_all_dev;
++    struct rsys_acl_list_all_dev_ia32_t acl_list_all_dev;
++    struct rsys_list_all_user_ia32_t list_all_user;
++    struct rsys_acl_list_all_user_ia32_t acl_list_all_user;
++    struct rsys_list_all_group_ia32_t list_all_group;
++    struct rsys_acl_list_all_group_ia32_t acl_list_all_group;
++    struct rsys_list_all_ipc_ia32_t list_all_ipc;
++    struct rsys_rc_select_fd_create_type_ia32_t rc_select_fd_create_type;
++    struct rsys_um_select_vset_ia32_t um_select_vset;
++    __u32 dummy;
++  };
++
++#endif /* CONFIG_IA32_EMULATION */
++
++#endif
+diff --git a/include/rsbac/types.h b/include/rsbac/types.h
+new file mode 100644
+index 0000000..d0dc84f
+--- /dev/null
++++ b/include/rsbac/types.h
+@@ -0,0 +1,1015 @@
++/*********************************** */
++/* Rule Set Based Access Control     */
++/* Author and (c)1999-2011:          */
++/*   Amon Ott <ao@...>         */
++/* API: Data types for attributes    */
++/*      and standard module calls    */
++/* Last modified: 12/Jul/2011        */
++/*********************************** */
++
++#ifndef __RSBAC_TYPES_H
++#define __RSBAC_TYPES_H
++
++
++/* trigger module dependency for EXPORT_SYMBOL */
++#ifdef CONFIG_MODULES
++#endif
++
++#define RSBAC_VERSION "1.4.6"
++#define RSBAC_VERSION_MAJOR 1
++#define RSBAC_VERSION_MID 4
++#define RSBAC_VERSION_MINOR 6
++#define RSBAC_VERSION_NR \
++ ((RSBAC_VERSION_MAJOR << 16) | (RSBAC_VERSION_MID << 8) | RSBAC_VERSION_MINOR)
++#define RSBAC_VERSION_MAKE_NR(x,y,z) \
++ ((x << 16) | (y << 8) | z)
++
++#ifdef __KERNEL__
++#include <linux/types.h>
++#include <linux/capability.h>
++#include <linux/resource.h>
++#else
++#include <asm/types.h>
++#include <sys/types.h>
++#endif
++
++typedef __u32 rsbac_version_t;
++typedef __u64 rsbac_uid_t;           /* High 32 Bit virtual set, low uid */
++typedef __u64 rsbac_gid_t;           /* High 32 Bit virtual set, low gid */
++typedef __u32 rsbac_old_uid_t;       /* Same as user in Linux kernel */
++typedef __u32 rsbac_uid_num_t;       /* Same as user in Linux kernel */
++typedef __u32 rsbac_old_gid_t;       /* Same as group in Linux kernel */
++typedef __u32 rsbac_gid_num_t;       /* Same as user in Linux kernel */
++typedef __u32 rsbac_um_set_t;
++typedef __u32 rsbac_time_t;          /* Same as time_t in Linux kernel */
++typedef kernel_cap_t rsbac_cap_vector_t;    /* Same as kernel_cap_t in Linux kernel */
++typedef __u32 rsbac_cap_old_vector_t;    /* Same as kernel_cap_t in Linux kernel */
++
++#define RSBAC_UID_SET(x) ((rsbac_um_set_t) (x >> 32))
++#define RSBAC_UID_NUM(x) ((rsbac_uid_num_t) (x & (rsbac_uid_num_t) -1))
++#define RSBAC_GEN_UID(x,y) ((rsbac_uid_t) x << 32 | RSBAC_UID_NUM(y))
++#define RSBAC_GID_SET(x) ((rsbac_um_set_t) (x >> 32))
++#define RSBAC_GID_NUM(x) ((rsbac_gid_num_t) (x & (rsbac_gid_num_t) -1))
++#define RSBAC_GEN_GID(x,y) ((rsbac_gid_t) x << 32 | RSBAC_GID_NUM(y))
++#define RSBAC_UM_VIRTUAL_KEEP ((rsbac_um_set_t) -1)
++#define RSBAC_UM_VIRTUAL_ALL ((rsbac_um_set_t) -2)
++#define RSBAC_UM_VIRTUAL_MAX ((rsbac_um_set_t) -10)
++
++typedef __u32 rsbac_list_ta_number_t;
++
++struct rsbac_nanotime_t
++    {
++      rsbac_time_t sec;
++      __u32 nsec;
++    };
++
++#ifdef __KERNEL__
++#include <linux/fs.h>
++#include <linux/socket.h>
++#include <linux/pipe_fs_i.h>
++#include <linux/kdev_t.h>
++
++/* version checks */
++#ifndef LINUX_VERSION_CODE
++#include <linux/version.h>
++#endif
++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,4,19)
++#error "RSBAC: unsupported kernel version"
++#endif
++
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,24)
++#include <linux/pid.h>
++#endif
++#define RSBAC_MAJOR MAJOR
++#define RSBAC_MINOR MINOR
++#define RSBAC_MKDEV(major,minor) MKDEV(major,minor)
++static inline rsbac_time_t rsbac_current_time(void)
++  {
++    struct timespec ts = CURRENT_TIME;
++    return ts.tv_sec;
++  }
++static inline void rsbac_get_current_nanotime(struct rsbac_nanotime_t * nanotime)
++  {
++    struct timespec ts = CURRENT_TIME;
++    nanotime->sec = ts.tv_sec;
++    nanotime->nsec = ts.tv_nsec;
++  }
++#ifndef kdev_t
++#define kdev_t dev_t
++#endif
++#define RSBAC_CURRENT_TIME (rsbac_current_time())
++
++
++#define RSBAC_ZERO_DEV RSBAC_MKDEV(0,0)
++#define RSBAC_AUTO_DEV RSBAC_MKDEV(99,99)
++#define RSBAC_IS_ZERO_DEV(kdev) (!RSBAC_MAJOR(kdev) && !RSBAC_MINOR(kdev))
++#define RSBAC_IS_AUTO_DEV(kdev) ((RSBAC_MAJOR(kdev) == 99) && (RSBAC_MINOR(kdev) == 99))
++
++#ifdef CONFIG_RSBAC_INIT_DELAY
++#define R_INIT
++#else
++#define R_INIT __init
++#endif
++
++#endif
++
++/* General */
++
++#ifndef NULL
++#define NULL ((void *) 0)
++#endif
++
++#define rsbac_min(a,b) (((a)<(b))?(a):(b))
++#define rsbac_max(a,b) (((a)>(b))?(a):(b))
++
++#define RSBAC_OLD_NO_USER 65533
++#define RSBAC_OLD_ALL_USERS 65532
++#define RSBAC_NO_USER ((rsbac_uid_num_t) -3)
++#define RSBAC_ALL_USERS ((rsbac_uid_num_t) -4)
++#define RSBAC_NO_GROUP ((rsbac_gid_num_t) -3)
++#define RSBAC_ALL_GROUPS ((rsbac_gid_num_t) -4)
++
++#ifndef FALSE
++#define FALSE 0
++#endif
++#ifndef TRUE
++#define TRUE 1
++#endif
++
++typedef u_int rsbac_boolean_t;
++
++typedef __u8 rsbac_boolean_int_t;
++
++#define RSBAC_IFNAMSIZ 16
++typedef u_char rsbac_netdev_id_t[RSBAC_IFNAMSIZ + 1];
++
++#define RSBAC_SEC_DEL_CHUNK_SIZE 65536
++
++/* Adjust these, if you have to, but if you do, adjust them all! */
++/* Note: no / allowed, file must be exactly in second level! */
++#define RSBAC_AUTH_LOGIN_PATH "/bin/login"
++#define RSBAC_AUTH_LOGIN_PATH_DIR "bin"
++#define RSBAC_AUTH_LOGIN_PATH_FILE "login"
++
++/* These data structures work parallel to the Linux data structures, */
++/* so all data for RSBAC decisions is maintained seperately.         */
++/* Any change to RSBAC data will NOT modify any other linux data,    */
++/* e.g. userlists, process lists or inodes.                          */
++
++/* Special generic lists time-to-live (ttl) value to keep old setting */
++#define RSBAC_LIST_TTL_KEEP ((rsbac_time_t) -1)
++
++typedef __u8 rsbac_enum_t; /* internally used for all enums */
++
++#define RSBAC_SYSADM_UID   0
++#define RSBAC_BIN_UID      1
++#ifdef CONFIG_RSBAC_SECOFF_UID
++#define RSBAC_SECOFF_UID   CONFIG_RSBAC_SECOFF_UID
++#else
++#define RSBAC_SECOFF_UID 400
++#endif
++#define RSBAC_DATAPROT_UID (RSBAC_SECOFF_UID+1)
++#define RSBAC_TPMAN_UID    (RSBAC_SECOFF_UID+2)
++#define RSBAC_AUDITOR_UID  (RSBAC_SECOFF_UID+4)
++
++typedef __u32 rsbac_pseudo_t;               /* For Pseudonymic Logging */
++typedef __kernel_pid_t rsbac_upid_t;         /* Same as pid in Linux < 2.6.24 */
++
++typedef struct pid * rsbac_pid_t;         /* use new pid struct */
++
++typedef __u32 rsbac_ta_number_t;
++
++typedef __u8 rsbac_security_level_t;
++#define SL_max            252
++#define SL_min            0
++// #define SL_rsbac_internal 253
++#define SL_inherit        254
++#define SL_none           255
++enum    rsbac_old_security_level_t {SL_unclassified, SL_confidential, SL_secret,
++                                    SL_top_secret, SL_old_rsbac_internal,
++                                    SL_old_inherit, SL_old_none};
++                                             /* MAC security levels   */
++typedef __u64 rsbac_mac_category_vector_t;   /* MAC category sets */
++#define RSBAC_MAC_GENERAL_CATEGORY 0
++#define RSBAC_MAC_DEF_CAT_VECTOR ((rsbac_mac_category_vector_t) 1)
++  /* 1 << GENERAL_CAT */
++#define RSBAC_MAC_MAX_CAT_VECTOR ((rsbac_mac_category_vector_t) -1)
++  /* all bits set */
++#define RSBAC_MAC_MIN_CAT_VECTOR ((rsbac_mac_category_vector_t) 0)
++  /* no bits set */
++#define RSBAC_MAC_INHERIT_CAT_VECTOR ((rsbac_mac_category_vector_t) 0)
++  /* for fd: no bits set */
++#define RSBAC_MAC_NR_CATS 64
++#define RSBAC_MAC_MAX_CAT 63
++
++#define RSBAC_MAC_CAT_VECTOR(x) ((rsbac_mac_category_vector_t) 1 << (x))
++
++typedef u_int rsbac_cwi_relation_id_t;
++
++/* For MAC, FF, AUTH */
++enum    rsbac_system_role_t {SR_user, SR_security_officer, SR_administrator,
++                             SR_auditor, SR_none};
++typedef rsbac_enum_t rsbac_system_role_int_t;
++
++/* For all models */
++enum    rsbac_fake_root_uid_t {FR_off, FR_uid_only, FR_euid_only, FR_both,
++                              FR_none};
++typedef rsbac_enum_t rsbac_fake_root_uid_int_t;
++
++enum    rsbac_scd_type_t {ST_time_strucs, ST_clock, ST_host_id,
++                          ST_net_id, ST_ioports, ST_rlimit,
++                          ST_swap, ST_syslog, ST_rsbac, ST_rsbac_log,
++                          ST_other, ST_kmem, ST_network, ST_firewall,
++                          ST_priority, ST_sysfs, ST_rsbac_remote_log,
++                          ST_quota, ST_sysctl, ST_nfsd, ST_ksyms,
++                          ST_mlock, ST_capability, ST_kexec, ST_videomem,
++                          ST_none};
++
++typedef __u32 rsbac_scd_vector_t;
++#define RSBAC_SCD_VECTOR(x) ((rsbac_scd_vector_t) 1 << (x))
++
++enum    rsbac_dev_type_t {D_block, D_char, D_block_major, D_char_major, D_none};
++
++
++enum    rsbac_ipc_type_t {I_sem, I_msg, I_shm, I_anonpipe, I_mqueue,
++				I_anonunix, I_none};
++union   rsbac_ipc_id_t
++  {
++    u_long id_nr;
++  };
++
++typedef __u32 rsbac_inode_nr_t;
++
++enum    rsbac_linux_dac_disable_t {LDD_false, LDD_true, LDD_inherit, LDD_none};
++typedef rsbac_enum_t rsbac_linux_dac_disable_int_t;
++
++#ifdef __KERNEL__
++/* We need unique identifiers for each file/dir. inode means inode in */
++/* the file system.                                                   */
++struct rsbac_fs_file_t
++    {
++      kdev_t               device;
++      rsbac_inode_nr_t     inode;
++      struct dentry      * dentry_p;  /* used for inheritance recursion */
++    };
++
++struct rsbac_dev_t
++    {
++      enum  rsbac_dev_type_t     type;
++            kdev_t               id;
++    };
++#endif /* __KERNEL */
++
++/* We need unique ids for dev objects */
++struct rsbac_dev_desc_t
++    {
++      __u32 type;
++      __u32 major;
++      __u32 minor;
++    };
++
++static inline struct rsbac_dev_desc_t
++  rsbac_mkdev_desc(__u32 type, __u32 major, __u32 minor)
++  {
++    struct rsbac_dev_desc_t dev_desc;
++
++    dev_desc.type = type;
++    dev_desc.major = major;
++    dev_desc.minor = minor;
++    return dev_desc;
++  }
++
++#define RSBAC_ZERO_DEV_DESC rsbac_mkdev_desc(D_none, 0, 0)
++#define RSBAC_AUTO_DEV_DESC rsbac_mkdev_desc(D_none, 99, 99)
++#define RSBAC_IS_ZERO_DEV_DESC(dev) ((dev.type == D_none) && !dev.major && !dev.minor)
++#define RSBAC_IS_AUTO_DEV_DESC(dev) ((dev.type == D_none) && (dev.major == 99) && (dev.minor == 99))
++
++/* And we need unique ids for ipc objects */
++struct rsbac_ipc_t
++    {
++      enum  rsbac_ipc_type_t     type;
++      union rsbac_ipc_id_t       id;
++    };
++
++/* log levels: nothing, denied requests only, all, refer to request log level */
++enum    rsbac_log_level_t {LL_none, LL_denied, LL_full, LL_request, LL_invalid};
++typedef __u64 rsbac_log_array_t;
++
++/* request bitvectors */
++typedef __u64 rsbac_request_vector_t;
++#define RSBAC_REQUEST_VECTOR(x) ((rsbac_request_vector_t) 1 << (x))
++
++/* The max length of each filename is kept in a macro */
++#define RSBAC_MAXNAMELEN     256
++
++#define RSBAC_LIST_TA_MAX_NAMELEN 32
++#define RSBAC_LIST_TA_MAX_PASSLEN 36
++
++/* MAC */
++
++typedef __u8 rsbac_mac_user_flags_t;
++typedef __u16 rsbac_mac_process_flags_t;
++typedef __u8 rsbac_mac_file_flags_t;
++typedef struct rsbac_fs_file_t rsbac_mac_file_t;
++#define RSBAC_MAC_MAX_MAXNUM 1000000
++
++#define MAC_override		1
++#define MAC_auto		2
++#define MAC_trusted     	4
++#define MAC_write_up		8
++#define MAC_read_up		16
++#define MAC_write_down		32
++#define MAC_allow_auto		64
++#define MAC_prop_trusted	128
++#define MAC_program_auto	256
++
++#define RSBAC_MAC_U_FLAGS (MAC_override | MAC_trusted | MAC_write_up | MAC_read_up | MAC_write_down | MAC_allow_auto)
++#define RSBAC_MAC_P_FLAGS (MAC_override | MAC_auto | MAC_trusted | MAC_write_up | MAC_read_up | MAC_write_down | MAC_prop_trusted | MAC_program_auto)
++#define RSBAC_MAC_F_FLAGS (MAC_auto | MAC_trusted | MAC_write_up | MAC_read_up | MAC_write_down)
++
++#define RSBAC_MAC_DEF_U_FLAGS 0
++#define RSBAC_MAC_DEF_SYSADM_U_FLAGS MAC_allow_auto
++#define RSBAC_MAC_DEF_SECOFF_U_FLAGS MAC_override
++
++#define RSBAC_MAC_DEF_P_FLAGS 0
++#define RSBAC_MAC_DEF_INIT_P_FLAGS MAC_auto
++
++typedef rsbac_enum_t rsbac_mac_auto_int_t;
++enum    rsbac_mac_auto_t {MA_no, MA_yes, MA_inherit};
++
++/* PM */
++
++#include <rsbac/pm_types.h>
++
++/* DAZ */
++typedef __u8 rsbac_daz_scanned_t;
++#define DAZ_unscanned 0
++#define DAZ_infected 1
++#define DAZ_clean 2
++#define DAZ_max 2
++#define DEFAULT_DAZ_FD_SCANNED DAZ_unscanned
++typedef __u8 rsbac_daz_scanner_t;
++typedef __u8 rsbac_daz_do_scan_t;
++#define DAZ_never 0
++#define DAZ_registered 1
++#define DAZ_always 2
++#define DAZ_inherit 3
++#define DAZ_max_do_scan 3
++#define DEFAULT_DAZ_FD_DO_SCAN DAZ_inherit
++#define DEFAULT_DAZ_FD_ROOT_DO_SCAN DAZ_registered
++
++/* FF */
++
++typedef __u16 rsbac_ff_flags_t;
++#define FF_read_only       1
++#define FF_execute_only    2
++#define FF_search_only     4
++#define FF_write_only      8
++#define FF_secure_delete  16
++#define FF_no_execute     32
++#define FF_no_delete_or_rename 64
++#define FF_append_only   256
++#define FF_no_mount      512
++#define FF_no_search     1024
++
++#define FF_add_inherited 128
++
++#define RSBAC_FF_DEF FF_add_inherited
++#define RSBAC_FF_ROOT_DEF 0
++
++/***** RC *****/
++
++#include <rsbac/rc_types.h>
++
++/**** AUTH ****/
++/* special cap value, replaced by process owner at execute time */
++#define RSBAC_AUTH_MAX_MAXNUM 1000000
++#define RSBAC_AUTH_OWNER_F_CAP ((rsbac_uid_num_t) -3)
++#define RSBAC_AUTH_DAC_OWNER_F_CAP ((rsbac_uid_num_t) -4)
++#define RSBAC_AUTH_MAX_RANGE_UID ((rsbac_uid_num_t) -10)
++#define RSBAC_AUTH_GROUP_F_CAP ((rsbac_uid_num_t) -3)
++#define RSBAC_AUTH_DAC_GROUP_F_CAP ((rsbac_uid_num_t) -4)
++#define RSBAC_AUTH_MAX_RANGE_GID ((rsbac_uid_num_t) -10)
++typedef struct rsbac_fs_file_t rsbac_auth_file_t;
++struct rsbac_auth_cap_range_t
++  {
++    rsbac_uid_t first;
++    rsbac_uid_t last;
++  };
++struct rsbac_auth_old_cap_range_t
++  {
++    rsbac_old_uid_t first;
++    rsbac_old_uid_t last;
++  };
++enum    rsbac_auth_cap_type_t {ACT_real, ACT_eff, ACT_fs, 
++                               ACT_group_real, ACT_group_eff, ACT_group_fs,
++                               ACT_none};
++typedef rsbac_enum_t rsbac_auth_cap_type_int_t;
++
++enum    rsbac_auth_may_setuid_t {AMS_off, AMS_full, AMS_last_auth_only, 
++                               AMS_last_auth_and_gid, AMS_none};
++
++typedef rsbac_enum_t rsbac_auth_may_setuid_int_t;
++
++/**** ACL ****/
++/* include at end of types.h */
++
++/**** CAP ****/
++enum    rsbac_cap_process_hiding_t {PH_off, PH_from_other_users, PH_full,
++                              PH_none};
++typedef rsbac_enum_t rsbac_cap_process_hiding_int_t;
++
++enum rsbac_cap_ld_env_t { LD_deny, LD_allow, LD_keep, LD_inherit };
++typedef rsbac_enum_t rsbac_cap_ld_env_int_t;
++
++#define RSBAC_CAP_DEFAULT_MIN (__u32) 0
++#define RSBAC_CAP_DEFAULT_MAX (__u32) -1
++
++#include <linux/capability.h>
++#define CAP_NONE 34
++#define RSBAC_CAP_MAX CAP_NONE
++
++/**** JAIL ****/
++
++#define RSBAC_JAIL_VERSION 1
++
++typedef __u32 rsbac_jail_id_t;
++#define RSBAC_JAIL_DEF_ID 0
++typedef __u32 rsbac_jail_ip_t;
++typedef __u32 rsbac_jail_scd_vector_t;
++
++typedef __u32 rsbac_jail_flags_t;
++#define JAIL_allow_external_ipc 1
++#define JAIL_allow_all_net_family 2
++#define JAIL_allow_inet_raw 8
++#define JAIL_auto_adjust_inet_any 16
++#define JAIL_allow_inet_localhost 32
++#define JAIL_allow_dev_get_status 128
++#define JAIL_allow_dev_mod_system 256
++#define JAIL_allow_dev_read 512
++#define JAIL_allow_dev_write 1024
++#define JAIL_allow_tty_open 2048
++#define JAIL_allow_parent_ipc 4096
++#define JAIL_allow_suid_files 8192
++#define JAIL_allow_mount 16384
++#define JAIL_this_is_syslog 32768
++#define JAIL_allow_ipc_to_syslog 65536
++#define JAIL_allow_netlink 131072
++
++#define RSBAC_JAIL_LOCALHOST ((1 << 24) | 127)
++
++/**** PAX ****/
++
++typedef unsigned long rsbac_pax_flags_t;
++
++/* for PaX defines */
++#ifdef __KERNEL__
++#include <linux/elf.h>
++#include <linux/random.h>
++#endif
++#ifndef PF_PAX_PAGEEXEC
++#define PF_PAX_PAGEEXEC	0x01000000	/* Paging based non-executable pages */
++#define PF_PAX_EMUTRAMP	0x02000000	/* Emulate trampolines */
++#define PF_PAX_MPROTECT	0x04000000	/* Restrict mprotect() */
++#define PF_PAX_RANDMMAP	0x08000000	/* Randomize mmap() base */
++#define PF_PAX_RANDEXEC	0x10000000	/* Randomize ET_EXEC base */
++#define PF_PAX_SEGMEXEC	0x20000000	/* Segmentation based non-executable pages */
++#endif
++
++#define RSBAC_PAX_DEF_FLAGS (PF_PAX_SEGMEXEC | PF_PAX_PAGEEXEC | PF_PAX_MPROTECT | PF_PAX_RANDMMAP)
++#define RSBAC_PAX_ALL_FLAGS ((rsbac_pax_flags_t) 255 << 24)
++
++/**** UM User management ****/
++/* Included from um_types.h */
++
++/**** RES ****/
++
++typedef __u32 rsbac_res_limit_t;
++#define RSBAC_RES_UNSET 0
++
++#define RSBAC_RES_MAX 10 /* RLIMIT_LOCKS in 2.4.x kernels */
++#define RSBAC_RES_NONE 11
++
++typedef rsbac_res_limit_t rsbac_res_array_t[RSBAC_RES_MAX + 1];
++
++/**** REG ****/
++typedef __s32 rsbac_reg_handle_t;
++
++
++/****************************************************************************/
++/* ADF types                                                                */
++/****************************************************************************/
++
++#include <rsbac/network_types.h>
++
++#ifdef __KERNEL__
++    typedef struct socket * rsbac_net_obj_id_t;
++#else
++    typedef void * rsbac_net_obj_id_t;
++#endif
++
++struct rsbac_net_obj_desc_t
++  {
++    rsbac_net_obj_id_t sock_p;
++    void * local_addr;
++    u_int  local_len;
++    void * remote_addr;
++    u_int  remote_len;
++    rsbac_net_temp_id_t local_temp;
++    rsbac_net_temp_id_t remote_temp;
++  };
++
++#define RSBAC_ADF_REQUEST_ARRAY_VERSION 2
++
++enum  rsbac_adf_request_t {
++                        R_ADD_TO_KERNEL,
++                        R_ALTER,
++                        R_APPEND_OPEN,
++                        R_CHANGE_GROUP,
++                        R_CHANGE_OWNER,
++                        R_CHDIR,
++                        R_CLONE,
++                        R_CLOSE,
++                        R_CREATE,
++                        R_DELETE,
++                        R_EXECUTE,
++                        R_GET_PERMISSIONS_DATA,
++                        R_GET_STATUS_DATA,
++                        R_LINK_HARD,
++                        R_MODIFY_ACCESS_DATA,
++                        R_MODIFY_ATTRIBUTE,
++                        R_MODIFY_PERMISSIONS_DATA,
++                        R_MODIFY_SYSTEM_DATA,
++                        R_MOUNT,
++                        R_READ,
++                        R_READ_ATTRIBUTE,
++                        R_READ_WRITE_OPEN,
++                        R_READ_OPEN,
++                        R_REMOVE_FROM_KERNEL,
++                        R_RENAME,
++                        R_SEARCH,
++                        R_SEND_SIGNAL,
++                        R_SHUTDOWN,
++                        R_SWITCH_LOG,
++                        R_SWITCH_MODULE,
++                        R_TERMINATE,
++                        R_TRACE,
++                        R_TRUNCATE,
++                        R_UMOUNT,
++                        R_WRITE,
++                        R_WRITE_OPEN,
++                        R_MAP_EXEC,
++                        R_BIND,
++                        R_LISTEN,
++                        R_ACCEPT,
++                        R_CONNECT,
++                        R_SEND,
++                        R_RECEIVE,
++                        R_NET_SHUTDOWN,
++                        R_CHANGE_DAC_EFF_OWNER,
++                        R_CHANGE_DAC_FS_OWNER,
++                        R_CHANGE_DAC_EFF_GROUP,
++                        R_CHANGE_DAC_FS_GROUP,
++                        R_IOCTL,
++                        R_LOCK,
++                        R_AUTHENTICATE,
++                        R_NONE
++                      };
++
++typedef rsbac_enum_t rsbac_adf_request_int_t;
++
++#include <rsbac/request_groups.h>
++
++/* This type is returned from the rsbac_adf_request() function. Since a */
++/* decision of undefined means an error, it is never returned.          */
++
++enum  rsbac_adf_req_ret_t {NOT_GRANTED,GRANTED,DO_NOT_CARE,UNDEFINED};
++
++/****************************************************************************/
++/* ACI types                                                                */
++/****************************************************************************/
++
++/* For switching adf-modules */
++enum  rsbac_switch_target_t {SW_GEN,SW_MAC,SW_PM,SW_DAZ,SW_FF,SW_RC,SW_AUTH,
++			SW_REG,SW_ACL,SW_CAP,SW_JAIL,SW_RES,SW_PAX,SW_SOFTMODE,
++			SW_DAC_DISABLE,SW_UM,SW_FREEZE,SW_NONE};
++#define RSBAC_MAX_MOD (SW_SOFTMODE - 1)
++typedef rsbac_enum_t rsbac_switch_target_int_t;
++
++/****************************************************************************/
++/* For objects, users and processes all manipulation is encapsulated by the */
++/* function calls rsbac_set_attr, rsbac_get_attr and rsbac_remove_target.   */
++
++/* For those, we declare some extra types to specify target and attribute.  */
++
++enum   rsbac_target_t {T_FILE, T_DIR, T_FIFO, T_SYMLINK, T_DEV, T_IPC, T_SCD, T_USER, T_PROCESS,
++                       T_NETDEV, T_NETTEMP, T_NETOBJ, T_NETTEMP_NT, T_GROUP,
++                       T_FD, T_UNIXSOCK,
++                       T_NONE};
++
++union  rsbac_target_id_t
++       {
++#ifdef __KERNEL__
++          struct rsbac_fs_file_t    file;
++          struct rsbac_fs_file_t    dir;
++          struct rsbac_fs_file_t    fifo;
++          struct rsbac_fs_file_t    symlink;
++          struct rsbac_fs_file_t    unixsock;
++#endif
++          struct rsbac_dev_desc_t   dev;
++          struct rsbac_ipc_t        ipc;
++          rsbac_enum_t              scd;
++          rsbac_uid_t               user;
++          rsbac_gid_t               group;
++          rsbac_pid_t               process; /* new struct pid * */
++          rsbac_upid_t              uprocess; /* old fashioned pid from user space */
++          rsbac_netdev_id_t         netdev;
++          rsbac_net_temp_id_t       nettemp;
++          struct rsbac_net_obj_desc_t netobj;
++          int                       dummy;
++       };
++
++#ifdef __KERNEL__
++typedef rsbac_enum_t rsbac_log_entry_t[T_NONE+1];
++typedef rsbac_enum_t rsbac_old_log_entry_t[T_NONE];
++
++struct rsbac_create_data_t
++  {
++    enum   rsbac_target_t   target;
++    struct dentry         * dentry_p;
++           int              mode;
++           kdev_t           device; /* for mknod etc. */
++  };
++
++struct rsbac_rlimit_t
++  {
++           u_int            resource;
++    struct rlimit           limit;
++  };
++#endif
++
++enum rsbac_attribute_t
++  {
++    A_pseudo,
++    A_security_level,
++    A_initial_security_level,
++    A_local_sec_level,
++    A_remote_sec_level,
++    A_min_security_level,
++    A_mac_categories,
++    A_mac_initial_categories,
++    A_local_mac_categories,
++    A_remote_mac_categories,
++    A_mac_min_categories,
++    A_mac_user_flags,
++    A_mac_process_flags,
++    A_mac_file_flags,
++    A_system_role,
++    A_mac_role,
++    A_daz_role,
++    A_ff_role,
++    A_auth_role,
++    A_cap_role,
++    A_jail_role,
++    A_pax_role,
++    A_current_sec_level,
++    A_mac_curr_categories,
++    A_min_write_open,
++    A_min_write_categories,
++    A_max_read_open,
++    A_max_read_categories,
++    A_mac_auto,
++    A_mac_check,
++    A_mac_prop_trusted,
++    A_pm_role,
++    A_pm_process_type,
++    A_pm_current_task,
++    A_pm_object_class,
++    A_local_pm_object_class,
++    A_remote_pm_object_class,
++    A_pm_ipc_purpose,
++    A_local_pm_ipc_purpose,
++    A_remote_pm_ipc_purpose,
++    A_pm_object_type,
++    A_local_pm_object_type,
++    A_remote_pm_object_type,
++    A_pm_program_type,
++    A_pm_tp,
++    A_pm_task_set,
++    A_daz_scanned,
++    A_daz_scanner,
++    A_ff_flags,
++    A_rc_type,
++    A_rc_select_type,
++    A_local_rc_type,
++    A_remote_rc_type,
++    A_rc_type_fd,
++    A_rc_type_nt,
++    A_rc_force_role,
++    A_rc_initial_role,
++    A_rc_role,
++    A_rc_def_role,
++    A_auth_may_setuid,
++    A_auth_may_set_cap,
++    A_auth_learn,
++    A_min_caps,
++    A_max_caps,
++    A_max_caps_user,
++    A_max_caps_program,
++    A_jail_id,
++    A_jail_parent,
++    A_jail_ip,
++    A_jail_flags,
++    A_jail_max_caps,
++    A_jail_scd_get,
++    A_jail_scd_modify,
++    A_pax_flags,
++    A_res_role,
++    A_res_min,
++    A_res_max,
++    A_log_array_low,
++    A_local_log_array_low,
++    A_remote_log_array_low,
++    A_log_array_high,
++    A_local_log_array_high,
++    A_remote_log_array_high,
++    A_log_program_based,
++    A_log_user_based,
++    A_symlink_add_remote_ip,
++    A_symlink_add_uid,
++    A_symlink_add_mac_level,
++    A_symlink_add_rc_role,
++    A_linux_dac_disable,
++    A_cap_process_hiding,
++    A_fake_root_uid,
++    A_audit_uid,
++    A_auid_exempt,
++    A_auth_last_auth,
++    A_remote_ip,
++    A_cap_ld_env,
++    A_daz_do_scan,
++    A_vset,
++#ifdef __KERNEL__
++    /* adf-request helpers */
++    A_owner,
++    A_group,
++    A_signal,
++    A_mode,
++    A_nlink,
++    A_switch_target,
++    A_mod_name,
++    A_request,
++    A_trace_request,
++    A_auth_add_f_cap,
++    A_auth_remove_f_cap,
++    A_auth_get_caplist,
++    A_prot_bits,
++    A_internal,
++    /* used with CREATE on DIR */
++    A_create_data,
++    A_new_object,
++    A_rlimit,
++    A_new_dir_dentry_p,
++    A_program_file,
++    A_auth_start_uid,
++    A_auth_start_euid,
++    A_auth_start_gid,
++    A_auth_start_egid,
++    A_acl_learn,
++    A_priority,
++    A_pgid,
++    A_kernel_thread,
++    A_open_flag,
++    A_reboot_cmd,
++    A_setsockopt_level,
++    A_ioctl_cmd,
++    A_f_mode,
++    A_process,
++    A_sock_type,
++    A_pagenr,
++    A_cap_learn,
++    A_rc_learn,
++#endif
++    A_none};
++
++union rsbac_attribute_value_t
++  {
++         rsbac_uid_t                 owner;           /* process owner */
++         rsbac_pseudo_t              pseudo;
++         rsbac_system_role_int_t     system_role;
++#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_MAC)
++         rsbac_security_level_t      security_level;
++         rsbac_mac_category_vector_t mac_categories;
++         rsbac_security_level_t      current_sec_level;
++         rsbac_security_level_t      min_write_open;
++         rsbac_security_level_t      max_read_open;
++         rsbac_mac_user_flags_t      mac_user_flags;
++         rsbac_mac_process_flags_t   mac_process_flags;
++         rsbac_mac_file_flags_t      mac_file_flags;
++         rsbac_mac_auto_int_t        mac_auto;
++         rsbac_boolean_t             mac_check;
++         rsbac_boolean_t             mac_prop_trusted;
++#endif
++#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_PM)
++         rsbac_pm_role_int_t         pm_role;
++         rsbac_pm_process_type_int_t pm_process_type;
++         rsbac_pm_task_id_t          pm_current_task;
++         rsbac_pm_object_class_id_t  pm_object_class;
++         rsbac_pm_purpose_id_t       pm_ipc_purpose;
++         rsbac_pm_object_type_int_t  pm_object_type;
++         rsbac_pm_program_type_int_t pm_program_type;
++         rsbac_pm_tp_id_t            pm_tp;
++         rsbac_pm_task_set_id_t      pm_task_set;
++#endif
++#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_DAZ)
++         rsbac_daz_scanned_t         daz_scanned;
++         rsbac_daz_scanner_t         daz_scanner;
++         rsbac_daz_do_scan_t         daz_do_scan;
++#endif
++#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_FF)
++         rsbac_ff_flags_t            ff_flags;
++#endif
++#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_RC)
++         rsbac_rc_type_id_t          rc_type;
++         rsbac_rc_type_id_t          rc_type_fd;
++         rsbac_rc_role_id_t          rc_force_role;
++         rsbac_rc_role_id_t          rc_initial_role;
++         rsbac_rc_role_id_t          rc_role;
++         rsbac_rc_role_id_t          rc_def_role;
++         rsbac_rc_type_id_t          rc_select_type;
++#endif
++#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_AUTH)
++         rsbac_auth_may_setuid_int_t auth_may_setuid;
++         rsbac_boolean_t             auth_may_set_cap;
++         rsbac_pid_t                 auth_p_capset;
++         rsbac_inode_nr_t            auth_f_capset;
++         rsbac_boolean_t             auth_learn;
++         rsbac_uid_t                 auth_last_auth;
++#endif
++#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_CAP)
++         rsbac_cap_vector_t          min_caps;
++         rsbac_cap_vector_t          max_caps;
++         rsbac_cap_vector_t          max_caps_user;
++         rsbac_cap_vector_t          max_caps_program;
++         rsbac_cap_process_hiding_int_t cap_process_hiding;
++         rsbac_cap_ld_env_int_t      cap_ld_env;
++#endif
++#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_JAIL)
++         rsbac_jail_id_t             jail_id;
++         rsbac_jail_id_t             jail_parent;
++         rsbac_jail_ip_t             jail_ip;
++         rsbac_jail_flags_t          jail_flags;
++         rsbac_jail_scd_vector_t     jail_scd_get;
++         rsbac_jail_scd_vector_t     jail_scd_modify;
++         rsbac_cap_vector_t          jail_max_caps;
++#endif
++#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_PAX)
++         rsbac_pax_flags_t           pax_flags;
++#endif
++#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_RES)
++         rsbac_res_array_t           res_array;
++#endif
++         rsbac_log_array_t           log_array_low;
++         rsbac_log_array_t           log_array_high;
++         rsbac_request_vector_t      log_program_based;
++         rsbac_request_vector_t      log_user_based;
++         rsbac_enum_t                symlink_add_remote_ip;
++         rsbac_boolean_t             symlink_add_uid;
++         rsbac_boolean_t             symlink_add_mac_level;
++         rsbac_boolean_t             symlink_add_rc_role;
++         rsbac_linux_dac_disable_int_t linux_dac_disable;
++//         rsbac_net_temp_id_t         net_temp;
++         rsbac_fake_root_uid_int_t   fake_root_uid;
++         rsbac_uid_t                 audit_uid;
++         rsbac_uid_t                 auid_exempt;
++         __u32                       remote_ip;
++         rsbac_um_set_t              vset;
++#ifdef __KERNEL__
++         rsbac_gid_t     	     group;        /* process/fd group */
++    struct sockaddr                * sockaddr_p; /* socket address */
++         long                        signal;        /* signal for kill */
++         int                         mode;    /* mode for create/mount */
++         int                         nlink;       /* for DELETE/unlink */
++    enum rsbac_switch_target_t       switch_target; /* for SWITCH_MODULE */
++         char                      * mod_name;    /* for ADD_TO_KERNEL */
++    enum rsbac_adf_request_t         request;        /* for SWITCH_LOG */
++         long                        trace_request; /* request for sys_trace */
++    struct rsbac_auth_cap_range_t    auth_cap_range;
++    	 int                         prot_bits;/* prot bits for mmap()/mprotect() */
++         rsbac_boolean_t             internal;
++    /* used with CREATE on DIR */
++    struct rsbac_create_data_t       create_data;
++    /* newly created object in OPEN requests? */
++         rsbac_boolean_t             new_object;
++    struct rsbac_rlimit_t            rlimit;
++         struct dentry             * new_dir_dentry_p;
++         struct rsbac_fs_file_t      program_file; /* for learning mode */
++         rsbac_uid_t                 auth_start_uid;
++         rsbac_uid_t                 auth_start_euid;
++         rsbac_gid_t                 auth_start_gid;
++         rsbac_gid_t                 auth_start_egid;
++         rsbac_boolean_t             acl_learn;
++         int                         priority;
++         rsbac_pid_t                 pgid;
++         rsbac_boolean_t             kernel_thread;
++         u_int                       open_flag;
++         u_int                       reboot_cmd;
++         int                         setsockopt_level;
++         u_int                       ioctl_cmd;
++         mode_t                      f_mode;
++         rsbac_pid_t                 process;
++         short                       sock_type;
++         u_int                       pagenr;
++         rsbac_boolean_t             cap_learn;
++         rsbac_boolean_t             rc_learn;
++#endif
++         u_char                      u_char_dummy;
++         u_short                     u_short_dummy;
++         int                         dummy;
++         u_int                       u_dummy;
++         long                        long_dummy;
++         u_long                      u_long_dummy;
++       };
++
++/* List all values possibly used in FD Cache to find data size */
++
++#ifdef CONFIG_RSBAC_FD_CACHE
++union rsbac_attribute_value_cache_t
++  {
++         rsbac_uid_t                 owner;           /* process owner */
++         rsbac_pseudo_t              pseudo;
++         rsbac_system_role_int_t     system_role;
++#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_MAC)
++         rsbac_security_level_t      security_level;
++         rsbac_mac_category_vector_t mac_categories;
++         rsbac_security_level_t      current_sec_level;
++         rsbac_security_level_t      min_write_open;
++         rsbac_security_level_t      max_read_open;
++         rsbac_mac_user_flags_t      mac_user_flags;
++         rsbac_mac_process_flags_t   mac_process_flags;
++         rsbac_mac_file_flags_t      mac_file_flags;
++         rsbac_mac_auto_int_t        mac_auto;
++         rsbac_boolean_t             mac_check;
++         rsbac_boolean_t             mac_prop_trusted;
++#endif
++#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_DAZ)
++         rsbac_daz_scanned_t         daz_scanned;
++         rsbac_daz_scanner_t         daz_scanner;
++         rsbac_daz_do_scan_t         daz_do_scan;
++#endif
++#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_FF)
++         rsbac_ff_flags_t            ff_flags;
++#endif
++#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_RC)
++         rsbac_rc_type_id_t          rc_type;
++         rsbac_rc_type_id_t          rc_type_fd;
++         rsbac_rc_role_id_t          rc_force_role;
++         rsbac_rc_role_id_t          rc_initial_role;
++         rsbac_rc_role_id_t          rc_role;
++         rsbac_rc_role_id_t          rc_def_role;
++         rsbac_rc_type_id_t          rc_select_type;
++#endif
++         rsbac_log_array_t           log_array_low;
++         rsbac_log_array_t           log_array_high;
++         rsbac_request_vector_t      log_program_based;
++         rsbac_request_vector_t      log_user_based;
++         rsbac_enum_t                symlink_add_remote_ip;
++         rsbac_boolean_t             symlink_add_uid;
++         rsbac_boolean_t             symlink_add_mac_level;
++         rsbac_boolean_t             symlink_add_rc_role;
++         rsbac_linux_dac_disable_int_t linux_dac_disable;
++//         rsbac_net_temp_id_t         net_temp;
++         rsbac_fake_root_uid_int_t   fake_root_uid;
++         rsbac_uid_t                 audit_uid;
++         rsbac_uid_t                 auid_exempt;
++         __u32                       remote_ip;
++         rsbac_um_set_t              vset;
++         u_char                      u_char_dummy;
++         u_short                     u_short_dummy;
++         int                         dummy;
++         u_int                       u_dummy;
++         long                        long_dummy;
++         u_long                      u_long_dummy;
++       };
++#endif
++
++/**** ACL + UM ****/
++
++#include <rsbac/acl_types.h>
++#include <rsbac/um_types.h>
++
++/* not aligned, yet */
++struct rsbac_rw_req {
++	enum  rsbac_target_t rsbac_target;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	enum  rsbac_attribute_t rsbac_attribute;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++	enum rsbac_adf_request_t rsbac_request;
++};
++
++int rsbac_handle_rw_req(const struct file *file, struct rsbac_rw_req *rsbac_rw_req_obj);
++int rsbac_handle_rw_up(struct rsbac_rw_req *rsbac_rw_req_obj);
++
++#endif
++
+diff --git a/include/rsbac/um.h b/include/rsbac/um.h
+new file mode 100644
+index 0000000..b7b6e6e
+--- /dev/null
++++ b/include/rsbac/um.h
+@@ -0,0 +1,178 @@
++/************************************ */
++/* Rule Set Based Access Control      */
++/* Author and (c) 1999-2011:          */
++/*   Amon Ott <ao@...>          */
++/* API: Data structures               */
++/* and functions for User Management  */
++/* Last modified: 19/Apt/2011         */
++/************************************ */
++
++#ifndef __RSBAC_UM_H
++#define __RSBAC_UM_H
++
++#include <linux/init.h>
++#include <rsbac/types.h>
++#include <rsbac/um_types.h>
++
++/***************************************************/
++/*               General Prototypes                */
++/***************************************************/
++
++/* All functions return 0, if no error occurred, and a negative error code  */
++/* otherwise. The error codes are defined in rsbac_error.h.                 */
++
++/****************************************************************************/
++/* Initialization, including ACI restoration for all mounted devices from   */
++/* disk. After this call, all ACI is kept in memory for performance reasons,*/
++/* but user and file/dir object ACI are written to disk on every change.    */
++
++#ifdef CONFIG_RSBAC_INIT_DELAY
++extern int rsbac_init_um(void);
++#else
++extern int rsbac_init_um(void) __init;
++#endif
++
++/* Some information about the current status is also available */
++extern int rsbac_stats_um(void);
++
++/************************************************* */
++/*               Access functions                  */
++/************************************************* */
++
++/* Trying to access a never created or removed user entry returns an error! */
++
++/* rsbac_um_add_user (fills *user_p with new uid) */
++
++int rsbac_um_add_user(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_uid_t * user_p,
++  struct rsbac_um_user_entry_t * entry_p,
++  char * pass,
++  rsbac_time_t ttl);
++
++int rsbac_um_add_group(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_gid_t * group_p,
++  struct rsbac_um_group_entry_t * entry_p,
++  char * pass,
++  rsbac_time_t ttl);
++
++int rsbac_um_add_gm(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_uid_t user,
++  rsbac_gid_num_t group,
++  rsbac_time_t ttl);
++
++int rsbac_um_mod_user(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_uid_t user,
++  enum rsbac_um_mod_t mod,
++  union rsbac_um_mod_data_t * data_p);
++
++int rsbac_um_mod_group(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_uid_t group,
++  enum rsbac_um_mod_t mod,
++  union rsbac_um_mod_data_t * data_p);
++
++int rsbac_um_get_user_item(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_uid_t user,
++  enum rsbac_um_mod_t mod,
++  union rsbac_um_mod_data_t * data_p);
++
++int rsbac_um_get_group_item(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_gid_t group,
++  enum rsbac_um_mod_t mod,
++  union rsbac_um_mod_data_t * data_p);
++
++int rsbac_um_user_exists(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_uid_t user);
++
++int rsbac_um_group_exists(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_gid_t group);
++
++int rsbac_um_remove_user(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_uid_t user);
++
++int rsbac_um_remove_group(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_gid_t group);
++
++int rsbac_um_remove_gm(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_uid_t user,
++  rsbac_gid_num_t group);
++
++int rsbac_um_get_next_user(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_uid_t old_user,
++  rsbac_uid_t * next_user_p);
++
++int rsbac_um_get_user_list(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_um_set_t vset,
++  rsbac_uid_t ** list_pp);
++
++int rsbac_um_get_gm_list(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_uid_t user,
++  rsbac_gid_num_t ** list_pp);
++
++int rsbac_um_get_gm_user_list(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_gid_t group,
++  rsbac_uid_num_t ** list_pp);
++
++int rsbac_um_get_group_list(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_um_set_t vset,
++  rsbac_gid_t ** list_pp);
++
++int rsbac_um_get_user_entry(
++  rsbac_list_ta_number_t ta_number,
++  rsbac_uid_t user,
++  struct rsbac_um_user_entry_t * entry_p,
++  rsbac_time_t * ttl_p);
++
++int rsbac_um_get_uid(
++  rsbac_list_ta_number_t ta_number,
++  char * name,
++  rsbac_uid_t * uid_p);
++
++int rsbac_um_get_gid(
++  rsbac_list_ta_number_t ta_number,
++  char * name,
++  rsbac_gid_t * gid_p);
++
++int rsbac_um_check_pass(rsbac_uid_t uid,
++                        char * pass);
++
++/* Check for good password (min length etc.) */
++int rsbac_um_good_pass(rsbac_uid_t uid, char * pass);
++
++#ifdef CONFIG_RSBAC_UM_ONETIME
++int rsbac_um_add_onetime(rsbac_uid_t uid, char * pass, rsbac_time_t ttl);
++
++int rsbac_um_remove_all_onetime(rsbac_uid_t uid);
++
++int rsbac_um_count_onetime(rsbac_uid_t uid);
++#endif
++
++int rsbac_um_set_pass(rsbac_uid_t uid,
++                      char * pass);
++
++int rsbac_um_set_group_pass(rsbac_gid_t gid,
++                            char * pass);
++
++int rsbac_um_check_account(rsbac_uid_t user);
++
++int rsbac_um_get_max_history(rsbac_list_ta_number_t ta_number, rsbac_uid_t uid);
++
++int rsbac_um_set_max_history(rsbac_list_ta_number_t ta_number, rsbac_uid_t uid, __u8 max_history);
++
++#endif
+diff --git a/include/rsbac/um_types.h b/include/rsbac/um_types.h
+new file mode 100644
+index 0000000..866bdd1
+--- /dev/null
++++ b/include/rsbac/um_types.h
+@@ -0,0 +1,139 @@
++/**************************************/
++/* Rule Set Based Access Control      */
++/* Author and (c) 1999-2008: Amon Ott */
++/* User Management Data structures    */
++/* Last modified: 28/Oct/2008         */
++/**************************************/
++
++#ifndef __RSBAC_UM_TYPES_H
++#define __RSBAC_UM_TYPES_H
++
++//#include <rsbac/types.h>
++
++#if 0
++#ifdef __KERNEL__		/* only include in kernel code */
++#include <rsbac/debug.h>
++#include <rsbac/lists.h>
++#endif				/* __KERNEL__ */
++#endif
++
++#define RSBAC_UM_MAX_MAXNUM 1000000
++
++#define RSBAC_UM_USER_LIST_NAME  "um_user"
++#define RSBAC_UM_GROUP_LIST_NAME  "um_grp"
++#define RSBAC_UM_USER_PWHISTORY_LIST_NAME "um_pwh"
++#define RSBAC_UM_ONETIME_LIST_NAME "um_pwot"
++#define RSBAC_UM_OLD_USER_LIST_NAME  "um_u."
++#define RSBAC_UM_OLD_GROUP_LIST_NAME  "um_g."
++#define RSBAC_UM_OLD_USER_PWHISTORY_LIST_NAME "um_pwh."
++
++#define RSBAC_UM_NR_USER_LISTS  8
++#define RSBAC_UM_NR_GROUP_LISTS  8
++#define RSBAC_UM_NR_USER_PWHISTORY_LISTS  8
++
++#define RSBAC_UM_USER_LIST_VERSION 3
++#define RSBAC_UM_GROUP_LIST_VERSION 3
++#define RSBAC_UM_USER_PWHISTORY_LIST_VERSION 2
++#define RSBAC_UM_ONETIME_LIST_VERSION 1
++
++#define RSBAC_UM_USER_OLD_LIST_VERSION 2
++#define RSBAC_UM_USER_OLD_OLD_LIST_VERSION 1
++#define RSBAC_UM_GROUP_OLD_LIST_VERSION 2
++#define RSBAC_UM_GROUP_OLD_OLD_LIST_VERSION 1
++#define RSBAC_UM_USER_PWHISTORY_OLD_LIST_VERSION 1
++
++#define RSBAC_UM_USER_LIST_KEY 6363636
++#define RSBAC_UM_GROUP_LIST_KEY 9847298
++#define RSBAC_UM_USER_PWHISTORY_LIST_KEY 8854687
++#define RSBAC_UM_ONETIME_LIST_KEY 63273279
++
++#define RSBAC_UM_NAME_LEN 65
++#define RSBAC_UM_OLD_NAME_LEN 16
++#define RSBAC_UM_PASS_LEN 24
++#define RSBAC_UM_FULLNAME_LEN 65
++#define RSBAC_UM_OLD_FULLNAME_LEN 30
++#define RSBAC_UM_HOMEDIR_LEN 101
++#define RSBAC_UM_OLD_HOMEDIR_LEN 50
++#define RSBAC_UM_SHELL_LEN 45
++#define RSBAC_UM_OLD_SHELL_LEN 24
++
++typedef __s32 rsbac_um_days_t;
++
++typedef char rsbac_um_password_t[RSBAC_UM_PASS_LEN];
++
++enum rsbac_um_mod_t { UM_name, UM_pass, UM_fullname, UM_homedir, UM_shell,
++	UM_group, UM_lastchange, UM_minchange, UM_maxchange,
++	UM_warnchange, UM_inactive, UM_expire, UM_ttl,
++	UM_cryptpass, UM_none
++};
++
++union rsbac_um_mod_data_t {
++	char string[RSBAC_MAXNAMELEN];
++	rsbac_gid_num_t group;
++	rsbac_um_days_t days;
++	rsbac_time_t ttl;
++};
++
++struct rsbac_um_user_entry_t {
++	rsbac_gid_num_t group;
++	rsbac_um_days_t lastchange;
++	rsbac_um_days_t minchange;
++	rsbac_um_days_t maxchange;
++	rsbac_um_days_t warnchange;
++	rsbac_um_days_t inactive;
++	rsbac_um_days_t expire;
++	char name[RSBAC_UM_NAME_LEN];
++	char pass[RSBAC_UM_PASS_LEN];
++	char fullname[RSBAC_UM_FULLNAME_LEN];
++	char homedir[RSBAC_UM_HOMEDIR_LEN];
++	char shell[RSBAC_UM_SHELL_LEN];
++};
++
++struct rsbac_um_old_user_entry_t {
++	char name[RSBAC_UM_OLD_NAME_LEN];
++	char pass[RSBAC_UM_PASS_LEN];
++	char fullname[RSBAC_UM_OLD_FULLNAME_LEN];
++	char homedir[RSBAC_UM_OLD_HOMEDIR_LEN];
++	char shell[RSBAC_UM_OLD_SHELL_LEN];
++	rsbac_gid_num_t group;
++	rsbac_um_days_t lastchange;
++	rsbac_um_days_t minchange;
++	rsbac_um_days_t maxchange;
++	rsbac_um_days_t warnchange;
++	rsbac_um_days_t inactive;
++	rsbac_um_days_t expire;
++};
++
++#define DEFAULT_UM_U_ENTRY \
++    { \
++      65534,  /* group */ \
++      100000,  /* lastchange */ \
++      0,  /* minchange */ \
++      365,  /* maxchange */ \
++      10,  /* warnchange */ \
++      3,  /* inactive */ \
++      100000,   /* expire */ \
++      "", /* name */ \
++      "", /* pass */ \
++      "", /* fullname */ \
++      "/home", /* homedir */ \
++      "/bin/sh" /* shell */ \
++    }
++
++struct rsbac_um_group_entry_t {
++	char name[RSBAC_UM_NAME_LEN];
++	char pass[RSBAC_UM_PASS_LEN];
++};
++
++struct rsbac_um_old_group_entry_t {
++	char name[RSBAC_UM_OLD_NAME_LEN];
++	char pass[RSBAC_UM_PASS_LEN];
++};
++
++#define DEFAULT_UM_G_ENTRY \
++    { \
++      "", /* name */ \
++      ""  /* pass */ \
++    }
++
++#endif
+diff --git a/include/rsbac/unistd-alpha.h b/include/rsbac/unistd-alpha.h
+new file mode 100644
+index 0000000..d6014f2
+--- /dev/null
++++ b/include/rsbac/unistd-alpha.h
+@@ -0,0 +1,16 @@
++/************************************ */
++/* Rule Set Based Access Control      */
++/* Author and (c) 1999-2002: Amon Ott */
++/* System Call definitions - alpha    */
++/* Last modified: 20/Mar/2002         */
++/************************************ */
++
++#ifndef __RSBAC_UNISTD_ALPHA_H
++#define __RSBAC_UNISTD_ALPHA_H
++
++#ifndef __NR_security
++#define __NR_security 380
++#endif
++#define __NR_rsbac __NR_security
++
++#endif
+diff --git a/include/rsbac/unistd-i386.h b/include/rsbac/unistd-i386.h
+new file mode 100644
+index 0000000..5d600fb
+--- /dev/null
++++ b/include/rsbac/unistd-i386.h
+@@ -0,0 +1,16 @@
++/************************************ */
++/* Rule Set Based Access Control      */
++/* Author and (c) 1999-2002: Amon Ott */
++/* System Call definitions - i386     */
++/* Last modified: 20/Mar/2002         */
++/************************************ */
++
++#ifndef __RSBAC_UNISTD_I386_H
++#define __RSBAC_UNISTD_I386_H
++
++#ifndef __NR_security
++#define __NR_security 223
++#endif
++#define __NR_rsbac __NR_security
++
++#endif
+diff --git a/include/rsbac/unistd-ppc.h b/include/rsbac/unistd-ppc.h
+new file mode 100644
+index 0000000..cab4714
+--- /dev/null
++++ b/include/rsbac/unistd-ppc.h
+@@ -0,0 +1,16 @@
++/************************************ */
++/* Rule Set Based Access Control      */
++/* Author and (c) 1999-2002: Amon Ott */
++/* System Call definitions - i386     */
++/* Last modified: 07/Apr/2002         */
++/************************************ */
++
++#ifndef __RSBAC_UNISTD_PPC_H
++#define __RSBAC_UNISTD_PPC_H
++
++#ifndef __NR_security
++#define __NR_security 220
++#endif
++#define __NR_rsbac __NR_security
++
++#endif
+diff --git a/init/do_mounts.c b/init/do_mounts.c
+index d6c229f..c1b657d 100644
+--- a/init/do_mounts.c
++++ b/init/do_mounts.c
+@@ -23,6 +23,14 @@
+ 
+ #include "do_mounts.h"
+ 
++#ifdef CONFIG_RSBAC
++#include <rsbac/aci.h>
++#include <rsbac/debug.h>
++#ifdef CONFIG_BLK_DEV_INITRD
++#include <linux/initrd.h>
++#endif
++#endif
++
+ int __initdata rd_doload;	/* 1 = load RAM disk, 0 = don't load */
+ 
+ int root_mountflags = MS_RDONLY | MS_SILENT;
+@@ -555,4 +563,12 @@ out:
+ 	devtmpfs_mount("dev");
+ 	sys_mount(".", "/", NULL, MS_MOVE, NULL);
+ 	sys_chroot((const char __user __force *)".");
++
++#ifdef CONFIG_RSBAC
++#ifdef CONFIG_RSBAC_INIT_DELAY
++        if(rsbac_no_delay_init)
++#endif
++        rsbac_init(ROOT_DEV);
++#endif
++
+ }
+diff --git a/init/main.c b/init/main.c
+index cb08fea2..5aa8e1c 100644
+--- a/init/main.c
++++ b/init/main.c
+@@ -75,6 +75,8 @@
+ #include <asm/sections.h>
+ #include <asm/cacheflush.h>
+ 
++#include <rsbac/hooks.h>
++
+ #ifdef CONFIG_X86_LOCAL_APIC
+ #include <asm/smp.h>
+ #endif
+@@ -617,6 +619,9 @@ asmlinkage void __init start_kernel(void)
+ 	key_init();
+ 	security_init();
+ 	dbg_late_init();
++#ifdef CONFIG_RSBAC
++	rsbac_kthreads_init();
++#endif
+ 	vfs_caches_init(totalram_pages);
+ 	signals_init();
+ 	/* rootfs populating might need page-writeback */
+diff --git a/ipc/msg.c b/ipc/msg.c
+index 7385de2..00e92b5 100644
+--- a/ipc/msg.c
++++ b/ipc/msg.c
+@@ -41,6 +41,7 @@
+ #include <asm/current.h>
+ #include <asm/uaccess.h>
+ #include "util.h"
++#include <rsbac/hooks.h>
+ 
+ /*
+  * one msg_receiver structure for each sleeping receiver:
+@@ -184,6 +185,12 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params)
+ 	key_t key = params->key;
+ 	int msgflg = params->flg;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	msq = ipc_rcu_alloc(sizeof(*msq));
+ 	if (!msq)
+ 		return -ENOMEM;
+@@ -191,6 +198,23 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params)
+ 	msq->q_perm.mode = msgflg & S_IRWXUGO;
+ 	msq->q_perm.key = key;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[sys_msgget()]: calling ADF\n");
++	rsbac_target_id.ipc.type = I_msg;
++	rsbac_target_id.ipc.id.id_nr = 0;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_CREATE,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		ipc_rcu_putref(msq);
++		return -EPERM;
++	}
++#endif
++
+ 	msq->q_perm.security = NULL;
+ 	retval = security_msg_queue_alloc(msq);
+ 	if (retval) {
+@@ -217,6 +241,24 @@ static int newque(struct ipc_namespace *ns, struct ipc_params *params)
+ 	INIT_LIST_HEAD(&msq->q_receivers);
+ 	INIT_LIST_HEAD(&msq->q_senders);
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_target_id.ipc.type = I_msg;
++	rsbac_target_id.ipc.id.id_nr = msq->q_perm.id;
++	rsbac_new_target_id.dummy = 0;
++	if (rsbac_adf_set_attr(R_CREATE,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				T_NONE,
++				rsbac_new_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		rsbac_printk(KERN_WARNING
++				"newque() [sys_msgget()]: rsbac_adf_set_attr() returned error");
++	}
++#endif
++
++
+ 	msg_unlock(msq);
+ 
+ 	return msq->q_perm.id;
+@@ -415,6 +457,11 @@ static int msgctl_down(struct ipc_namespace *ns, int msqid, int cmd,
+ 	struct msqid64_ds uninitialized_var(msqid64);
+ 	struct msg_queue *msq;
+ 	int err;
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
+ 
+ 	if (cmd == IPC_SET) {
+ 		if (copy_msqid_from_user(&msqid64, buf, version))
+@@ -434,7 +481,36 @@ static int msgctl_down(struct ipc_namespace *ns, int msqid, int cmd,
+ 
+ 	switch (cmd) {
+ 	case IPC_RMID:
++#ifdef CONFIG_RSBAC
++		rsbac_target_id.ipc.type = I_msg;
++		rsbac_target_id.ipc.id.id_nr = msqid;
++		rsbac_pr_debug(aef, "calling ADF\n");
++		rsbac_attribute_value.dummy = 0;
++		if (!rsbac_adf_request(R_DELETE,
++					task_pid(current),
++					T_IPC,
++					rsbac_target_id,
++					A_none,
++					rsbac_attribute_value)) {
++			err = -EPERM;
++			goto out_unlock;
++		}
++#endif
+ 		freeque(ns, ipcp);
++#ifdef CONFIG_RSBAC
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(R_DELETE,
++					task_pid(current),
++					T_IPC,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					A_none,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_WARNING
++					"sys_msgctl(): rsbac_adf_set_attr() returned error");
++		}
++#endif
+ 		goto out_up;
+ 	case IPC_SET:
+ 		if (msqid64.msg_qbytes > ns->msg_ctlmnb &&
+@@ -443,6 +519,50 @@ static int msgctl_down(struct ipc_namespace *ns, int msqid, int cmd,
+ 			goto out_unlock;
+ 		}
+ 
++#ifdef CONFIG_RSBAC
++		rsbac_target_id.ipc.type = I_msg;
++		rsbac_target_id.ipc.id.id_nr = msqid;
++		if (ipcp->uid != msqid64.msg_perm.uid) {
++			rsbac_pr_debug(aef, "calling ADF\n");
++			rsbac_attribute_value.owner = msqid64.msg_perm.uid;
++			if (!rsbac_adf_request(R_CHANGE_OWNER,
++						task_pid(current),
++						T_IPC,
++						rsbac_target_id,
++						A_owner,
++						rsbac_attribute_value)) {
++				err = -EPERM;
++				goto out_unlock;
++			}
++		}
++		if (ipcp->gid != msqid64.msg_perm.gid) {
++			rsbac_pr_debug(aef, "calling ADF\n");
++			rsbac_attribute_value.group = msqid64.msg_perm.gid;
++			if (!rsbac_adf_request(R_CHANGE_GROUP,
++						task_pid(current),
++						T_IPC,
++						rsbac_target_id,
++						A_group,
++						rsbac_attribute_value)) {
++				err = -EPERM;
++				goto out_unlock;
++			}
++		}
++		if (ipcp->mode != ((ipcp->mode & ~S_IRWXUGO) | (S_IRWXUGO & msqid64.msg_perm.mode))) {
++			rsbac_pr_debug(aef, "calling ADF\n");
++			rsbac_attribute_value.mode = (S_IRWXUGO & msqid64.msg_perm.mode);
++			if (!rsbac_adf_request(R_ALTER,
++						task_pid(current),
++						T_IPC,
++						rsbac_target_id,
++						A_mode,
++						rsbac_attribute_value)) {
++				err = -EPERM;
++				goto out_unlock;
++			}
++		}
++#endif
++
+ 		msq->q_qbytes = msqid64.msg_qbytes;
+ 
+ 		ipc_update_perm(&msqid64.msg_perm, ipcp);
+@@ -640,6 +760,12 @@ long do_msgsnd(int msqid, long mtype, void __user *mtext,
+ 	int err;
+ 	struct ipc_namespace *ns;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	ns = current->nsproxy->ipc_ns;
+ 
+ 	if (msgsz > ns->msg_ctlmax || (long) msgsz < 0 || msqid < 0)
+@@ -647,6 +773,21 @@ long do_msgsnd(int msqid, long mtype, void __user *mtext,
+ 	if (mtype < 1)
+ 		return -EINVAL;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.ipc.type   = I_msg;
++	rsbac_target_id.ipc.id.id_nr  = msqid;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_SEND,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	msg = load_msg(mtext, msgsz);
+ 	if (IS_ERR(msg))
+ 		return PTR_ERR(msg);
+@@ -712,6 +853,21 @@ long do_msgsnd(int msqid, long mtype, void __user *mtext,
+ 		atomic_inc(&ns->msg_hdrs);
+ 	}
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_new_target_id.dummy = 0;
++	if (rsbac_adf_set_attr(R_SEND,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				T_NONE,
++				rsbac_new_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		rsbac_printk(KERN_WARNING
++				"sys_msgsnd(): rsbac_adf_set_attr() returned error");
++	}
++#endif
++
+ 	err = 0;
+ 	msg = NULL;
+ 
+@@ -760,11 +916,32 @@ long do_msgrcv(int msqid, long *pmtype, void __user *mtext,
+ 	int mode;
+ 	struct ipc_namespace *ns;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (msqid < 0 || (long) msgsz < 0)
+ 		return -EINVAL;
+ 	mode = convert_mode(&msgtyp, msgflg);
+ 	ns = current->nsproxy->ipc_ns;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.ipc.type   = I_msg;
++	rsbac_target_id.ipc.id.id_nr  = msqid;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_RECEIVE,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	msq = msg_lock_check(ns, msqid);
+ 	if (IS_ERR(msq))
+ 		return PTR_ERR(msq);
+@@ -808,6 +985,23 @@ long do_msgrcv(int msqid, long *pmtype, void __user *mtext,
+ 				msg = ERR_PTR(-E2BIG);
+ 				goto out_unlock;
+ 			}
++
++	                /* RSBAC: notify ADF of opened ipc */
++#ifdef CONFIG_RSBAC
++			rsbac_new_target_id.dummy = 0;
++			if (rsbac_adf_set_attr(R_RECEIVE,
++						task_pid(current),
++						T_IPC,
++						rsbac_target_id,
++						T_NONE,
++						rsbac_new_target_id,
++						A_none,
++						rsbac_attribute_value)) {
++				rsbac_printk(KERN_WARNING
++						"sys_msgrcv(): rsbac_adf_set_attr() returned error");
++			}
++#endif
++
+ 			list_del(&msg->m_list);
+ 			msq->q_qnum--;
+ 			msq->q_rtime = get_seconds();
+diff --git a/ipc/sem.c b/ipc/sem.c
+index 5215a81..5be561c 100644
+--- a/ipc/sem.c
++++ b/ipc/sem.c
+@@ -89,6 +89,7 @@
+ 
+ #include <asm/uaccess.h>
+ #include "util.h"
++#include <rsbac/hooks.h>
+ 
+ /* One semaphore structure for each semaphore in the system. */
+ struct sem {
+@@ -292,6 +293,12 @@ static int newary(struct ipc_namespace *ns, struct ipc_params *params)
+ 	int semflg = params->flg;
+ 	int i;
+ 
++#ifdef CONFIG_RSBAC_IPC_SEM
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!nsems)
+ 		return -EINVAL;
+ 	if (ns->used_sems + nsems > ns->sc_semmns)
+@@ -307,6 +314,22 @@ static int newary(struct ipc_namespace *ns, struct ipc_params *params)
+ 	sma->sem_perm.mode = (semflg & S_IRWXUGO);
+ 	sma->sem_perm.key = key;
+ 
++#ifdef CONFIG_RSBAC_IPC_SEM
++	rsbac_pr_debug(aef, "[sys_semget()]: calling ADF\n");
++	rsbac_target_id.ipc.type = I_sem;
++	rsbac_target_id.ipc.id.id_nr = 0;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_CREATE,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		ipc_rcu_putref(sma);
++		return -EPERM;
++	}
++#endif
++
+ 	sma->sem_perm.security = NULL;
+ 	retval = security_sem_alloc(sma);
+ 	if (retval) {
+@@ -334,6 +357,21 @@ static int newary(struct ipc_namespace *ns, struct ipc_params *params)
+ 	sma->sem_ctime = get_seconds();
+ 	sem_unlock(sma);
+ 
++/* RSBAC: notify ADF of new shm */
++#ifdef CONFIG_RSBAC_IPC_SEM
++	rsbac_target_id.ipc.id.id_nr = sma->sem_perm.id;
++	rsbac_new_target_id.dummy = 0;
++	if (rsbac_adf_set_attr(R_CREATE,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				T_NONE,
++				rsbac_new_target_id,
++				A_none,
++				rsbac_attribute_value))
++		rsbac_printk(KERN_WARNING
++		"newary() [sys_semget()]: rsbac_adf_set_attr() returned error\n");
++#endif
+ 	return sma->sem_perm.id;
+ }
+ 
+@@ -894,6 +932,12 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum,
+ 	int nsems;
+ 	struct list_head tasks;
+ 
++#ifdef CONFIG_RSBAC_IPC_SEM
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	sma = sem_lock_check(ns, semid);
+ 	if (IS_ERR(sma))
+ 		return PTR_ERR(sma);
+@@ -934,12 +978,48 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum,
+ 			}
+ 		}
+ 
++#ifdef CONFIG_RSBAC_IPC_SEM
++		rsbac_target_id.ipc.type = I_sem;
++		rsbac_target_id.ipc.id.id_nr = semid;
++		rsbac_pr_debug(aef, "[sys_semctl()]: calling ADF\n");
++		rsbac_attribute_value.dummy = 0;
++		if (!rsbac_adf_request(R_READ,
++					task_pid(current),
++					T_IPC,
++					rsbac_target_id,
++					A_none,
++					rsbac_attribute_value)) {
++			sem_unlock(sma);
++			err = -EPERM;
++			goto out_free;
++		}
++#endif
++
+ 		for (i = 0; i < sma->sem_nsems; i++)
+ 			sem_io[i] = sma->sem_base[i].semval;
+ 		sem_unlock(sma);
+ 		err = 0;
+ 		if(copy_to_user(array, sem_io, nsems*sizeof(ushort)))
+ 			err = -EFAULT;
++
++		/* RSBAC: notify ADF of read sem */
++#ifdef CONFIG_RSBAC_IPC_SEM
++		if(!err) {
++			rsbac_new_target_id.dummy = 0;
++			if (rsbac_adf_set_attr(R_READ,
++						task_pid(current),
++						T_IPC,
++						rsbac_target_id,
++						T_NONE,
++						rsbac_new_target_id,
++						A_none,
++						rsbac_attribute_value)) {
++				rsbac_printk(KERN_WARNING
++						"semctl_main() [sys_semctl()]: rsbac_adf_set_attr() returned error");
++			}
++		}
++#endif
++
+ 		goto out_free;
+ 	}
+ 	case SETALL:
+@@ -963,6 +1043,23 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum,
+ 			goto out_free;
+ 		}
+ 
++#ifdef CONFIG_RSBAC_IPC_SEM
++		rsbac_target_id.ipc.type = I_sem;
++		rsbac_target_id.ipc.id.id_nr = semid;
++		rsbac_pr_debug(aef, "[sys_semctl()]: calling ADF\n");
++		rsbac_attribute_value.dummy = 0;
++		if (!rsbac_adf_request(R_WRITE,
++					task_pid(current),
++					T_IPC,
++					rsbac_target_id,
++					A_none,
++					rsbac_attribute_value)) {
++			err = -EPERM;
++			sem_putref(sma);
++			goto out_free;
++		}
++#endif
++
+ 		for (i = 0; i < nsems; i++) {
+ 			if (sem_io[i] > SEMVMX) {
+ 				sem_putref(sma);
+@@ -986,6 +1083,23 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum,
+ 				un->semadj[i] = 0;
+ 		}
+ 		sma->sem_ctime = get_seconds();
++
++                /* RSBAC: notify ADF of written sem */
++#ifdef CONFIG_RSBAC_IPC_SEM
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(R_WRITE,
++					task_pid(current),
++					T_IPC,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					A_none,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_WARNING
++					"semctl_main() [sys_semctl()]: rsbac_adf_set_attr() returned error");
++		}
++#endif
++
+ 		/* maybe some queued-up processes were waiting for this */
+ 		do_smart_update(sma, NULL, 0, 0, &tasks);
+ 		err = 0;
+@@ -1021,6 +1135,23 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum,
+ 		if (val > SEMVMX || val < 0)
+ 			goto out_unlock;
+ 
++#ifdef CONFIG_RSBAC_IPC_SEM
++		rsbac_target_id.ipc.type = I_sem;
++		rsbac_target_id.ipc.id.id_nr = semid;
++		rsbac_pr_debug(aef, "[sys_semctl()]: calling ADF\n");
++		rsbac_attribute_value.dummy = 0;
++		if (!rsbac_adf_request(R_WRITE,
++					task_pid(current),
++					T_IPC,
++					rsbac_target_id,
++					A_none,
++					rsbac_attribute_value))
++		{
++			err = -EPERM;
++			goto out_unlock;
++		}
++#endif
++
+ 		assert_spin_locked(&sma->sem_perm.lock);
+ 		list_for_each_entry(un, &sma->list_id, list_id)
+ 			un->semadj[semnum] = 0;
+@@ -1083,6 +1214,12 @@ static int semctl_down(struct ipc_namespace *ns, int semid,
+ 	struct semid64_ds semid64;
+ 	struct kern_ipc_perm *ipcp;
+ 
++#ifdef CONFIG_RSBAC_IPC_SEM
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if(cmd == IPC_SET) {
+ 		if (copy_semid_from_user(&semid64, arg.buf, version))
+ 			return -EFAULT;
+@@ -1101,9 +1238,85 @@ static int semctl_down(struct ipc_namespace *ns, int semid,
+ 
+ 	switch(cmd){
+ 	case IPC_RMID:
++#ifdef CONFIG_RSBAC_IPC_SEM
++		rsbac_target_id.ipc.type = I_sem;
++		rsbac_target_id.ipc.id.id_nr = semid;
++		rsbac_pr_debug(aef, "[sys_semctl()]: calling ADF\n");
++		rsbac_attribute_value.dummy = 0;
++		if (!rsbac_adf_request(R_DELETE,
++					task_pid(current),
++					T_IPC,
++					rsbac_target_id,
++					A_none,
++					rsbac_attribute_value)) {
++			err = -EPERM;
++			goto out_unlock;
++		}
++#endif
++
+ 		freeary(ns, ipcp);
++
++                /* RSBAC: notify ADF of deleted sem */
++#ifdef CONFIG_RSBAC_IPC_SEM
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(R_DELETE,
++					task_pid(current),
++					T_IPC,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					A_none,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_WARNING
++					"semctl_down() [sys_semctl()]: rsbac_adf_set_attr() returned error");
++		}
++#endif
++
+ 		goto out_up;
+ 	case IPC_SET:
++#ifdef CONFIG_RSBAC_IPC_SEM
++		rsbac_target_id.ipc.type = I_sem;
++		rsbac_target_id.ipc.id.id_nr = semid;
++		if (ipcp->uid != semid64.sem_perm.uid) {
++			rsbac_pr_debug(aef, "calling ADF\n");
++			rsbac_attribute_value.owner = semid64.sem_perm.uid;
++			if (!rsbac_adf_request(R_CHANGE_OWNER,
++						task_pid(current),
++						T_IPC,
++						rsbac_target_id,
++						A_owner,
++						rsbac_attribute_value)) {
++				err = -EPERM;
++				goto out_unlock;
++			}
++		}
++		if (ipcp->gid != semid64.sem_perm.gid) {
++			rsbac_pr_debug(aef, "calling ADF\n");
++			rsbac_attribute_value.group = semid64.sem_perm.gid;
++			if (!rsbac_adf_request(R_CHANGE_GROUP,
++						task_pid(current),
++						T_IPC,
++						rsbac_target_id,
++						A_group,
++						rsbac_attribute_value)) {
++				err = -EPERM;
++				goto out_unlock;
++			}
++		}
++		if (ipcp->mode != ((ipcp->mode & ~S_IRWXUGO) | (S_IRWXUGO & semid64.sem_perm.mode))) {
++			rsbac_pr_debug(aef, "calling ADF\n");
++			rsbac_attribute_value.mode = (S_IRWXUGO & semid64.sem_perm.mode);
++			if (!rsbac_adf_request(R_ALTER,
++						task_pid(current),
++						T_IPC,
++						rsbac_target_id,
++						A_mode,
++						rsbac_attribute_value)) {
++				err = -EPERM;
++				goto out_unlock;
++			}
++		}
++#endif
+ 		ipc_update_perm(&semid64.sem_perm, ipcp);
+ 		sma->sem_ctime = get_seconds();
+ 		break;
+diff --git a/ipc/shm.c b/ipc/shm.c
+index b76be5b..c253579 100644
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -44,6 +44,8 @@
+ 
+ #include "util.h"
+ 
++#include <rsbac/hooks.h>
++
+ struct shm_file_data {
+ 	int id;
+ 	struct ipc_namespace *ns;
+@@ -85,6 +87,11 @@ void shm_init_ns(struct ipc_namespace *ns)
+  */
+ static void do_shm_rmid(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp)
+ {
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
+ 	struct shmid_kernel *shp;
+ 	shp = container_of(ipcp, struct shmid_kernel, shm_perm);
+ 
+@@ -93,8 +100,25 @@ static void do_shm_rmid(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp)
+ 		/* Do not find it any more */
+ 		shp->shm_perm.key = IPC_PRIVATE;
+ 		shm_unlock(shp);
+-	} else
++	} else {
+ 		shm_destroy(ns, shp);
++
++		/* RSBAC: notify ADF of deleted shm */
++#ifdef CONFIG_RSBAC
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(R_DELETE,
++					task_pid(current),
++					T_IPC,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					A_none,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_WARNING
++					"sys_shmctl(): rsbac_adf_set_attr() returned error");
++		}
++#endif
++	}
+ }
+ 
+ #ifdef CONFIG_IPC_NS
+@@ -187,6 +211,10 @@ static void shm_open(struct vm_area_struct *vma)
+  */
+ static void shm_destroy(struct ipc_namespace *ns, struct shmid_kernel *shp)
+ {
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++#endif
++
+ 	ns->shm_tot -= (shp->shm_segsz + PAGE_SIZE - 1) >> PAGE_SHIFT;
+ 	shm_rmid(ns, shp);
+ 	shm_unlock(shp);
+@@ -197,6 +225,14 @@ static void shm_destroy(struct ipc_namespace *ns, struct shmid_kernel *shp)
+ 						shp->mlock_user);
+ 	fput (shp->shm_file);
+ 	security_shm_free(shp);
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ACI remove_target()\n");
++	rsbac_target_id.ipc.type   = I_shm;
++	rsbac_target_id.ipc.id.id_nr  = shp->shm_perm.id;
++	rsbac_remove_target(T_IPC, rsbac_target_id);
++#endif
++
+ 	ipc_rcu_putref(shp);
+ }
+ 
+@@ -230,6 +266,27 @@ static void shm_close(struct vm_area_struct *vma)
+ 	struct shmid_kernel *shp;
+ 	struct ipc_namespace *ns = sfd->ns;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[sys_shmdt() et al.]: calling ADF\n");
++	rsbac_target_id.ipc.type   = I_shm;
++	rsbac_target_id.ipc.id.id_nr  = sfd->id;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_CLOSE,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		rsbac_printk(KERN_WARNING
++				"shm_close() [sys_shmdt() et al.]: rsbac_adf_request() for CLOSE returned NOT_GRANTED\n");
++	}
++#endif
++
+ 	down_write(&shm_ids(ns).rw_mutex);
+ 	/* remove from the list of attaches of the shm segment */
+ 	shp = shm_lock(ns, sfd->id);
+@@ -456,6 +513,12 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
+ 	int id;
+ 	vm_flags_t acctflag = 0;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (size < SHMMIN || size > ns->shm_ctlmax)
+ 		return -EINVAL;
+ 
+@@ -466,6 +529,22 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
+ 	if (!shp)
+ 		return -ENOMEM;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[sys_shmget()]: calling ADF\n");
++	rsbac_target_id.ipc.type = I_shm;
++	rsbac_target_id.ipc.id.id_nr = 0;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_CREATE,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		ipc_rcu_putref(shp);
++		return -EPERM;
++	}
++#endif
++
+ 	shp->shm_perm.key = key;
+ 	shp->shm_perm.mode = (shmflg & S_IRWXUGO);
+ 	shp->mlock_user = NULL;
+@@ -521,6 +600,24 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
+ 	ns->shm_tot += numpages;
+ 	error = shp->shm_perm.id;
+ 	shm_unlock(shp);
++
++#ifdef CONFIG_RSBAC
++	rsbac_target_id.ipc.id.id_nr = file->f_dentry->d_inode->i_ino;
++	rsbac_new_target_id.ipc.type = I_shm;
++	rsbac_new_target_id.ipc.id.id_nr = file->f_dentry->d_inode->i_ino;
++	if (rsbac_adf_set_attr(R_CREATE,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				T_IPC,
++				rsbac_new_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		rsbac_printk(KERN_WARNING
++				"newseg() [sys_shmget()]: rsbac_adf_set_attr() returned error");
++	}
++#endif
++
+ 	return error;
+ 
+ no_id:
+@@ -765,6 +862,11 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
+ 	int err, version;
+ 	struct ipc_namespace *ns;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (cmd < 0 || shmid < 0) {
+ 		err = -EINVAL;
+ 		goto out;
+@@ -922,6 +1024,23 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
+ 	}
+ 	case IPC_RMID:
+ 	case IPC_SET:
++
++#ifdef CONFIG_RSBAC
++		rsbac_target_id.ipc.type = I_shm;
++		rsbac_target_id.ipc.id.id_nr = shmid;
++		rsbac_pr_debug(aef, "calling ADF\n");
++		rsbac_attribute_value.dummy = 0;
++		if (!rsbac_adf_request(R_DELETE,
++					task_pid(current),
++					T_IPC,
++					rsbac_target_id,
++					A_none,
++					rsbac_attribute_value)) {
++			err = -EPERM;
++			goto out;
++		}
++#endif
++
+ 		err = shmctl_down(ns, shmid, cmd, buf, version);
+ 		return err;
+ 	default:
+@@ -957,6 +1076,13 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr)
+ 	struct path path;
+ 	fmode_t f_mode;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_adf_request_t rsbac_request = R_NONE;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	err = -EINVAL;
+ 	if (shmid < 0)
+ 		goto out;
+@@ -1011,6 +1137,26 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr)
+ 	if (err)
+ 		goto out_unlock;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef,  "calling ADF\n");
++	if ((shmflg & SHM_RDONLY))
++		rsbac_request = R_READ_OPEN;
++	else
++		rsbac_request = R_READ_WRITE_OPEN;
++	rsbac_target_id.ipc.type   = I_shm;
++	rsbac_target_id.ipc.id.id_nr  = shp->shm_perm.id;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(rsbac_request,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		err = -EPERM;
++		goto out_unlock;
++	}
++#endif
++
+ 	path = shp->shm_file->f_path;
+ 	path_get(&path);
+ 	shp->shm_nattch++;
+@@ -1072,6 +1218,25 @@ out_nattch:
+ 	up_write(&shm_ids(ns).rw_mutex);
+ 
+ out:
++
++/* RSBAC: notify ADF of attached shm */
++#ifdef CONFIG_RSBAC
++	if(!err) {
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(rsbac_request,
++					task_pid(current),
++					T_IPC,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					A_none,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_WARNING
++					"sys_shmat(): rsbac_adf_set_attr() returned error");
++		}
++	}
++#endif
++
+ 	return err;
+ 
+ out_unlock:
+diff --git a/kernel/capability.c b/kernel/capability.c
+index b463871..2b108fe 100644
+--- a/kernel/capability.c
++++ b/kernel/capability.c
+@@ -17,6 +17,8 @@
+ #include <linux/user_namespace.h>
+ #include <asm/uaccess.h>
+ 
++#include <rsbac/hooks.h>
++
+ /*
+  * Leveraged for setting/resetting capabilities
+  */
+@@ -128,6 +130,11 @@ static inline int cap_get_target_pid(pid_t pid, kernel_cap_t *pEp,
+ {
+ 	int ret;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (pid && (pid != task_pid_vnr(current))) {
+ 		struct task_struct *target;
+ 
+@@ -136,12 +143,34 @@ static inline int cap_get_target_pid(pid_t pid, kernel_cap_t *pEp,
+ 		target = find_task_by_vpid(pid);
+ 		if (!target)
+ 			ret = -ESRCH;
+-		else
++		else {
+ 			ret = security_capget(target, pEp, pIp, pPp);
++#ifdef CONFIG_RSBAC
++			rsbac_target_id.process = task_pid(target);
++#endif
++		}
+ 
+ 		rcu_read_unlock();
+-	} else
++	} else {
+ 		ret = security_capget(current, pEp, pIp, pPp);
++#ifdef CONFIG_RSBAC
++		rsbac_target_id.process = task_pid(current);
++#endif
++	}
++#ifdef CONFIG_RSBAC
++	if(!ret) {
++		rsbac_pr_debug(aef, "calling ADF\n");
++		rsbac_attribute_value.dummy = 0;
++		if(!rsbac_adf_request(R_GET_STATUS_DATA,
++					task_pid(current),
++					T_PROCESS,
++					rsbac_target_id,
++					A_none,
++					rsbac_attribute_value)) {
++			ret = -EPERM;
++		}
++	}
++#endif
+ 
+ 	return ret;
+ }
+@@ -238,6 +267,12 @@ SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data)
+ 	int ret;
+ 	pid_t pid;
+ 
++#ifdef CONFIG_RSBAC
++     union rsbac_target_id_t rsbac_target_id;
++     union rsbac_target_id_t rsbac_new_target_id;
++     union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	ret = cap_validate_magic(header, &tocopy);
+ 	if (ret != 0)
+ 		return ret;
+@@ -272,6 +307,25 @@ SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data)
+ 	if (!new)
+ 		return -ENOMEM;
+ 
++#ifdef CONFIG_RSBAC
++	if (!cap_issubset(effective, new->cap_effective)
++		     || !cap_issubset(permitted, new->cap_permitted)
++		     || !cap_issubset(inheritable, new->cap_inheritable)) {
++		rsbac_pr_debug(aef, "calling ADF\n");
++		rsbac_target_id.scd = ST_capability;
++		rsbac_attribute_value.dummy = 0;
++		if(!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++					task_pid(current),
++					T_SCD,
++					rsbac_target_id,
++					A_none,
++					rsbac_attribute_value)) {
++		     ret = -EPERM;
++		     goto error;
++		}
++	}
++#endif
++
+ 	ret = security_capset(new, current_cred(),
+ 			      &effective, &inheritable, &permitted);
+ 	if (ret < 0)
+@@ -279,7 +333,26 @@ SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data)
+ 
+ 	audit_log_capset(pid, new, current_cred());
+ 
+-	return commit_creds(new);
++	ret = commit_creds(new);
++
++#ifdef CONFIG_RSBAC
++	if (!ret) {
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(R_MODIFY_SYSTEM_DATA,
++					task_pid(current),
++					T_SCD,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					A_none,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_WARNING
++					"sys_setcap(): rsbac_adf_set_attr() returned error");
++		}
++	}
++#endif
++
++	return ret;
+ 
+ error:
+ 	abort_creds(new);
+@@ -378,6 +451,9 @@ bool ns_capable(struct user_namespace *ns, int cap)
+ 		current->flags |= PF_SUPERPRIV;
+ 		return true;
+ 	}
++#if defined(CONFIG_RSBAC_CAP_LOG_MISSING) || defined(CONFIG_RSBAC_JAIL_LOG_MISSING)
++	rsbac_log_missing_cap(cap);
++#endif
+ 	return false;
+ }
+ EXPORT_SYMBOL(ns_capable);
+diff --git a/kernel/exit.c b/kernel/exit.c
+index 5a8a66e..08f90f1 100644
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -57,6 +57,8 @@
+ #include <asm/pgtable.h>
+ #include <asm/mmu_context.h>
+ 
++#include <rsbac/hooks.h>
++
+ static void exit_mm(struct task_struct * tsk);
+ 
+ static void __unhash_process(struct task_struct *p, bool group_dead)
+@@ -874,6 +876,11 @@ NORET_TYPE void do_exit(long code)
+ 	struct task_struct *tsk = current;
+ 	int group_dead;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	profile_task_exit(tsk);
+ 
+ 	WARN_ON(blk_needs_flush_plug(tsk));
+@@ -962,6 +969,23 @@ NORET_TYPE void do_exit(long code)
+ 	exit_shm(tsk);
+ 	exit_files(tsk);
+ 	exit_fs(tsk);
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[sys_exit()]: calling ADF\n");
++	rsbac_target_id.process = task_pid(tsk);
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_TERMINATE,
++				rsbac_target_id.process,
++				T_PROCESS,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		rsbac_printk(KERN_WARNING
++				"do_exit() [sys_exit()]: ADF request for TERMINATE returned NOT_GRANTED!\n");
++	}
++#endif
++
+ 	check_stack_usage();
+ 	exit_thread();
+ 
+diff --git a/kernel/fork.c b/kernel/fork.c
+index 26f1ab0..0bc4a72 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -76,6 +76,8 @@
+ #include <asm/cacheflush.h>
+ #include <asm/tlbflush.h>
+ 
++#include <rsbac/hooks.h>
++
+ #include <trace/events/sched.h>
+ 
+ /*
+@@ -569,6 +571,27 @@ void mmput(struct mm_struct *mm)
+ }
+ EXPORT_SYMBOL_GPL(mmput);
+ 
++#ifdef CONFIG_RSBAC
++/* yes, i hate putting new functions here as much as ao does. seems like we
++ * have no choice because mmput() is beeing used from rsbac_adf_request_int()
++ * which in turn cannot be sleeping when called from do_exit(). michal. */
++void mmput_nosleep(struct mm_struct *mm)
++{
++	if (atomic_dec_and_test(&mm->mm_users)) {
++		exit_aio(mm);
++		exit_mmap(mm);
++		if (!list_empty(&mm->mmlist)) {
++			spin_lock(&mmlist_lock);
++			list_del(&mm->mmlist);
++			spin_unlock(&mmlist_lock);
++		}
++		put_swap_token(mm);
++		mmdrop(mm);
++	}
++}
++EXPORT_SYMBOL_GPL(mmput_nosleep);
++#endif
++
+ /*
+  * We added or removed a vma mapping the executable. The vmas are only mapped
+  * during exec and are not mapped with the mmap system call.
+@@ -1464,7 +1487,12 @@ struct task_struct * __cpuinit fork_idle(int cpu)
+  * It copies the process, and if successful kick-starts
+  * it and waits for it to finish using the VM if required.
+  */
++
++#ifdef CONFIG_RSBAC
++long do_fork(unsigned long long clone_flags,
++#else
+ long do_fork(unsigned long clone_flags,
++#endif
+ 	      unsigned long stack_start,
+ 	      struct pt_regs *regs,
+ 	      unsigned long stack_size,
+@@ -1475,6 +1503,31 @@ long do_fork(unsigned long clone_flags,
+ 	int trace = 0;
+ 	long nr;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	enum  rsbac_attribute_t rsbac_attribute;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC
++	rsbac_attribute = A_none;
++	rsbac_attribute_value.dummy = 0;
++	if(current->pid) {
++		rsbac_pr_debug(aef, "[sys_fork(),sys_clone(),sys_vfork]: calling ADF\n");
++		rsbac_target_id.process = task_pid(current);
++		if (!rsbac_adf_request(R_CLONE,
++					task_pid(current),
++					T_PROCESS,
++					rsbac_target_id,
++					rsbac_attribute,
++					rsbac_attribute_value))
++		{
++			return -EPERM;
++		}
++	}
++#endif
++
+ 	/*
+ 	 * Do some preliminary argument and permissions checking before we
+ 	 * actually start allocating stuff
+@@ -1539,6 +1592,33 @@ long do_fork(unsigned long clone_flags,
+ 		 */
+ 		p->flags &= ~PF_STARTING;
+ 
++#ifdef CONFIG_RSBAC
++		if (clone_flags & CLONE_KTHREAD) {
++			rsbac_attribute = A_kernel_thread;
++			rsbac_attribute_value.kernel_thread = 1;
++			rsbac_mark_kthread(task_pid(p));
++			rsbac_kthread_notify(task_pid(p));
++		}
++
++		if (current->pid)
++		{
++			rsbac_pr_debug(aef, "[sys_fork(),sys_clone(),sys_vfork()]: calling ADF_set_attr\n");
++			rsbac_new_target_id.process = task_pid(p);
++			if (rsbac_adf_set_attr(R_CLONE,
++						task_pid(current),
++						T_PROCESS,
++						rsbac_target_id,
++						T_PROCESS,
++						rsbac_new_target_id,
++						rsbac_attribute,
++						rsbac_attribute_value))
++			{
++				rsbac_printk(KERN_WARNING
++						"do_fork() [sys_fork(), sys_clone()]: rsbac_adf_set_attr() returned error!\n");
++			}
++		}
++#endif
++
+ 		wake_up_new_task(p);
+ 
+ 		/* forking complete and child started to run, tell ptracer */
+diff --git a/kernel/groups.c b/kernel/groups.c
+index 99b53d1..506b5fb 100644
+--- a/kernel/groups.c
++++ b/kernel/groups.c
+@@ -8,6 +8,8 @@
+ #include <linux/syscalls.h>
+ #include <asm/uaccess.h>
+ 
++#include <rsbac/hooks.h>
++
+ /* init to 2 - one for init_task, one to ensure it is never freed */
+ struct group_info init_groups = { .usage = ATOMIC_INIT(2) };
+ 
+@@ -233,6 +235,12 @@ SYSCALL_DEFINE2(setgroups, int, gidsetsize, gid_t __user *, grouplist)
+ 	struct group_info *group_info;
+ 	int retval;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++	int i;
++#endif
++
+ 	if (!nsown_capable(CAP_SETGID))
+ 		return -EPERM;
+ 	if ((unsigned)gidsetsize > NGROUPS_MAX)
+@@ -247,6 +255,25 @@ SYSCALL_DEFINE2(setgroups, int, gidsetsize, gid_t __user *, grouplist)
+ 		return retval;
+ 	}
+ 
++#ifdef CONFIG_RSBAC
++	if (gidsetsize > 0) {
++		rsbac_pr_debug(aef, "calling ADF\n");
++		rsbac_target_id.process = task_pid(current);
++		for (i=0; i < gidsetsize; i++) {
++			rsbac_attribute_value.group = RSBAC_GEN_GID(RSBAC_UM_VIRTUAL_KEEP, group_info->blocks[i / NGROUPS_PER_BLOCK][i]);
++			if(!rsbac_adf_request(R_CHANGE_GROUP,
++						task_pid(current),
++						T_PROCESS,
++						rsbac_target_id,
++						A_group,
++						rsbac_attribute_value)) {
++				put_group_info(group_info);
++				return -EPERM;
++			}
++		}
++	}
++#endif
++
+ 	retval = set_current_groups(group_info);
+ 	put_group_info(group_info);
+ 
+diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
+index 079f1d3..5279edbb 100644
+--- a/kernel/kallsyms.c
++++ b/kernel/kallsyms.c
+@@ -26,6 +26,8 @@
+ 
+ #include <asm/sections.h>
+ 
++#include <rsbac/hooks.h>
++
+ #ifdef CONFIG_KALLSYMS_ALL
+ #define all_var 1
+ #else
+@@ -540,6 +542,26 @@ static int kallsyms_open(struct inode *inode, struct file *file)
+ 	struct kallsym_iter *iter;
+ 	int ret;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC
++	rsbac_target_id.scd = ST_ksyms;
++	rsbac_attribute_value.dummy = 0;
++	rsbac_pr_debug(aef, "calling ADF\n");
++	if(!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				T_SCD,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		return -EPERM;
++	}
++#endif
++
+ 	iter = kmalloc(sizeof(*iter), GFP_KERNEL);
+ 	if (!iter)
+ 		return -ENOMEM;
+diff --git a/kernel/kexec.c b/kernel/kexec.c
+index dc7bc08..7844c96 100644
+--- a/kernel/kexec.c
++++ b/kernel/kexec.c
+@@ -41,6 +41,8 @@
+ #include <asm/system.h>
+ #include <asm/sections.h>
+ 
++#include <rsbac/hooks.h>
++
+ /* Per cpu memory for storing cpu states in case of system crash. */
+ note_buf_t __percpu *crash_notes;
+ 
+@@ -945,10 +947,30 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
+ 	struct kimage **dest_image, *image;
+ 	int result;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t	rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	/* We only trust the superuser with rebooting the system. */
+ 	if (!capable(CAP_SYS_BOOT))
+ 		return -EPERM;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_target_id.scd = ST_kexec;
++	rsbac_attribute_value.dummy = 0;
++	rsbac_pr_debug(aef, "calling ADF\n");
++	if(!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++				task_pid(current),
++				T_SCD,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		return -EPERM;
++	}
++#endif
++
+ 	/*
+ 	 * Verify we have a legal set of flags
+ 	 * This leaves us room for future extensions.
+diff --git a/kernel/module.c b/kernel/module.c
+index 6969ef0..741890c 100644
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -59,6 +59,8 @@
+ #include <linux/pfn.h>
+ #include <linux/bsearch.h>
+ 
++#include <rsbac/hooks.h>
++
+ #define CREATE_TRACE_POINTS
+ #include <trace/events/module.h>
+ 
+@@ -778,6 +780,11 @@ SYSCALL_DEFINE2(delete_module, const char __user *, name_user,
+ 	char name[MODULE_NAME_LEN];
+ 	int ret, forced = 0;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!capable(CAP_SYS_MODULE) || modules_disabled)
+ 		return -EPERM;
+ 
+@@ -787,6 +794,19 @@ SYSCALL_DEFINE2(delete_module, const char __user *, name_user,
+ 
+ 	if (mutex_lock_interruptible(&module_mutex) != 0)
+ 		return -EINTR;
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.dummy = 0;
++	rsbac_attribute_value.mod_name = name;
++	if (!rsbac_adf_request(R_REMOVE_FROM_KERNEL,
++				task_pid(current),
++				T_NONE,
++				rsbac_target_id,
++				A_mod_name,
++				rsbac_attribute_value))
++		ret = -EPERM;
++		goto out;
++#endif
+ 
+ 	mod = find_module(name);
+ 	if (!mod) {
+@@ -2952,10 +2972,28 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
+ 	struct module *mod;
+ 	int ret = 0;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	/* Must have permission */
+ 	if (!capable(CAP_SYS_MODULE) || modules_disabled)
+ 		return -EPERM;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.dummy = 0;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_ADD_TO_KERNEL,
++				task_pid(current),
++				T_NONE,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
+ 	/* Do all the hard work */
+ 	mod = load_module(umod, len, uargs);
+ 	if (IS_ERR(mod))
+diff --git a/kernel/printk.c b/kernel/printk.c
+index 7982a0a..ecaa0ae 100644
+--- a/kernel/printk.c
++++ b/kernel/printk.c
+@@ -44,6 +44,8 @@
+ 
+ #include <asm/uaccess.h>
+ 
++#include <rsbac/hooks.h>
++
+ /*
+  * Architectures can override it:
+  */
+@@ -336,6 +338,11 @@ int do_syslog(int type, char __user *buf, int len, bool from_file)
+ 	char c;
+ 	int error;
+ 
++#ifdef CONFIG_RSBAC_SYSLOG
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	error = check_syslog_permissions(type, from_file);
+ 	if (error)
+ 		goto out;
+@@ -344,6 +351,44 @@ int do_syslog(int type, char __user *buf, int len, bool from_file)
+ 	if (error)
+ 		return error;
+ 
++#ifdef CONFIG_RSBAC_SYSLOG
++	rsbac_pr_debug(aef, "[sys_syslog()]: calling ADF\n");
++	rsbac_target_id.scd = ST_syslog;
++	rsbac_attribute_value.dummy = 0;
++	switch(type) {
++		case 2:
++		case 3:
++			if (!rsbac_adf_request(R_GET_STATUS_DATA,
++						task_pid(current),
++						T_SCD,
++						rsbac_target_id,
++						A_none,
++						rsbac_attribute_value)) {
++				error = -EPERM;
++				goto out;
++			}
++			break;
++		case 4:
++		case 5:
++		case 6:
++		case 7:
++		case 8:
++			if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++						task_pid(current),
++						T_SCD,
++						rsbac_target_id,
++						A_none,
++						rsbac_attribute_value)) {
++				error = -EPERM;
++				goto out;
++			}
++			break;
++
++		default:
++			break;
++	}
++#endif
++
+ 	switch (type) {
+ 	case SYSLOG_ACTION_CLOSE:	/* Close log */
+ 		break;
+diff --git a/kernel/ptrace.c b/kernel/ptrace.c
+index 78ab24a..eb803a6 100644
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -32,6 +32,8 @@ static int ptrace_trapping_sleep_fn(void *flags)
+ 	return 0;
+ }
+ 
++#include <rsbac/hooks.h>
++
+ /*
+  * ptrace a task: make the debugger its new parent and
+  * move it to the ptrace list.
+@@ -869,7 +871,26 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr,
+ 	struct task_struct *child;
+ 	long ret;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++        union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (request == PTRACE_TRACEME) {
++#ifdef CONFIG_RSBAC
++		rsbac_pr_debug(aef, "[sys_ptrace] calling ADF\n");
++		rsbac_target_id.process = task_pid(current);
++		rsbac_attribute_value.trace_request = PTRACE_TRACEME;
++		if (!rsbac_adf_request(R_TRACE,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_trace_request,
++				rsbac_attribute_value)) {
++			return -EPERM;
++		}
++#endif
++
+ 		ret = ptrace_traceme();
+ 		if (!ret)
+ 			arch_ptrace_attach(current);
+@@ -882,6 +903,23 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr,
+ 		goto out;
+ 	}
+ 
++#ifdef CONFIG_RSBAC
++	if (request != PTRACE_DETACH) {
++		rsbac_pr_debug(aef, "[sys_ptrace] calling ADF\n");
++		rsbac_target_id.process = task_pid(child);
++		rsbac_attribute_value.trace_request = request;
++		if (!rsbac_adf_request(R_TRACE,
++					task_pid(current),
++					T_PROCESS,
++					rsbac_target_id,
++					A_trace_request,
++					rsbac_attribute_value)) {
++			ret = -EPERM;
++			goto out_put_task_struct;
++		}
++	}
++#endif
++
+ 	if (request == PTRACE_ATTACH || request == PTRACE_SEIZE) {
+ 		ret = ptrace_attach(child, request, data);
+ 		/*
+diff --git a/kernel/sched.c b/kernel/sched.c
+index 299f55c..b66e9d6 100644
+--- a/kernel/sched.c
++++ b/kernel/sched.c
+@@ -80,6 +80,8 @@
+ #include <asm/paravirt.h>
+ #endif
+ 
++#include <rsbac/hooks.h>
++
+ #include "sched_cpupri.h"
+ #include "workqueue_sched.h"
+ #include "sched_autogroup.h"
+@@ -5113,6 +5115,10 @@ int can_nice(const struct task_struct *p, const int nice)
+ SYSCALL_DEFINE1(nice, int, increment)
+ {
+ 	long nice, retval;
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
+ 
+ 	/*
+ 	 * Setpriority might change our priority at the same moment.
+@@ -5133,6 +5139,22 @@ SYSCALL_DEFINE1(nice, int, increment)
+ 	if (increment < 0 && !can_nice(current, nice))
+ 		return -EPERM;
+ 
++#ifdef CONFIG_RSBAC
++	if (increment < 0) {
++		rsbac_pr_debug(aef, "calling ADF\n");
++		rsbac_target_id.scd = ST_priority;
++		rsbac_attribute_value.priority = nice;
++		if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++					task_pid(current),
++					T_SCD,
++					rsbac_target_id,
++					A_none,
++					rsbac_attribute_value)) {
++			return -EPERM;
++		}
++	}
++#endif
++
+ 	retval = security_task_setnice(current, nice);
+ 	if (retval)
+ 		return retval;
+@@ -5435,6 +5457,12 @@ do_sched_setscheduler(pid_t pid, int policy, struct sched_param __user *param)
+ 	struct task_struct *p;
+ 	int retval;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!param || pid < 0)
+ 		return -EINVAL;
+ 	if (copy_from_user(&lparam, param, sizeof(struct sched_param)))
+@@ -5443,8 +5471,31 @@ do_sched_setscheduler(pid_t pid, int policy, struct sched_param __user *param)
+ 	rcu_read_lock();
+ 	retval = -ESRCH;
+ 	p = find_process_by_pid(pid);
+-	if (p != NULL)
++	if (p != NULL) {
++
++#ifdef CONFIG_RSBAC
++		rsbac_pr_debug(aef, "[sys_sched_setscheduler, sys_sched_setparam]: calling ADF\n");
++		if (!pid || (pid == current->pid)) {
++			rsbac_target = T_SCD;
++			rsbac_target_id.scd = ST_priority;
++		} else {
++			rsbac_target = T_PROCESS;
++			rsbac_target_id.process = task_pid(p);
++		}
++		rsbac_attribute_value.dummy = 0;
++		if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					A_none,
++					rsbac_attribute_value)) {
++			rcu_read_unlock();
++			return -EPERM;
++		}
++#endif
++
+ 		retval = sched_setscheduler(p, policy, &lparam);
++	}
+ 	rcu_read_unlock();
+ 
+ 	return retval;
+@@ -5485,9 +5536,35 @@ SYSCALL_DEFINE1(sched_getscheduler, pid_t, pid)
+ 	struct task_struct *p;
+ 	int retval;
+ 
++#ifdef CONFIG_RSBAC
++        enum  rsbac_target_t rsbac_target;
++        union rsbac_target_id_t rsbac_target_id;
++        union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (pid < 0)
+ 		return -EINVAL;
+ 
++#ifdef CONFIG_RSBAC
++        rsbac_pr_debug(aef, "[sys_sched_getscheduler]: calling ADF\n");
++        if (!pid || (pid == current->pid)) {
++                rsbac_target = T_SCD;
++                rsbac_target_id.scd = ST_priority;
++        } else {
++                rsbac_target = T_PROCESS;
++                rsbac_target_id.process = find_pid_ns(pid, &init_pid_ns);
++        }
++        rsbac_attribute_value.dummy = 0;
++        if (!rsbac_adf_request(R_GET_STATUS_DATA,
++                                task_pid(current),
++                                rsbac_target,
++                                rsbac_target_id,
++                                A_none,
++                                rsbac_attribute_value)) {
++                return -EPERM;
++        }
++#endif
++
+ 	retval = -ESRCH;
+ 	rcu_read_lock();
+ 	p = find_process_by_pid(pid);
+@@ -5512,9 +5589,35 @@ SYSCALL_DEFINE2(sched_getparam, pid_t, pid, struct sched_param __user *, param)
+ 	struct task_struct *p;
+ 	int retval;
+ 
++#ifdef CONFIG_RSBAC
++        enum  rsbac_target_t rsbac_target;
++        union rsbac_target_id_t rsbac_target_id;
++        union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!param || pid < 0)
+ 		return -EINVAL;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[sys_sched_getparam]: calling ADF\n");
++	if (!pid || (pid == current->pid)) {
++		rsbac_target = T_SCD;
++		rsbac_target_id.scd = ST_priority;
++	} else {
++		rsbac_target = T_PROCESS;
++		rsbac_target_id.process = find_pid_ns(pid, &init_pid_ns);
++	}
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	rcu_read_lock();
+ 	p = find_process_by_pid(pid);
+ 	retval = -ESRCH;
+@@ -5542,6 +5645,12 @@ out_unlock:
+ 
+ long sched_setaffinity(pid_t pid, const struct cpumask *in_mask)
+ {
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	cpumask_var_t cpus_allowed, new_mask;
+ 	struct task_struct *p;
+ 	int retval;
+@@ -5576,6 +5685,27 @@ long sched_setaffinity(pid_t pid, const struct cpumask *in_mask)
+ 	if (retval)
+ 		goto out_unlock;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[sys_sched_setaffinity]: calling ADF\n");
++	if (p == current) {
++		rsbac_target = T_SCD;
++		rsbac_target_id.scd = ST_priority;
++	} else {
++		rsbac_target = T_PROCESS;
++		rsbac_target_id.process = task_pid(p);
++	}
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		retval = -EPERM;
++		goto out_unlock;
++	}
++#endif
++
+ 	cpuset_cpus_allowed(p, cpus_allowed);
+ 	cpumask_and(new_mask, in_mask, cpus_allowed);
+ again:
+@@ -5641,6 +5771,31 @@ long sched_getaffinity(pid_t pid, struct cpumask *mask)
+ 	struct task_struct *p;
+ 	unsigned long flags;
+ 	int retval;
++#ifdef CONFIG_RSBAC
++	enum rsbac_target_t rsbac_target;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[sched_getaffinity]: calling ADF\n");
++	if (!pid || (pid == current->pid)) {
++		rsbac_target = T_SCD;
++		rsbac_target_id.scd = ST_priority;
++	} else {
++		rsbac_target = T_PROCESS;
++		rsbac_target_id.process = find_pid_ns(pid, &init_pid_ns);
++	}
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
+ 
+ 	get_online_cpus();
+ 	rcu_read_lock();
+@@ -5966,9 +6121,35 @@ SYSCALL_DEFINE2(sched_rr_get_interval, pid_t, pid,
+ 	int retval;
+ 	struct timespec t;
+ 
++#ifdef CONFIG_RSBAC
++	enum rsbac_target_t rsbac_target;
++        union rsbac_target_id_t rsbac_target_id;
++        union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (pid < 0)
+ 		return -EINVAL;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[sys_sched_rr_get_interval]: calling ADF\n");
++	if (!pid || (pid == current->pid)) {
++		rsbac_target = T_SCD;
++		rsbac_target_id.scd = ST_priority;
++	} else {
++		rsbac_target = T_PROCESS;
++		rsbac_target_id.process = find_pid_ns(pid, &init_pid_ns);
++	}
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	retval = -ESRCH;
+ 	rcu_read_lock();
+ 	p = find_process_by_pid(pid);
+diff --git a/kernel/signal.c b/kernel/signal.c
+index 08e0b97..c1fa91e 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -37,6 +37,8 @@
+ #include <asm/siginfo.h>
+ #include "audit.h"	/* audit_signal_info() */
+ 
++#include <rsbac/hooks.h>
++
+ /*
+  * SLAB caches for signal bits.
+  */
+@@ -789,6 +791,11 @@ static int check_kill_permission(int sig, struct siginfo *info,
+ 	struct pid *sid;
+ 	int error;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!valid_signal(sig))
+ 		return -EINVAL;
+ 
+@@ -815,6 +822,23 @@ static int check_kill_permission(int sig, struct siginfo *info,
+ 		}
+ 	}
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[group_send_sig_info(), sys_tgkill(),sys_tkill()]: calling ADF\n");
++	rsbac_target_id.process = task_pid(t);
++	rsbac_attribute_value.dummy = 0;
++	if ((!info || ((unsigned long)info != 1
++			&& (unsigned long)info != 2 && SI_FROMUSER(info)))
++			&& ((sig != SIGCONT) || (task_session(current) != task_session(t)))
++				&& !rsbac_adf_request(R_SEND_SIGNAL,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)
++	  )
++		return -EPERM;
++#endif
++
+ 	return security_task_kill(t, info, sig, 0);
+ }
+ 
+diff --git a/kernel/sys.c b/kernel/sys.c
+index 481611f..79f777f 100644
+--- a/kernel/sys.c
++++ b/kernel/sys.c
+@@ -54,6 +54,8 @@
+ #include <asm/io.h>
+ #include <asm/unistd.h>
+ 
++#include <rsbac/hooks.h>
++
+ #ifndef SET_UNALIGN_CTL
+ # define SET_UNALIGN_CTL(a,b)	(-EINVAL)
+ #endif
+@@ -178,6 +180,12 @@ SYSCALL_DEFINE3(setpriority, int, which, int, who, int, niceval)
+ 	int error = -EINVAL;
+ 	struct pid *pgrp;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (which > PRIO_USER || which < PRIO_PROCESS)
+ 		goto out;
+ 
+@@ -188,6 +196,37 @@ SYSCALL_DEFINE3(setpriority, int, which, int, who, int, niceval)
+ 	if (niceval > 19)
+ 		niceval = 19;
+ 
++#ifdef CONFIG_RSBAC
++	if ((niceval < (current->static_prio - MAX_RT_PRIO - 20)) || ((which == PRIO_PROCESS) 
++				&& (who != 0)
++				&& (who != current->pid))
++					|| ((which == PRIO_PGRP)
++					&& (who != 0)
++					&& (who != current->pid))) {
++		rsbac_pr_debug(aef, "calling ADF\n");
++		rcu_read_lock();
++		if (niceval < (current->static_prio - MAX_RT_PRIO - 20)) {
++			rsbac_target = T_SCD;
++			rsbac_target_id.scd = ST_priority;
++		} else {
++			rsbac_target = T_PROCESS;
++			rsbac_target_id.process = find_pid_ns(who, &init_pid_ns);
++		}
++		rsbac_attribute_value.priority = niceval;
++		if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					A_priority,
++					rsbac_attribute_value)) {
++			rcu_read_unlock();
++			error = -EPERM;
++			goto out;
++		}
++		rcu_read_unlock();
++	}
++#endif
++
+ 	rcu_read_lock();
+ 	read_lock(&tasklist_lock);
+ 	switch (which) {
+@@ -432,6 +471,11 @@ SYSCALL_DEFINE4(reboot, int, magic1, int, magic2, unsigned int, cmd,
+ 	char buffer[256];
+ 	int ret = 0;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	/* We only trust the superuser with rebooting the system. */
+ 	if (!capable(CAP_SYS_BOOT))
+ 		return -EPERM;
+@@ -450,6 +494,20 @@ SYSCALL_DEFINE4(reboot, int, magic1, int, magic2, unsigned int, cmd,
+ 	if ((cmd == LINUX_REBOOT_CMD_POWER_OFF) && !pm_power_off)
+ 		cmd = LINUX_REBOOT_CMD_HALT;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.dummy = 0;
++	rsbac_attribute_value.reboot_cmd = cmd;
++	if (!rsbac_adf_request(R_SHUTDOWN,
++				task_pid(current),
++				T_NONE,
++				rsbac_target_id,
++				A_reboot_cmd,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	mutex_lock(&reboot_mutex);
+ 	switch (cmd) {
+ 	case LINUX_REBOOT_CMD_RESTART:
+@@ -555,18 +613,66 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, gid_t, egid)
+ 
+ 	retval = -EPERM;
+ 	if (rgid != (gid_t) -1) {
+-		if (old->gid == rgid ||
++
++#ifdef CONFIG_RSBAC
++		union rsbac_target_id_t rsbac_target_id;
++		union rsbac_attribute_value_t rsbac_attribute_value;
++
++		rsbac_pr_debug(aef, "calling ADF\n");
++		rsbac_target_id.process = task_pid(current);
++		rsbac_attribute_value.long_dummy = 0;
++		rsbac_attribute_value.group = RSBAC_GEN_GID(RSBAC_UM_VIRTUAL_KEEP, rgid);
++#endif
++
++		if ((old->gid == rgid ||
+ 		    old->egid == rgid ||
+ 		    nsown_capable(CAP_SETGID))
++
++#ifdef CONFIG_RSBAC
++				&& rsbac_adf_request(R_CHANGE_GROUP,
++					task_pid(current),
++					T_PROCESS,
++					rsbac_target_id,
++					A_group,
++					rsbac_attribute_value)
++#endif
++                   )
+ 			new->gid = rgid;
+ 		else
+ 			goto error;
+ 	}
+ 	if (egid != (gid_t) -1) {
+-		if (old->gid == egid ||
++
++#ifdef CONFIG_RSBAC_DAC_GROUP
++		union rsbac_target_id_t rsbac_target_id;
++		union rsbac_attribute_value_t rsbac_attribute_value;
++
++		rsbac_pr_debug(aef, "calling ADF\n");
++		rsbac_target_id.process = task_pid(current);
++		rsbac_attribute_value.long_dummy = 0;
++		rsbac_attribute_value.group = RSBAC_GEN_GID(RSBAC_UM_VIRTUAL_KEEP, egid);
++#endif
++
++		if ((old->gid == egid ||
+ 		    old->egid == egid ||
+ 		    old->sgid == egid ||
+ 		    nsown_capable(CAP_SETGID))
++
++#ifdef CONFIG_RSBAC_DAC_GROUP
++				&& rsbac_adf_request(R_CHANGE_DAC_EFF_GROUP,
++					task_pid(current),
++					T_PROCESS,
++					rsbac_target_id,
++					A_group,
++					rsbac_attribute_value)
++				&& rsbac_adf_request(R_CHANGE_DAC_FS_GROUP,
++					task_pid(current),
++					T_PROCESS,
++					rsbac_target_id,
++					A_group,
++					rsbac_attribute_value)
++#endif
++                   )
+ 			new->egid = egid;
+ 		else
+ 			goto error;
+@@ -595,16 +701,68 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
+ 	struct cred *new;
+ 	int retval;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	new = prepare_creds();
+ 	if (!new)
+ 		return -ENOMEM;
+ 	old = current_cred();
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.process = task_pid(current);
++	rsbac_attribute_value.group = RSBAC_GEN_GID(RSBAC_UM_VIRTUAL_KEEP, gid);
++#endif
++
+ 	retval = -EPERM;
+-	if (nsown_capable(CAP_SETGID))
++	if ((nsown_capable(CAP_SETGID))
++#ifdef CONFIG_RSBAC
++			&& rsbac_adf_request(R_CHANGE_GROUP,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_group,
++				rsbac_attribute_value)
++#ifdef CONFIG_RSBAC_DAC_GROUP
++			&& rsbac_adf_request(R_CHANGE_DAC_EFF_GROUP,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_group,
++				rsbac_attribute_value)
++			&& rsbac_adf_request(R_CHANGE_DAC_FS_GROUP,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_group,
++				rsbac_attribute_value)
++#endif
++#endif
++           )
++	{
+ 		new->gid = new->egid = new->sgid = new->fsgid = gid;
+-	else if (gid == old->gid || gid == old->sgid)
++	} else if ((gid == old->gid || gid == old->sgid)
++#ifdef CONFIG_RSBAC_DAC_GROUP
++			&& rsbac_adf_request(R_CHANGE_DAC_EFF_GROUP,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_group,
++				rsbac_attribute_value)
++			&& rsbac_adf_request(R_CHANGE_DAC_FS_GROUP,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_group,
++				rsbac_attribute_value)
++#endif
++                )
++	{
+ 		new->egid = new->fsgid = gid;
++	}
+ 	else
+ 		goto error;
+ 
+@@ -665,6 +823,12 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid)
+ 	struct cred *new;
+ 	int retval;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	new = prepare_creds();
+ 	if (!new)
+ 		return -ENOMEM;
+@@ -698,11 +862,106 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid)
+ 		new->suid = new->euid;
+ 	new->fsuid = new->euid;
+ 
++#ifdef CONFIG_RSBAC
++	if (ruid != (uid_t) -1) {
++		rsbac_pr_debug(aef, "calling ADF\n");
++		rsbac_target_id.process = task_pid(current);
++		rsbac_attribute_value.long_dummy = 0;
++		rsbac_attribute_value.owner = RSBAC_GEN_UID(RSBAC_UM_VIRTUAL_KEEP, ruid);
++		if (!rsbac_adf_request(R_CHANGE_OWNER,
++					task_pid(current),
++					T_PROCESS,
++					rsbac_target_id,
++					A_owner,
++					rsbac_attribute_value)) {
++			retval = -EPERM;
++			goto error;
++		}
++	}
++#ifdef CONFIG_RSBAC_DAC_OWNER
++	if (euid != (uid_t) -1) {
++		rsbac_pr_debug(aef, "calling ADF for euid\n");
++		rsbac_target_id.process = task_pid(current);
++		rsbac_attribute_value.long_dummy = 0;
++		rsbac_attribute_value.owner = RSBAC_GEN_UID(RSBAC_UM_VIRTUAL_KEEP, euid);
++		if (!rsbac_adf_request(R_CHANGE_DAC_EFF_OWNER,
++					task_pid(current),
++					T_PROCESS,
++					rsbac_target_id,
++					A_owner,
++					rsbac_attribute_value)) {
++			retval = -EPERM;
++			goto error;
++		}
++		if (!rsbac_adf_request(R_CHANGE_DAC_FS_OWNER,
++					task_pid(current),
++					T_PROCESS,
++					rsbac_target_id,
++					A_owner,
++					rsbac_attribute_value)) {
++			retval = -EPERM;
++			goto error;
++		}
++	}
++#endif
++#endif
++
+ 	retval = security_task_fix_setuid(new, old, LSM_SETID_RE);
+ 	if (retval < 0)
+ 		goto error;
+ 
+-	return commit_creds(new);
++	retval = commit_creds(new);
++
++#ifdef CONFIG_RSBAC
++	if(!retval) {
++		if(ruid != (uid_t) -1) {
++			rsbac_set_audit_uid(old->uid);
++			rsbac_attribute_value.owner = RSBAC_GEN_UID(RSBAC_UM_VIRTUAL_KEEP, current_uid());
++			rsbac_new_target_id.dummy = 0;
++			if (rsbac_adf_set_attr(R_CHANGE_OWNER,
++						task_pid(current),
++						T_PROCESS,
++						rsbac_target_id,
++						T_NONE,
++						rsbac_new_target_id,
++						A_owner,
++						rsbac_attribute_value)) {
++				rsbac_printk(KERN_WARNING
++						"sys_setreuid(): rsbac_adf_set_attr() returned error");
++			}
++		}
++#ifdef CONFIG_RSBAC_DAC_OWNER
++		if(euid != (uid_t) -1) {
++			rsbac_attribute_value.owner = RSBAC_GEN_UID(RSBAC_UM_VIRTUAL_KEEP, current_euid());
++			rsbac_new_target_id.dummy = 0;
++			if (rsbac_adf_set_attr(R_CHANGE_DAC_EFF_OWNER,
++						task_pid(current),
++						T_PROCESS,
++						rsbac_target_id,
++						T_NONE,
++						rsbac_new_target_id,
++						A_owner,
++						rsbac_attribute_value)) {
++				rsbac_printk(KERN_WARNING
++						"sys_setreuid(): rsbac_adf_set_attr() for euid returned error");
++			}
++			if (rsbac_adf_set_attr(R_CHANGE_DAC_FS_OWNER,
++						task_pid(current),
++						T_PROCESS,
++						rsbac_target_id,
++						T_NONE,
++						rsbac_new_target_id,
++						A_owner,
++						rsbac_attribute_value)) {
++				printk(KERN_WARNING
++						"sys_setreuid(): rsbac_adf_set_attr() for fsuid returned error");
++			}
++		}
++#endif
++	}
++#endif
++
++	return retval;
+ 
+ error:
+ 	abort_creds(new);
+@@ -726,11 +985,60 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
+ 	struct cred *new;
+ 	int retval;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC_FAKE_ROOT_UID
++	if(!uid && rsbac_uid_faked())
++		return 0;
++#endif
++
+ 	new = prepare_creds();
+ 	if (!new)
+ 		return -ENOMEM;
+ 	old = current_cred();
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.process = task_pid(current);
++	rsbac_attribute_value.long_dummy = 0;
++	rsbac_attribute_value.owner = RSBAC_GEN_UID(RSBAC_UM_VIRTUAL_KEEP, uid);
++	if(!rsbac_adf_request(R_CHANGE_OWNER,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_owner,
++				rsbac_attribute_value)) {
++		retval = -EPERM;
++		goto error;
++	}
++#ifdef CONFIG_RSBAC_DAC_OWNER
++	rsbac_pr_debug(aef, "calling ADF for euid\n");
++	if (!rsbac_adf_request(R_CHANGE_DAC_EFF_OWNER,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_owner,
++				rsbac_attribute_value)) {
++		retval = -EPERM;
++		goto error;
++	}
++	rsbac_pr_debug(aef, "calling ADF for fsuid\n");
++	if (!rsbac_adf_request(R_CHANGE_DAC_FS_OWNER,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_owner,
++				rsbac_attribute_value)) {
++		retval = -EPERM;
++		goto error;
++	}
++#endif
++#endif
++
+ 	retval = -EPERM;
+ 	if (nsown_capable(CAP_SETUID)) {
+ 		new->suid = new->uid = uid;
+@@ -749,7 +1057,53 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
+ 	if (retval < 0)
+ 		goto error;
+ 
+-	return commit_creds(new);
++	retval = commit_creds(new);
++
++#ifdef CONFIG_RSBAC
++	if (!retval) {
++		rsbac_set_audit_uid(old->uid);
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(R_CHANGE_OWNER,
++					task_pid(current),
++					T_PROCESS,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					A_owner,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_WARNING
++					"sys_setuid(): rsbac_adf_set_attr() returned error");
++		}
++#ifdef CONFIG_RSBAC_DAC_OWNER
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(R_CHANGE_DAC_EFF_OWNER,
++					task_pid(current),
++					T_PROCESS,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					A_owner,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_WARNING
++					"sys_setuid(): rsbac_adf_set_attr() for euid returned error");
++		}
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(R_CHANGE_DAC_FS_OWNER,
++					task_pid(current),
++					T_PROCESS,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					A_owner,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_WARNING
++					"sys_setuid(): rsbac_adf_set_attr() for fsuid returned error");
++		}
++#endif
++	}
++#endif
++
++	return retval;
+ 
+ error:
+ 	abort_creds(new);
+@@ -767,6 +1121,12 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid)
+ 	struct cred *new;
+ 	int retval;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	new = prepare_creds();
+ 	if (!new)
+ 		return -ENOMEM;
+@@ -786,6 +1146,51 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid)
+ 			goto error;
+ 	}
+ 
++#ifdef CONFIG_RSBAC
++	if(ruid != (uid_t) -1) {
++		rsbac_pr_debug(aef, "calling ADF\n");
++		rsbac_target_id.process = task_pid(current);
++		rsbac_attribute_value.long_dummy = 0;
++		rsbac_attribute_value.owner = RSBAC_GEN_UID(RSBAC_UM_VIRTUAL_KEEP, ruid);
++		if(!rsbac_adf_request(R_CHANGE_OWNER,
++					task_pid(current),
++					T_PROCESS,
++					rsbac_target_id,
++					A_owner,
++					rsbac_attribute_value)) {
++			retval = -EPERM;
++			goto error;
++		}
++	}
++#ifdef CONFIG_RSBAC_DAC_OWNER
++	if(euid != (uid_t) -1) {
++		rsbac_pr_debug(aef, "calling ADF for euid\n");
++		rsbac_target_id.process = task_pid(current);
++		rsbac_attribute_value.long_dummy = 0;
++		rsbac_attribute_value.owner = RSBAC_GEN_UID(RSBAC_UM_VIRTUAL_KEEP, euid);
++		if(!rsbac_adf_request(R_CHANGE_DAC_EFF_OWNER,
++					task_pid(current),
++					T_PROCESS,
++					rsbac_target_id,
++					A_owner,
++					rsbac_attribute_value)) {
++			retval = -EPERM;
++			goto error;
++		}
++		rsbac_pr_debug(aef, "calling ADF for fsuid\n");
++		if(!rsbac_adf_request(R_CHANGE_DAC_FS_OWNER,
++					task_pid(current),
++					T_PROCESS,
++					rsbac_target_id,
++					A_owner,
++					rsbac_attribute_value)) {
++			retval = -EPERM;
++			goto error;
++		}
++	}
++#endif
++#endif
++
+ 	if (ruid != (uid_t) -1) {
+ 		new->uid = ruid;
+ 		if (ruid != old->uid) {
+@@ -804,7 +1209,58 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid)
+ 	if (retval < 0)
+ 		goto error;
+ 
+-	return commit_creds(new);
++	retval = commit_creds(new);
++
++#ifdef CONFIG_RSBAC
++	if (!retval) {
++		if(ruid != (uid_t) -1) {
++			rsbac_set_audit_uid(old->uid);
++			rsbac_new_target_id.dummy = 0;
++			rsbac_attribute_value.owner = RSBAC_GEN_UID(RSBAC_UM_VIRTUAL_KEEP, current_uid());
++			if (rsbac_adf_set_attr(R_CHANGE_OWNER,
++						task_pid(current),
++						T_PROCESS,
++						rsbac_target_id,
++						T_NONE,
++						rsbac_new_target_id,
++						A_owner,
++						rsbac_attribute_value)) {
++				rsbac_printk(KERN_WARNING
++						"sys_setresuid(): rsbac_adf_set_attr() returned error");
++			}
++		}
++#ifdef CONFIG_RSBAC_DAC_OWNER
++		if(euid != (uid_t) -1) {
++			rsbac_new_target_id.dummy = 0;
++			rsbac_attribute_value.owner = RSBAC_GEN_UID(RSBAC_UM_VIRTUAL_KEEP, current_euid());
++			if (rsbac_adf_set_attr(R_CHANGE_DAC_EFF_OWNER,
++						task_pid(current),
++						T_PROCESS,
++						rsbac_target_id,
++						T_NONE,
++						rsbac_new_target_id,
++						A_owner,
++						rsbac_attribute_value)) {
++				rsbac_printk(KERN_WARNING
++						"sys_setreuid(): rsbac_adf_set_attr() for euid returned error\n");
++			}
++			if (rsbac_adf_set_attr(R_CHANGE_DAC_FS_OWNER,
++						task_pid(current),
++						T_PROCESS,
++						rsbac_target_id,
++						T_NONE,
++						rsbac_new_target_id,
++						A_owner,
++						rsbac_attribute_value))	{
++				rsbac_printk(KERN_WARNING
++						"sys_setreuid(): rsbac_adf_set_attr() for fsuid returned error\n");
++			}
++		}
++#endif
++	}
++#endif
++
++	return retval;
+ 
+ error:
+ 	abort_creds(new);
+@@ -832,6 +1288,11 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid)
+ 	struct cred *new;
+ 	int retval;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	new = prepare_creds();
+ 	if (!new)
+ 		return -ENOMEM;
+@@ -850,10 +1311,50 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid)
+ 			goto error;
+ 	}
+ 
+-	if (rgid != (gid_t) -1)
++	if (rgid != (gid_t) -1) {
++#ifdef CONFIG_RSBAC
++		rsbac_pr_debug(aef, "calling ADF\n");
++		rsbac_target_id.process = task_pid(current);
++		rsbac_attribute_value.group = RSBAC_GEN_GID(RSBAC_UM_VIRTUAL_KEEP, rgid);
++		if(!rsbac_adf_request(R_CHANGE_GROUP,
++					task_pid(current),
++					T_PROCESS,
++					rsbac_target_id,
++					A_group,
++					rsbac_attribute_value)) {
++			retval = -EPERM;
++			goto error;
++		}
++#endif
+ 		new->gid = rgid;
+-	if (egid != (gid_t) -1)
++	}
++
++	if (egid != (gid_t) -1) {
++#ifdef CONFIG_RSBAC_DAC_GROUP
++		rsbac_pr_debug(aef, "calling ADF\n");
++		rsbac_target_id.process = task_pid(current);
++		rsbac_attribute_value.group = RSBAC_GEN_GID(RSBAC_UM_VIRTUAL_KEEP, egid);
++		if (!rsbac_adf_request(R_CHANGE_DAC_EFF_GROUP,
++					task_pid(current),
++					T_PROCESS,
++					rsbac_target_id,
++					A_group,
++					rsbac_attribute_value)) {
++			retval = -EPERM;
++			goto error;
++		}
++		if (!rsbac_adf_request(R_CHANGE_DAC_FS_GROUP,
++					task_pid(current),
++					T_PROCESS,
++					rsbac_target_id,
++					A_group,
++					rsbac_attribute_value)) {
++			retval = -EPERM;
++			goto error;
++		}
++#endif
+ 		new->egid = egid;
++	}
+ 	if (sgid != (gid_t) -1)
+ 		new->sgid = sgid;
+ 	new->fsgid = new->egid;
+@@ -890,12 +1391,32 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
+ 	struct cred *new;
+ 	uid_t old_fsuid;
+ 
++#ifdef CONFIG_RSBAC_DAC_OWNER
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	new = prepare_creds();
+ 	if (!new)
+ 		return current_fsuid();
+ 	old = current_cred();
+ 	old_fsuid = old->fsuid;
+ 
++#ifdef CONFIG_RSBAC_DAC_OWNER
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.process = task_pid(current);
++	rsbac_attribute_value.owner = RSBAC_GEN_UID(RSBAC_UM_VIRTUAL_KEEP, uid);
++	if (!rsbac_adf_request(R_CHANGE_DAC_FS_OWNER,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_owner,
++				rsbac_attribute_value)) {
++		abort_creds(new);
++		return old_fsuid;
++	}
++#endif
+ 	if (uid == old->uid  || uid == old->euid  ||
+ 	    uid == old->suid || uid == old->fsuid ||
+ 	    nsown_capable(CAP_SETUID)) {
+@@ -911,6 +1432,24 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
+ 
+ change_okay:
+ 	commit_creds(new);
++
++#ifdef CONFIG_RSBAC_DAC_OWNER
++	rsbac_target_id.process = task_pid(current);
++	rsbac_new_target_id.dummy = 0;
++	rsbac_attribute_value.owner = RSBAC_GEN_UID(RSBAC_UM_VIRTUAL_KEEP, uid);
++	if (rsbac_adf_set_attr(R_CHANGE_DAC_FS_OWNER,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				T_NONE,
++				rsbac_new_target_id,
++				A_owner,
++				rsbac_attribute_value)) {
++		rsbac_printk(KERN_WARNING
++				"sys_setfsuid(): rsbac_adf_set_attr() returned error\n");
++	}
++#endif
++
+ 	return old_fsuid;
+ }
+ 
+@@ -923,12 +1462,31 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
+ 	struct cred *new;
+ 	gid_t old_fsgid;
+ 
++#ifdef CONFIG_RSBAC_DAC_GROUP
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	new = prepare_creds();
+ 	if (!new)
+ 		return current_fsgid();
+ 	old = current_cred();
+ 	old_fsgid = old->fsgid;
+ 
++#ifdef CONFIG_RSBAC_DAC_GROUP
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.process = task_pid(current);
++	rsbac_attribute_value.group = RSBAC_GEN_GID(RSBAC_UM_VIRTUAL_KEEP, gid);
++	if (!rsbac_adf_request(R_CHANGE_DAC_FS_GROUP,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_group,
++				rsbac_attribute_value)) {
++		abort_creds(new);
++		return old_fsgid;
++	}
++#endif
+ 	if (gid == old->gid  || gid == old->egid  ||
+ 	    gid == old->sgid || gid == old->fsgid ||
+ 	    nsown_capable(CAP_SETGID)) {
+@@ -993,6 +1551,11 @@ SYSCALL_DEFINE2(setpgid, pid_t, pid, pid_t, pgid)
+ 	struct pid *pgrp;
+ 	int err;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!pid)
+ 		pid = task_pid_vnr(group_leader);
+ 	if (!pgid)
+@@ -1001,6 +1564,21 @@ SYSCALL_DEFINE2(setpgid, pid_t, pid, pid_t, pgid)
+ 		return -EINVAL;
+ 	rcu_read_lock();
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.process = find_pid_ns(pid, &init_pid_ns);
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++				task_pid(current),
++				T_PROCESS,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		rcu_read_unlock();
++		return -EPERM;
++	}
++#endif
++
+ 	/* From this point forward we keep holding onto the tasklist lock
+ 	 * so that our parent does not change from under us. -DaveM
+ 	 */
+@@ -1067,6 +1645,11 @@ SYSCALL_DEFINE1(getpgid, pid_t, pid)
+ 	if (!pid)
+ 		grp = task_pgrp(current);
+ 	else {
++#ifdef CONFIG_RSBAC
++		union rsbac_target_id_t rsbac_target_id;
++		union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 		retval = -ESRCH;
+ 		p = find_task_by_vpid(pid);
+ 		if (!p)
+@@ -1075,6 +1658,22 @@ SYSCALL_DEFINE1(getpgid, pid_t, pid)
+ 		if (!grp)
+ 			goto out;
+ 
++#ifdef CONFIG_RSBAC
++		rsbac_pr_debug(aef, "calling ADF\n");
++		rsbac_target_id.process = task_pid(p);
++		rsbac_attribute_value.dummy = 0;
++		if (!rsbac_adf_request(R_GET_STATUS_DATA,
++					task_pid(current),
++					T_PROCESS,
++					rsbac_target_id,
++					A_none,
++					rsbac_attribute_value))
++		{
++			retval = -EPERM;
++			goto out;
++		}
++#endif
++
+ 		retval = security_task_getpgid(p);
+ 		if (retval)
+ 			goto out;
+@@ -1104,6 +1703,11 @@ SYSCALL_DEFINE1(getsid, pid_t, pid)
+ 	if (!pid)
+ 		sid = task_session(current);
+ 	else {
++#ifdef CONFIG_RSBAC
++		union rsbac_target_id_t rsbac_target_id;
++		union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 		retval = -ESRCH;
+ 		p = find_task_by_vpid(pid);
+ 		if (!p)
+@@ -1112,6 +1716,21 @@ SYSCALL_DEFINE1(getsid, pid_t, pid)
+ 		if (!sid)
+ 			goto out;
+ 
++#ifdef CONFIG_RSBAC
++		rsbac_pr_debug(aef, "calling ADF\n");
++		rsbac_target_id.process = task_pid(p);
++		rsbac_attribute_value.dummy = 0;
++		if (!rsbac_adf_request(R_GET_STATUS_DATA,
++					task_pid(current),
++					T_PROCESS,
++					rsbac_target_id,
++					A_none,
++					rsbac_attribute_value)) {
++			retval = -EPERM;
++			goto out;
++		}
++#endif
++
+ 		retval = security_task_getsid(p);
+ 		if (retval)
+ 			goto out;
+@@ -1273,11 +1892,31 @@ SYSCALL_DEFINE2(sethostname, char __user *, name, int, len)
+ 	int errno;
+ 	char tmp[__NEW_UTS_LEN];
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!ns_capable(current->nsproxy->uts_ns->user_ns, CAP_SYS_ADMIN))
+ 		return -EPERM;
+ 
+ 	if (len < 0 || len > __NEW_UTS_LEN)
+ 		return -EINVAL;
++
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.scd = ST_host_id;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++				task_pid(current),
++				T_SCD,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	down_write(&uts_sem);
+ 	errno = -EFAULT;
+ 	if (!copy_from_user(tmp, name, len)) {
+@@ -1324,11 +1963,30 @@ SYSCALL_DEFINE2(setdomainname, char __user *, name, int, len)
+ 	int errno;
+ 	char tmp[__NEW_UTS_LEN];
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!ns_capable(current->nsproxy->uts_ns->user_ns, CAP_SYS_ADMIN))
+ 		return -EPERM;
+ 	if (len < 0 || len > __NEW_UTS_LEN)
+ 		return -EINVAL;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.scd = ST_net_id;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++				task_pid(current),
++				T_SCD,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	down_write(&uts_sem);
+ 	errno = -EFAULT;
+ 	if (!copy_from_user(tmp, name, len)) {
+@@ -1420,6 +2078,12 @@ int do_prlimit(struct task_struct *tsk, unsigned int resource,
+ 	struct rlimit *rlim;
+ 	int retval = 0;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (resource >= RLIM_NLIMITS)
+ 		return -EINVAL;
+ 	if (new_rlim) {
+@@ -1445,6 +2109,23 @@ int do_prlimit(struct task_struct *tsk, unsigned int resource,
+ 		if (new_rlim->rlim_max > rlim->rlim_max &&
+ 				!capable(CAP_SYS_RESOURCE))
+ 			retval = -EPERM;
++
++#ifdef CONFIG_RSBAC
++		if (!retval) {
++			rsbac_pr_debug(aef, "calling ADF\n");
++			rsbac_target_id.scd = ST_rlimit;
++			rsbac_attribute_value.rlimit.resource = resource;
++			rsbac_attribute_value.rlimit.limit = *new_rlim;
++			if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++						task_pid(current),
++						T_SCD,
++						rsbac_target_id,
++						A_rlimit,
++						rsbac_attribute_value))
++				retval = -EPERM;
++		}
++#endif
++
+ 		if (!retval)
+ 			retval = security_task_setrlimit(tsk->group_leader,
+ 					resource, new_rlim);
+@@ -1466,6 +2147,21 @@ int do_prlimit(struct task_struct *tsk, unsigned int resource,
+ 	}
+ 	task_unlock(tsk->group_leader);
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_new_target_id.dummy = 0;
++	if (rsbac_adf_set_attr(R_MODIFY_SYSTEM_DATA,
++				task_pid(current),
++				T_SCD,
++				rsbac_target_id,
++				T_NONE,
++				rsbac_new_target_id,
++				A_rlimit,
++				rsbac_attribute_value)) {
++		rsbac_printk(KERN_WARNING
++				"sys_setrlimit(): rsbac_adf_set_attr() returned error");
++	}
++#endif
++
+ 	/*
+ 	 * RLIMIT_CPU handling.   Note that the kernel fails to return an error
+ 	 * code if it rejected the user's attempt to set RLIMIT_CPU.  This is a
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index ea7ec7f..3b1738a 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -62,6 +62,8 @@
+ #include <asm/uaccess.h>
+ #include <asm/processor.h>
+ 
++#include <rsbac/hooks.h>
++
+ #ifdef CONFIG_X86
+ #include <asm/nmi.h>
+ #include <asm/stacktrace.h>
+@@ -1721,11 +1723,33 @@ int sysctl_perm(struct ctl_table_root *root, struct ctl_table *table, int op)
+ {
+ 	int mode;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (root->permissions)
+ 		mode = root->permissions(root, current->nsproxy, table);
+ 	else
+ 		mode = table->mode;
+ 
++#ifdef CONFIG_RSBAC
++	if (op & 002) { /* write access */
++		rsbac_target_id.scd = ST_sysctl;
++		rsbac_attribute_value.mode = mode;
++		rsbac_pr_debug(aef, "[sysctl() etc.]: calling ADF\n");
++		if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++					task_pid(current),
++					T_SCD,
++					rsbac_target_id,
++					A_mode,
++					rsbac_attribute_value))
++		{
++			return -EPERM;
++		}
++	}
++#endif
++
+ 	return test_perm(mode, op);
+ }
+ 
+diff --git a/kernel/time.c b/kernel/time.c
+index 73e416d..06ea8d4 100644
+--- a/kernel/time.c
++++ b/kernel/time.c
+@@ -41,6 +41,8 @@
+ #include <asm/uaccess.h>
+ #include <asm/unistd.h>
+ 
++#include <rsbac/hooks.h>
++
+ #include "timeconst.h"
+ 
+ /*
+@@ -83,9 +85,29 @@ SYSCALL_DEFINE1(stime, time_t __user *, tptr)
+ 	struct timespec tv;
+ 	int err;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (get_user(tv.tv_sec, tptr))
+ 		return -EFAULT;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.scd = ST_clock;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++				task_pid(current),
++				T_SCD,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		return -EPERM;
++	}
++#endif
++
+ 	tv.tv_nsec = 0;
+ 
+ 	err = security_settime(&tv, NULL);
+@@ -155,6 +177,11 @@ int do_sys_settimeofday(const struct timespec *tv, const struct timezone *tz)
+ 	static int firsttime = 1;
+ 	int error = 0;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (tv && !timespec_valid(tv))
+ 		return -EINVAL;
+ 
+@@ -162,6 +189,21 @@ int do_sys_settimeofday(const struct timespec *tv, const struct timezone *tz)
+ 	if (error)
+ 		return error;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[sys_settimeofday()]: calling ADF\n");
++	rsbac_target_id.scd = ST_clock;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++				task_pid(current),
++				T_SCD,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		return -EPERM;
++	}
++#endif
++
+ 	if (tz) {
+ 		/* SMP safe, global irq locking makes it work. */
+ 		sys_tz = *tz;
+diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c
+index 4b85a7a..8365119 100644
+--- a/kernel/time/ntp.c
++++ b/kernel/time/ntp.c
+@@ -18,6 +18,8 @@
+ 
+ #include "tick-internal.h"
+ 
++#include <rsbac/hooks.h>
++
+ /*
+  * NTP timekeeping variables:
+  */
+@@ -622,6 +624,11 @@ int do_adjtimex(struct timex *txc)
+ 	struct timespec ts;
+ 	int result;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	/* Validate the data before disabling interrupts */
+ 	if (txc->modes & ADJ_ADJTIME) {
+ 		/* singleshot must not be used with any other mode bits */
+@@ -635,6 +642,19 @@ int do_adjtimex(struct timex *txc)
+ 		 if (txc->modes && !capable(CAP_SYS_TIME))
+ 			return -EPERM;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.scd = ST_time_strucs;
++	rsbac_attribute_value.dummy = 0;
++	if (txc->modes && !rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++				task_pid(current),
++				T_SCD,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++		return -EPERM;
++#endif
++
+ 		/*
+ 		 * if the quartz is off by more than 10% then
+ 		 * something is VERY wrong!
+diff --git a/kernel/timer.c b/kernel/timer.c
+index 9c3c62b..3effcaa 100644
+--- a/kernel/timer.c
++++ b/kernel/timer.c
+@@ -47,6 +47,8 @@
+ #include <asm/timex.h>
+ #include <asm/io.h>
+ 
++#include <rsbac/hooks.h>
++
+ #define CREATE_TRACE_POINTS
+ #include <trace/events/timer.h>
+ 
+@@ -1376,14 +1378,22 @@ SYSCALL_DEFINE0(getppid)
+ 
+ SYSCALL_DEFINE0(getuid)
+ {
++#ifdef CONFIG_RSBAC_FAKE_ROOT_UID
++	return rsbac_fake_uid();
++#else
+ 	/* Only we change this so SMP safe */
+ 	return current_uid();
++#endif
+ }
+ 
+ SYSCALL_DEFINE0(geteuid)
+ {
++#ifdef CONFIG_RSBAC_FAKE_ROOT_UID
++	return rsbac_fake_euid();
++#else
+ 	/* Only we change this so SMP safe */
+ 	return current_euid();
++#endif
+ }
+ 
+ SYSCALL_DEFINE0(getgid)
+diff --git a/kernel/uid16.c b/kernel/uid16.c
+index 51c6e89..b47e71b 100644
+--- a/kernel/uid16.c
++++ b/kernel/uid16.c
+@@ -16,6 +16,8 @@
+ 
+ #include <asm/uaccess.h>
+ 
++#include <rsbac/hooks.h>
++
+ SYSCALL_DEFINE3(chown16, const char __user *, filename, old_uid_t, user, old_gid_t, group)
+ {
+ 	long ret = sys_chown(filename, low2highuid(user), low2highgid(group));
+@@ -189,6 +191,12 @@ SYSCALL_DEFINE2(setgroups16, int, gidsetsize, old_gid_t __user *, grouplist)
+ 	struct group_info *group_info;
+ 	int retval;
+ 
++#ifdef CONFIG_RSBAC
++        union rsbac_target_id_t rsbac_target_id;
++        union rsbac_attribute_value_t rsbac_attribute_value;
++        int i;
++#endif
++
+ 	if (!nsown_capable(CAP_SETGID))
+ 		return -EPERM;
+ 	if ((unsigned)gidsetsize > NGROUPS_MAX)
+@@ -203,6 +211,26 @@ SYSCALL_DEFINE2(setgroups16, int, gidsetsize, old_gid_t __user *, grouplist)
+ 		return retval;
+ 	}
+ 
++#ifdef CONFIG_RSBAC
++        if (gidsetsize > 0) {
++                rsbac_pr_debug(aef, "calling ADF\n");
++                rsbac_target_id.process = task_pid(current);
++                for (i=0; i < gidsetsize; i++) {
++                        rsbac_attribute_value.group = RSBAC_GEN_GID(RSBAC_UM_VIRTUAL_KEEP, group_info->blocks[i / NGROUPS_PER_BLOCK][i]);
++                        if(!rsbac_adf_request(R_CHANGE_GROUP,
++                                                task_pid(current),
++                                                T_PROCESS,
++                                                rsbac_target_id,
++                                                A_group,
++                                                rsbac_attribute_value))
++                        {
++                                put_group_info(group_info);
++                                return -EPERM;
++                        }
++		}
++	}
++#endif
++
+ 	retval = set_current_groups(group_info);
+ 	put_group_info(group_info);
+ 
+@@ -211,12 +239,20 @@ SYSCALL_DEFINE2(setgroups16, int, gidsetsize, old_gid_t __user *, grouplist)
+ 
+ SYSCALL_DEFINE0(getuid16)
+ {
++#ifdef CONFIG_RSBAC_FAKE_ROOT_UID
++	return high2lowuid(rsbac_fake_uid());
++#else
+ 	return high2lowuid(current_uid());
++#endif
+ }
+ 
+ SYSCALL_DEFINE0(geteuid16)
+ {
++#ifdef CONFIG_RSBAC_FAKE_ROOT_UID
++	return high2lowuid(rsbac_fake_euid());
++#else
+ 	return high2lowuid(current_euid());
++#endif
+ }
+ 
+ SYSCALL_DEFINE0(getgid16)
+diff --git a/mm/mlock.c b/mm/mlock.c
+index 4f4f53b..21cab81 100644
+--- a/mm/mlock.c
++++ b/mm/mlock.c
+@@ -13,6 +13,7 @@
+ #include <linux/pagemap.h>
+ #include <linux/mempolicy.h>
+ #include <linux/syscalls.h>
++#include <rsbac/hooks.h>
+ #include <linux/sched.h>
+ #include <linux/export.h>
+ #include <linux/rmap.h>
+@@ -484,9 +485,29 @@ SYSCALL_DEFINE2(mlock, unsigned long, start, size_t, len)
+ 	unsigned long lock_limit;
+ 	int error = -ENOMEM;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!can_do_mlock())
+ 		return -EPERM;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_target_id.scd = ST_mlock;
++	rsbac_attribute_value.dummy = 0;
++	rsbac_pr_debug(aef, "calling ADF\n");
++	if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++				task_pid(current),
++				T_SCD,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		return -EPERM;
++	}
++#endif
++
+ 	lru_add_drain_all();	/* flush pagevec */
+ 
+ 	down_write(&current->mm->mmap_sem);
+@@ -550,6 +571,11 @@ SYSCALL_DEFINE1(mlockall, int, flags)
+ 	unsigned long lock_limit;
+ 	int ret = -EINVAL;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!flags || (flags & ~(MCL_CURRENT | MCL_FUTURE)))
+ 		goto out;
+ 
+@@ -557,6 +583,21 @@ SYSCALL_DEFINE1(mlockall, int, flags)
+ 	if (!can_do_mlock())
+ 		goto out;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_target_id.scd = ST_mlock;
++	rsbac_attribute_value.dummy = 0;
++	rsbac_pr_debug(aef, "calling ADF\n");
++	if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++				task_pid(current),
++				T_SCD,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		ret = -EPERM;
++		goto out;
++	}
++#endif
++
+ 	if (flags & MCL_CURRENT)
+ 		lru_add_drain_all();	/* flush pagevec */
+ 
+diff --git a/mm/mmap.c b/mm/mmap.c
+index eae90af..f0f43a5 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -34,6 +34,7 @@
+ #include <asm/uaccess.h>
+ #include <asm/cacheflush.h>
+ #include <asm/tlb.h>
++#include <rsbac/hooks.h>
+ #include <asm/mmu_context.h>
+ 
+ #include "internal.h"
+@@ -949,6 +950,12 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+ 	int error;
+ 	unsigned long reqprot = prot;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target = T_NONE;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	/*
+ 	 * Does the application expect PROT_READ to imply PROT_EXEC?
+ 	 *
+@@ -1073,6 +1080,33 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
+ 	if (error)
+ 		return error;
+ 
++#ifdef CONFIG_RSBAC
++	if (prot & PROT_EXEC) {
++		rsbac_pr_debug(aef, "[do_mmap() [sys_mmap()]]: calling ADF\n");
++		if (file) {
++			rsbac_target = T_FILE;
++			rsbac_target_id.file.device = file->f_dentry->d_inode->i_sb->s_dev;
++			rsbac_target_id.file.inode  = file->f_dentry->d_inode->i_ino;
++			rsbac_target_id.file.dentry_p = file->f_dentry;
++		} else {
++			rsbac_target = T_NONE;
++			rsbac_target_id.dummy = 0;
++		}
++		rsbac_attribute_value.prot_bits = prot;
++		if (!rsbac_adf_request(R_MAP_EXEC,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					A_prot_bits,
++					rsbac_attribute_value))
++		{
++			rsbac_pr_debug(aef, "[do_mmap() [sys_mmap()]]: request not granted, my PID: %i\n",
++					current->pid);
++			return -EPERM;
++		}
++	}
++#endif
++
+ 	return mmap_region(file, addr, len, flags, vm_flags, pgoff);
+ }
+ EXPORT_SYMBOL(do_mmap_pgoff);
+diff --git a/mm/mprotect.c b/mm/mprotect.c
+index 5a688a2..30b739d 100644
+--- a/mm/mprotect.c
++++ b/mm/mprotect.c
+@@ -27,6 +27,7 @@
+ #include <asm/pgtable.h>
+ #include <asm/cacheflush.h>
+ #include <asm/tlbflush.h>
++#include <rsbac/hooks.h>
+ 
+ #ifndef pgprot_modify
+ static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
+@@ -236,6 +237,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
+ 	struct vm_area_struct *vma, *prev;
+ 	int error = -EINVAL;
+ 	const int grows = prot & (PROT_GROWSDOWN|PROT_GROWSUP);
++
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target = T_NONE;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++	int need_notify = FALSE;
++#endif
++
+ 	prot &= ~(PROT_GROWSDOWN|PROT_GROWSUP);
+ 	if (grows == (PROT_GROWSDOWN|PROT_GROWSUP)) /* can't be both */
+ 		return -EINVAL;
+@@ -304,6 +313,34 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
+ 		if (error)
+ 			goto out;
+ 
++#ifdef CONFIG_RSBAC
++		if ((prot & PROT_EXEC) && !(vma->vm_flags & PROT_EXEC)) {
++			rsbac_pr_debug(aef, "calling ADF\n");
++			if (vma->vm_file) {
++		                rsbac_target = T_FILE;
++				rsbac_target_id.file.device = vma->vm_file->f_dentry->d_inode->i_sb->s_dev;
++				rsbac_target_id.file.inode = vma->vm_file->f_dentry->d_inode->i_ino;
++				rsbac_target_id.file.dentry_p = vma->vm_file->f_dentry;
++			} else {
++				rsbac_target = T_NONE;
++				rsbac_target_id.dummy = 0;
++			}
++			rsbac_attribute_value.prot_bits = prot;
++			if (!rsbac_adf_request(R_MAP_EXEC,
++						  task_pid(current),
++						  rsbac_target,
++						  rsbac_target_id,
++						  A_prot_bits,
++						  rsbac_attribute_value))
++			{
++				rsbac_pr_debug(aef, "request NOT_GRANTED\n");
++				error = -EPERM;
++				goto out;
++			} else
++			  need_notify = TRUE;
++		}
++#endif
++
+ 		tmp = vma->vm_end;
+ 		if (tmp > end)
+ 			tmp = end;
+@@ -325,5 +362,28 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
+ 	}
+ out:
+ 	up_write(&current->mm->mmap_sem);
++
++        /* RSBAC: notify ADF of mapped segment */
++#ifdef CONFIG_RSBAC
++	if (need_notify && !error) {
++		union rsbac_target_id_t rsbac_new_target_id;
++
++		rsbac_pr_debug(aef, "calling ADF_set_attr\n");
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(R_MAP_EXEC,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					A_none,
++					rsbac_attribute_value))
++		{
++			rsbac_printk(KERN_WARNING
++					"sys_mprotect: rsbac_adf_set_attr() returned error\n");
++		}
++	}
++#endif
++
+ 	return error;
+ }
+diff --git a/mm/swapfile.c b/mm/swapfile.c
+index d3955f2..da586f1 100644
+--- a/mm/swapfile.c
++++ b/mm/swapfile.c
+@@ -35,6 +35,7 @@
+ #include <asm/pgtable.h>
+ #include <asm/tlbflush.h>
+ #include <linux/swapops.h>
++#include <rsbac/hooks.h>
+ #include <linux/page_cgroup.h>
+ 
+ static bool swap_count_continued(struct swap_info_struct *, pgoff_t,
+@@ -1557,9 +1558,29 @@ SYSCALL_DEFINE1(swapoff, const char __user *, specialfile)
+ 	int i, type, prev;
+ 	int err;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!capable(CAP_SYS_ADMIN))
+ 		return -EPERM;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.scd = ST_swap;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++				task_pid(current),
++				T_SCD,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	pathname = getname(specialfile);
+ 	err = PTR_ERR(pathname);
+ 	if (IS_ERR(pathname))
+@@ -1571,6 +1592,35 @@ SYSCALL_DEFINE1(swapoff, const char __user *, specialfile)
+ 	if (IS_ERR(victim))
+ 		goto out;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF for DEV / FILE\n");
++	if (S_ISBLK(victim->f_dentry->d_inode->i_mode)) {
++		rsbac_target = T_DEV;
++		rsbac_target_id.dev.type = D_block;
++		rsbac_target_id.dev.major = RSBAC_MAJOR(victim->f_dentry->d_inode->i_rdev);
++		rsbac_target_id.dev.minor = RSBAC_MINOR(victim->f_dentry->d_inode->i_rdev);
++	} else
++		if (S_ISREG(victim->f_dentry->d_inode->i_mode)) {
++			rsbac_target = T_FILE;
++			rsbac_target_id.file.device = victim->f_dentry->d_sb->s_dev;
++			rsbac_target_id.file.inode  = victim->f_dentry->d_inode->i_ino;
++			rsbac_target_id.file.dentry_p = victim->f_dentry;
++		} else {
++			rsbac_target = T_NONE;
++			rsbac_target_id.dummy = 0;
++		}
++	rsbac_attribute_value.dummy = 0;
++	if ((rsbac_target != T_NONE) && !rsbac_adf_request(R_REMOVE_FROM_KERNEL,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		err = -EPERM;
++		goto out_dput;
++	}
++#endif
++
+ 	mapping = victim->f_mapping;
+ 	prev = -1;
+ 	spin_lock(&swap_lock);
+@@ -2019,9 +2069,28 @@ SYSCALL_DEFINE2(swapon, const char __user *, specialfile, int, swap_flags)
+ 	struct page *page = NULL;
+ 	struct inode *inode = NULL;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t          rsbac_target;
++	union rsbac_target_id_t       rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!capable(CAP_SYS_ADMIN))
+ 		return -EPERM;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.scd = ST_swap;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++				task_pid(current),
++				T_SCD,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++		return -EPERM;
++#endif
++
+ 	p = alloc_swap_info();
+ 	if (IS_ERR(p))
+ 		return PTR_ERR(p);
+@@ -2054,6 +2123,38 @@ SYSCALL_DEFINE2(swapon, const char __user *, specialfile, int, swap_flags)
+ 	}
+ 
+ 	inode = mapping->host;
++
++/* RSBAC */
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "calling ADF for DEV / FILE\n");
++	if(S_ISBLK(inode->i_mode)) {
++		rsbac_target = T_DEV;
++		rsbac_target_id.dev.type = D_block;
++		rsbac_target_id.dev.major = RSBAC_MAJOR(inode->i_rdev);
++		rsbac_target_id.dev.minor = RSBAC_MINOR(inode->i_rdev);
++	} else if(S_ISREG(inode->i_mode)) {
++		rsbac_target = T_FILE;
++		rsbac_target_id.file.device = swap_file->f_dentry->d_sb->s_dev;
++		rsbac_target_id.file.inode  = inode->i_ino;
++		rsbac_target_id.file.dentry_p = swap_file->f_dentry;
++	} else {
++		rsbac_target = T_NONE;
++		rsbac_target_id.dummy = 0;
++	}
++	rsbac_attribute_value.dummy = 0;
++	if(   (rsbac_target != T_NONE)
++	   && !rsbac_adf_request(R_ADD_TO_KERNEL,
++	   			task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)
++	) {
++		error = -EPERM;
++		goto bad_swap;
++	}
++#endif
++
+ 	/* If S_ISREG(inode->i_mode) will do mutex_lock(&inode->i_mutex); */
+ 	error = claim_swapfile(p, inode);
+ 	if (unlikely(error))
+diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
+index f603e5b..12776d0 100644
+--- a/net/bridge/br_if.c
++++ b/net/bridge/br_if.c
+@@ -24,6 +24,8 @@
+ #include <linux/slab.h>
+ #include <net/sock.h>
+ 
++#include <rsbac/hooks.h>
++
+ #include "br_private.h"
+ 
+ /*
+@@ -322,6 +324,11 @@ int br_add_if(struct net_bridge *br, struct net_device *dev)
+ 	int err = 0;
+ 	bool changed_addr;
+ 
++#ifdef CONFIG_RSBAC_NET
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	/* Don't allow bridging non-ethernet like devices */
+ 	if ((dev->flags & IFF_LOOPBACK) ||
+ 	    dev->type != ARPHRD_ETHER || dev->addr_len != ETH_ALEN ||
+@@ -336,6 +343,34 @@ int br_add_if(struct net_bridge *br, struct net_device *dev)
+ 	if (br_port_exists(dev))
+ 		return -EBUSY;
+ 
++#ifdef CONFIG_RSBAC_NET_DEV
++	rsbac_pr_debug(aef, "calling ADF\n");
++	strncpy(rsbac_target_id.netdev, dev->name, RSBAC_IFNAMSIZ);
++	rsbac_target_id.netdev[RSBAC_IFNAMSIZ] = 0;
++#ifndef CONFIG_RSBAC_NET_DEV_VIRT
++	{
++		char * p = rsbac_target_id.netdev;
++		while (*p) {
++			if (*p == ':') {
++				*p=' ';
++				break;
++			}
++			p++;
++		}
++	}
++#endif
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++			task_pid(current),
++			T_NETDEV,
++			rsbac_target_id,
++			A_none,
++			rsbac_attribute_value))
++	{
++		return -EPERM;
++	}
++#endif
++
+ 	/* No bridging devices that dislike that (e.g. wireless) */
+ 	if (dev->priv_flags & IFF_DONT_BRIDGE)
+ 		return -EOPNOTSUPP;
+@@ -421,10 +456,45 @@ int br_del_if(struct net_bridge *br, struct net_device *dev)
+ 	struct net_bridge_port *p;
+ 	bool changed_addr;
+ 
++#ifdef CONFIG_RSBAC_NET
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	p = br_port_get_rtnl(dev);
+ 	if (!p || p->br != br)
+ 		return -EINVAL;
+ 
++#ifdef CONFIG_RSBAC_NET_DEV
++	rsbac_pr_debug(aef, "calling ADF\n");
++	strncpy(rsbac_target_id.netdev, dev->name, RSBAC_IFNAMSIZ);
++	rsbac_target_id.netdev[RSBAC_IFNAMSIZ] = 0;
++#ifndef CONFIG_RSBAC_NET_DEV_VIRT
++	{
++		char * p = rsbac_target_id.netdev;
++		while (*p)
++		{
++			if (*p == ':')
++			{
++				*p=' ';
++				break;
++			}
++			p++;
++		}
++	}
++#endif
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++				task_pid(current),
++				T_NETDEV,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		return -EPERM;
++	}
++#endif
++
+ 	del_nbp(p);
+ 
+ 	spin_lock_bh(&br->lock);
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 61a7baa..496d45a 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -138,6 +138,8 @@
+ #include <linux/ppp_defs.h>
+ #include <linux/net_tstamp.h>
+ 
++#include <rsbac/hooks.h>
++
+ #include "net-sysfs.h"
+ 
+ /* Instead of increasing this, you should create a hash table. */
+@@ -5091,6 +5093,11 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg)
+ 	int ret;
+ 	char *colon;
+ 
++#ifdef CONFIG_RSBAC_NET_DEV
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	/* One special case: SIOCGIFCONF takes ifconf argument
+ 	   and requires shared lock, because it sleeps writing
+ 	   to user space.
+@@ -5110,10 +5117,20 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg)
+ 
+ 	ifr.ifr_name[IFNAMSIZ-1] = 0;
+ 
++#ifdef CONFIG_RSBAC_NET_DEV_VIRT
++	strncpy(rsbac_target_id.netdev, ifr.ifr_name, RSBAC_IFNAMSIZ);
++	rsbac_target_id.netdev[RSBAC_IFNAMSIZ] = 0;
++#endif
++
+ 	colon = strchr(ifr.ifr_name, ':');
+ 	if (colon)
+ 		*colon = 0;
+ 
++#if defined(CONFIG_RSBAC_NET_DEV) && !defined(CONFIG_RSBAC_NET_DEV_VIRT)
++	strncpy(rsbac_target_id.netdev, ifr.ifr_name, RSBAC_IFNAMSIZ);
++	rsbac_target_id.netdev[RSBAC_IFNAMSIZ] = 0;
++#endif
++
+ 	/*
+ 	 *	See which interface the caller is talking about.
+ 	 */
+@@ -5133,6 +5150,21 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg)
+ 	case SIOCGIFMAP:
+ 	case SIOCGIFINDEX:
+ 	case SIOCGIFTXQLEN:
++
++#ifdef CONFIG_RSBAC_NET_DEV
++			rsbac_pr_debug(aef, "calling ADF\n");
++			rsbac_attribute_value.dummy = 0;
++			if (!rsbac_adf_request(R_GET_STATUS_DATA,
++						task_pid(current),
++						T_NETDEV,
++						rsbac_target_id,
++						A_none,
++						rsbac_attribute_value))
++			{
++				return -EPERM;
++			}
++#endif
++
+ 		dev_load(net, ifr.ifr_name);
+ 		rcu_read_lock();
+ 		ret = dev_ifsioc_locked(net, &ifr, cmd);
+@@ -5210,6 +5242,21 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg)
+ 	case SIOCSHWTSTAMP:
+ 		if (!capable(CAP_NET_ADMIN))
+ 			return -EPERM;
++
++#ifdef CONFIG_RSBAC_NET_DEV
++		rsbac_pr_debug(aef, "calling ADF\n");
++		rsbac_attribute_value.dummy = 0;
++		if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++					task_pid(current),
++					T_NETDEV,
++					rsbac_target_id,
++					A_none,
++					rsbac_attribute_value))
++		{
++			return -EPERM;
++		}
++#endif
++
+ 		/* fall through */
+ 	case SIOCBONDSLAVEINFOQUERY:
+ 	case SIOCBONDINFOQUERY:
+@@ -5235,6 +5282,21 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg)
+ 		if (cmd == SIOCWANDEV ||
+ 		    (cmd >= SIOCDEVPRIVATE &&
+ 		     cmd <= SIOCDEVPRIVATE + 15)) {
++
++#ifdef CONFIG_RSBAC_NET_DEV
++			rsbac_pr_debug(aef, "calling ADF\n");
++			rsbac_attribute_value.dummy = 0;
++			if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++						task_pid(current),
++						T_NETDEV,
++						rsbac_target_id,
++						A_none,
++						rsbac_attribute_value))
++			{
++				return -EPERM;
++			}
++#endif
++
+ 			dev_load(net, ifr.ifr_name);
+ 			rtnl_lock();
+ 			ret = dev_ifsioc(net, &ifr, cmd);
+diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
+index c02e63c..8cde146 100644
+--- a/net/core/fib_rules.c
++++ b/net/core/fib_rules.c
+@@ -16,6 +16,7 @@
+ #include <net/net_namespace.h>
+ #include <net/sock.h>
+ #include <net/fib_rules.h>
++#include <rsbac/hooks.h>
+ 
+ int fib_default_rule_add(struct fib_rules_ops *ops,
+ 			 u32 pref, u32 table, u32 flags)
+@@ -272,6 +273,10 @@ static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
+ 	struct fib_rule *rule, *r, *last = NULL;
+ 	struct nlattr *tb[FRA_MAX+1];
+ 	int err = -EINVAL, unresolved = 0;
++#ifdef CONFIG_RSBAC_NET
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
+ 
+ 	if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh)))
+ 		goto errout;
+@@ -290,6 +295,22 @@ static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
+ 	if (err < 0)
+ 		goto errout;
+ 
++#ifdef CONFIG_RSBAC_NET
++	rsbac_pr_debug(aef, "fib_nl_newrule(): calling ADF\n");
++	rsbac_target_id.scd = ST_network;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++				task_pid(current),
++				T_SCD,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		err = -EPERM;
++		goto errout;
++	}
++#endif
++
+ 	rule = kzalloc(ops->rule_size, GFP_KERNEL);
+ 	if (rule == NULL) {
+ 		err = -ENOMEM;
+@@ -421,6 +442,10 @@ static int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
+ 	struct fib_rule *rule, *tmp;
+ 	struct nlattr *tb[FRA_MAX+1];
+ 	int err = -EINVAL;
++#ifdef CONFIG_RSBAC_NET
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
+ 
+ 	if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh)))
+ 		goto errout;
+@@ -439,6 +464,22 @@ static int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
+ 	if (err < 0)
+ 		goto errout;
+ 
++#ifdef CONFIG_RSBAC_NET
++	rsbac_pr_debug(aef, "fib_nl_delrule(): calling ADF\n");
++	rsbac_target_id.scd = ST_network;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++				task_pid(current),
++				T_SCD,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		err = -EPERM;
++		goto errout;
++	}
++#endif
++
+ 	list_for_each_entry(rule, &ops->rules_list, list) {
+ 		if (frh->action && (frh->action != rule->action))
+ 			continue;
+@@ -534,6 +575,25 @@ static int fib_nl_fill_rule(struct sk_buff *skb, struct fib_rule *rule,
+ {
+ 	struct nlmsghdr *nlh;
+ 	struct fib_rule_hdr *frh;
++#ifdef CONFIG_RSBAC_NET
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC_NET
++	rsbac_pr_debug(aef, "fib_nl_fill_rule(): calling ADF\n");
++	rsbac_target_id.scd = ST_network;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				T_SCD,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		return -EPERM;
++	}
++#endif
+ 
+ 	nlh = nlmsg_put(skb, pid, seq, type, sizeof(*frh), flags);
+ 	if (nlh == NULL)
+diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
+index 59a7041..e5d1ba7 100644
+--- a/net/ipv4/arp.c
++++ b/net/ipv4/arp.c
+@@ -123,6 +123,8 @@ EXPORT_SYMBOL(clip_tbl_hook);
+ 
+ #include <linux/netfilter_arp.h>
+ 
++#include <rsbac/hooks.h>
++
+ /*
+  *	Interface to generic neighbour cache.
+  */
+@@ -1173,15 +1175,32 @@ int arp_ioctl(struct net *net, unsigned int cmd, void __user *arg)
+ 	struct arpreq r;
+ 	struct net_device *dev = NULL;
+ 
++#ifdef CONFIG_RSBAC_NET_DEV
++	enum  rsbac_adf_request_t rsbac_request = R_NONE;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	switch (cmd) {
+ 	case SIOCDARP:
+ 	case SIOCSARP:
+ 		if (!capable(CAP_NET_ADMIN))
+ 			return -EPERM;
++
++#ifdef CONFIG_RSBAC_NET_DEV
++			rsbac_request = R_MODIFY_SYSTEM_DATA;
++#endif
++
+ 	case SIOCGARP:
+ 		err = copy_from_user(&r, arg, sizeof(struct arpreq));
+ 		if (err)
+ 			return -EFAULT;
++
++#ifdef CONFIG_RSBAC_NET_DEV
++			if (rsbac_request == R_NONE)
++				rsbac_request = R_GET_STATUS_DATA;
++#endif
++
+ 		break;
+ 	default:
+ 		return -EINVAL;
+@@ -1209,6 +1228,24 @@ int arp_ioctl(struct net *net, unsigned int cmd, void __user *arg)
+ 		err = -EINVAL;
+ 		if ((r.arp_flags & ATF_COM) && r.arp_ha.sa_family != dev->type)
+ 			goto out;
++
++#ifdef CONFIG_RSBAC_NET_DEV
++		rsbac_pr_debug(aef, "calling ADF\n");
++		strncpy(rsbac_target_id.netdev, r.arp_dev, RSBAC_IFNAMSIZ);
++		rsbac_target_id.netdev[RSBAC_IFNAMSIZ] = 0;
++		rsbac_attribute_value.dummy = 0;
++		if (!rsbac_adf_request(rsbac_request,
++					task_pid(current),
++					T_NETDEV,
++					rsbac_target_id,
++					A_none,
++					rsbac_attribute_value))
++		{
++			err = -EPERM;
++			goto out;
++		}
++#endif
++
+ 	} else if (cmd == SIOCGARP) {
+ 		err = -ENODEV;
+ 		goto out;
+diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
+index e41c40f..27377dc 100644
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -66,6 +66,8 @@
+ 
+ #include "fib_lookup.h"
+ 
++#include <rsbac/hooks.h>
++
+ static struct ipv4_devconf ipv4_devconf = {
+ 	.data = {
+ 		[IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 1,
+@@ -541,6 +543,11 @@ static int inet_rtm_deladdr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg
+ 	struct in_ifaddr *ifa, **ifap;
+ 	int err = -EINVAL;
+ 
++#ifdef CONFIG_RSBAC_NET_DEV
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	ASSERT_RTNL();
+ 
+ 	err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, ifa_ipv4_policy);
+@@ -554,6 +561,37 @@ static int inet_rtm_deladdr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg
+ 		goto errout;
+ 	}
+ 
++#ifdef CONFIG_RSBAC_NET_DEV
++	rsbac_pr_debug(aef, "calling ADF\n");
++	strncpy(rsbac_target_id.netdev, in_dev->dev->name, RSBAC_IFNAMSIZ);
++	rsbac_target_id.netdev[RSBAC_IFNAMSIZ] = 0;
++#ifndef CONFIG_RSBAC_NET_DEV_VIRT
++	{
++		char * p = rsbac_target_id.netdev;
++
++		while (*p)
++		{
++			if (*p == ':')
++			{
++				*p=' ';
++				break;
++			}
++			p++;
++		}
++	}
++#endif
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_BIND,
++				task_pid(current),
++				T_NETDEV,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		err = -EPERM;
++		goto errout;
++	}
++#endif
++
+ 	for (ifap = &in_dev->ifa_list; (ifa = *ifap) != NULL;
+ 	     ifap = &ifa->ifa_next) {
+ 		if (tb[IFA_LOCAL] &&
+@@ -586,6 +624,11 @@ static struct in_ifaddr *rtm_to_ifaddr(struct net *net, struct nlmsghdr *nlh)
+ 	struct in_device *in_dev;
+ 	int err;
+ 
++#ifdef CONFIG_RSBAC_NET_DEV
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, ifa_ipv4_policy);
+ 	if (err < 0)
+ 		goto errout;
+@@ -605,6 +648,37 @@ static struct in_ifaddr *rtm_to_ifaddr(struct net *net, struct nlmsghdr *nlh)
+ 	if (in_dev == NULL)
+ 		goto errout;
+ 
++#ifdef CONFIG_RSBAC_NET_DEV
++	rsbac_pr_debug(aef, "calling ADF\n");
++	strncpy(rsbac_target_id.netdev, in_dev->dev->name, RSBAC_IFNAMSIZ);
++	rsbac_target_id.netdev[RSBAC_IFNAMSIZ] = 0;
++#ifndef CONFIG_RSBAC_NET_DEV_VIRT
++	{
++		char * p = rsbac_target_id.netdev;
++		while (*p)
++		{
++			if (*p == ':')
++			{
++				*p=' ';
++				break;
++			}
++			p++;
++		}
++	}
++#endif
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_BIND,
++				task_pid(current),
++				T_NETDEV,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		err = -EPERM;
++		goto errout;
++	}
++#endif
++
+ 	ifa = inet_alloc_ifa();
+ 	if (ifa == NULL)
+ 		/*
+@@ -695,6 +769,12 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void __user *arg)
+ 	int ret = -EFAULT;
+ 	int tryaddrmatch = 0;
+ 
++#ifdef CONFIG_RSBAC_NET_DEV
++	enum  rsbac_adf_request_t rsbac_request = R_NONE;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	/*
+ 	 *	Fetch the caller's info block into kernel space
+ 	 */
+@@ -703,6 +783,11 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void __user *arg)
+ 		goto out;
+ 	ifr.ifr_name[IFNAMSIZ - 1] = 0;
+ 
++#ifdef CONFIG_RSBAC_NET_DEV_VIRT
++	strncpy(rsbac_target_id.netdev, ifr.ifr_name, RSBAC_IFNAMSIZ);
++	rsbac_target_id.netdev[RSBAC_IFNAMSIZ] = 0;
++#endif
++
+ 	/* save original address for comparison */
+ 	memcpy(&sin_orig, sin, sizeof(*sin));
+ 
+@@ -710,6 +795,11 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void __user *arg)
+ 	if (colon)
+ 		*colon = 0;
+ 
++#if defined(CONFIG_RSBAC_NET_DEV) && !defined(CONFIG_RSBAC_NET_DEV_VIRT)
++	strncpy(rsbac_target_id.netdev, ifr.ifr_name, RSBAC_IFNAMSIZ);
++	rsbac_target_id.netdev[RSBAC_IFNAMSIZ] = 0;
++#endif
++
+ 	dev_load(net, ifr.ifr_name);
+ 
+ 	switch (cmd) {
+@@ -724,12 +814,19 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void __user *arg)
+ 		tryaddrmatch = (sin_orig.sin_family == AF_INET);
+ 		memset(sin, 0, sizeof(*sin));
+ 		sin->sin_family = AF_INET;
++
++#ifdef CONFIG_RSBAC_NET_DEV
++		rsbac_request = R_GET_STATUS_DATA;
++#endif
+ 		break;
+ 
+ 	case SIOCSIFFLAGS:
+ 		ret = -EACCES;
+ 		if (!capable(CAP_NET_ADMIN))
+ 			goto out;
++#ifdef CONFIG_RSBAC_NET_DEV
++		rsbac_request = R_MODIFY_SYSTEM_DATA;
++#endif
+ 		break;
+ 	case SIOCSIFADDR:	/* Set interface address (and family) */
+ 	case SIOCSIFBRDADDR:	/* Set the broadcast address */
+@@ -741,6 +838,9 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void __user *arg)
+ 		ret = -EINVAL;
+ 		if (sin->sin_family != AF_INET)
+ 			goto out;
++#ifdef CONFIG_RSBAC_NET_DEV
++		rsbac_request = R_BIND;
++#endif
+ 		break;
+ 	default:
+ 		ret = -EINVAL;
+@@ -754,6 +854,21 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void __user *arg)
+ 	if (!dev)
+ 		goto done;
+ 
++#ifdef CONFIG_RSBAC_NET_DEV
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(rsbac_request,
++				task_pid(current),
++				T_NETDEV,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		ret = -EPERM;
++		goto done;
++	}
++#endif
++
+ 	if (colon)
+ 		*colon = ':';
+ 
+diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
+index 92fc5f6..d55205c 100644
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
+@@ -46,6 +46,8 @@
+ #include <net/rtnetlink.h>
+ #include <net/xfrm.h>
+ 
++#include <rsbac/hooks.h>
++
+ #ifndef CONFIG_IP_MULTIPLE_TABLES
+ 
+ static int __net_init fib4_rules_init(struct net *net)
+@@ -434,6 +436,11 @@ int ip_rt_ioctl(struct net *net, unsigned int cmd, void __user *arg)
+ 	struct rtentry rt;
+ 	int err;
+ 
++#ifdef CONFIG_RSBAC_NET
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	switch (cmd) {
+ 	case SIOCADDRT:		/* Add a route */
+ 	case SIOCDELRT:		/* Delete a route */
+@@ -443,6 +450,20 @@ int ip_rt_ioctl(struct net *net, unsigned int cmd, void __user *arg)
+ 		if (copy_from_user(&rt, arg, sizeof(rt)))
+ 			return -EFAULT;
+ 
++#ifdef CONFIG_RSBAC_NET
++		rsbac_pr_debug(aef, "calling ADF\n");
++		rsbac_target_id.scd = ST_network;
++		rsbac_attribute_value.dummy = 0;
++		if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++					task_pid(current),
++					T_SCD,
++					rsbac_target_id,
++					A_none,
++					rsbac_attribute_value)) {
++			return -EPERM;
++		}
++#endif
++
+ 		rtnl_lock();
+ 		err = rtentry_to_fib_config(net, cmd, &rt, &cfg);
+ 		if (err == 0) {
+@@ -562,10 +583,30 @@ static int inet_rtm_delroute(struct sk_buff *skb, struct nlmsghdr *nlh, void *ar
+ 	struct fib_table *tb;
+ 	int err;
+ 
++#ifdef CONFIG_RSBAC_NET
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	err = rtm_to_fib_config(net, skb, nlh, &cfg);
+ 	if (err < 0)
+ 		goto errout;
+ 
++#ifdef CONFIG_RSBAC_NET
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.scd = ST_network;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++				task_pid(current),
++				T_SCD,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		err = -EPERM;
++		goto errout;
++	}
++#endif
++
+ 	tb = fib_get_table(net, cfg.fc_table);
+ 	if (tb == NULL) {
+ 		err = -ESRCH;
+@@ -584,10 +625,30 @@ static int inet_rtm_newroute(struct sk_buff *skb, struct nlmsghdr *nlh, void *ar
+ 	struct fib_table *tb;
+ 	int err;
+ 
++#ifdef CONFIG_RSBAC_NET
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	err = rtm_to_fib_config(net, skb, nlh, &cfg);
+ 	if (err < 0)
+ 		goto errout;
+ 
++#ifdef CONFIG_RSBAC_NET
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.scd = ST_network;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++				task_pid(current),
++				T_SCD,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		err = -EPERM;
++		goto errout;
++	}
++#endif
++
+ 	tb = fib_new_table(net, cfg.fc_table);
+ 	if (tb == NULL) {
+ 		err = -ENOBUFS;
+diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
+index ccee270..6b858d7 100644
+--- a/net/ipv4/inet_diag.c
++++ b/net/ipv4/inet_diag.c
+@@ -34,6 +34,8 @@
+ 
+ #include <linux/inet_diag.h>
+ 
++#include <rsbac/hooks.h>
++
+ static const struct inet_diag_handler **inet_diag_table;
+ 
+ struct inet_diag_entry {
+@@ -859,6 +861,11 @@ unlock:
+ 
+ static int inet_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
+ {
++#ifdef CONFIG_RSBAC_NET
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	int hdrlen = sizeof(struct inet_diag_req);
+ 
+ 	if (nlh->nlmsg_type >= INET_DIAG_GETSOCK_MAX ||
+@@ -869,6 +876,19 @@ static int inet_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
+ 		if (nlmsg_attrlen(nlh, hdrlen)) {
+ 			struct nlattr *attr;
+ 
++#ifdef CONFIG_RSBAC_NET
++			rsbac_pr_debug(aef, "calling ADF\n");
++			rsbac_target_id.scd = ST_network;
++			rsbac_attribute_value.dummy = 0;
++			if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++					task_pid(current),
++					T_SCD,
++					rsbac_target_id,
++					A_none,
++					rsbac_attribute_value))
++				return -EPERM;
++#endif
++
+ 			attr = nlmsg_find_attr(nlh, hdrlen,
+ 					       INET_DIAG_REQ_BYTECODE);
+ 			if (attr == NULL ||
+diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
+index d2aae27..3a4a277 100644
+--- a/net/ipv4/ipmr.c
++++ b/net/ipv4/ipmr.c
+@@ -67,6 +67,8 @@
+ #include <net/netlink.h>
+ #include <net/fib_rules.h>
+ 
++#include <rsbac/hooks.h>
++
+ #if defined(CONFIG_IP_PIMSM_V1) || defined(CONFIG_IP_PIMSM_V2)
+ #define CONFIG_IP_PIMSM	1
+ #endif
+@@ -1204,9 +1206,28 @@ int ip_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, unsi
+ 		return -ENOENT;
+ 
+ 	if (optname != MRT_INIT) {
++#ifdef CONFIG_RSBAC_NET_DEV
++		union rsbac_target_id_t rsbac_target_id;
++		union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 		if (sk != rcu_access_pointer(mrt->mroute_sk) &&
+ 		    !capable(CAP_NET_ADMIN))
+ 			return -EACCES;
++
++#ifdef CONFIG_RSBAC_NET_DEV
++		rsbac_pr_debug(aef, "calling ADF\n");
++		rsbac_target_id.scd = ST_network;
++		rsbac_attribute_value.dummy = 0;
++		if (!rsbac_adf_request(R_GET_STATUS_DATA,
++					task_pid(current),
++					T_SCD,
++					rsbac_target_id,
++					A_none,
++					rsbac_attribute_value)) {
++			return -EPERM;
++		}
++#endif
+ 	}
+ 
+ 	switch (optname) {
+diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
+index 24e556e..27c35d3 100644
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -30,6 +30,8 @@
+ #include <net/netfilter/nf_log.h>
+ #include "../../netfilter/xt_repldata.h"
+ 
++#include <rsbac/hooks.h>
++
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Netfilter Core Team <coreteam@...>");
+ MODULE_DESCRIPTION("IPv4 packet filter");
+@@ -1137,6 +1139,24 @@ get_entries(struct net *net, struct ipt_get_entries __user *uptr,
+ 	struct ipt_get_entries get;
+ 	struct xt_table *t;
+ 
++#ifdef CONFIG_RSBAC_NET
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.scd = ST_firewall;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				T_SCD,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		return -EPERM;
++	}
++#endif
++
+ 	if (*len < sizeof(get)) {
+ 		duprintf("get_entries: %u < %zu\n", *len, sizeof(get));
+ 		return -EINVAL;
+@@ -1847,9 +1867,29 @@ compat_do_ipt_set_ctl(struct sock *sk,	int cmd, void __user *user,
+ {
+ 	int ret;
+ 
++#ifdef CONFIG_RSBAC_NET
++        union rsbac_target_id_t       rsbac_target_id;
++        union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!capable(CAP_NET_ADMIN))
+ 		return -EPERM;
+ 
++#ifdef CONFIG_RSBAC_NET
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.scd = ST_firewall;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++				task_pid(current),
++				T_SCD,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	  {
++	    return -EPERM;
++	  }
++#endif
++
+ 	switch (cmd) {
+ 	case IPT_SO_SET_REPLACE:
+ 		ret = compat_do_replace(sock_net(sk), user, len);
+@@ -1916,6 +1956,26 @@ compat_get_entries(struct net *net, struct compat_ipt_get_entries __user *uptr,
+ 	struct compat_ipt_get_entries get;
+ 	struct xt_table *t;
+ 
++#ifdef CONFIG_RSBAC_NET
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC_NET
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.scd = ST_firewall;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				T_SCD,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	{
++		return -EPERM;
++	}
++#endif
++
+ 	if (*len < sizeof(get)) {
+ 		duprintf("compat_get_entries: %u < %zu\n", *len, sizeof(get));
+ 		return -EINVAL;
+@@ -1984,9 +2044,29 @@ do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
+ {
+ 	int ret;
+ 
++#ifdef CONFIG_RSBAC_NET
++        union rsbac_target_id_t rsbac_target_id;
++        union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (!capable(CAP_NET_ADMIN))
+ 		return -EPERM;
+ 
++#ifdef CONFIG_RSBAC_NET
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.scd = ST_firewall;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++				task_pid(current),
++				T_SCD,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++	  {
++	    return -EPERM;
++	  }
++#endif
++
+ 	switch (cmd) {
+ 	case IPT_SO_SET_REPLACE:
+ 		ret = do_replace(sock_net(sk), user, len);
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 94cdbc5..6da8418 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -112,6 +112,8 @@
+ #include <net/atmclip.h>
+ #include <net/secure_seq.h>
+ 
++#include <rsbac/hooks.h>
++
+ #define RT_FL_TOS(oldflp4) \
+ 	((oldflp4)->flowi4_tos & (IPTOS_RT_MASK | RTO_ONLINK))
+ 
+@@ -3085,6 +3087,26 @@ static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr* nlh, void
+ 	int mark;
+ 	struct sk_buff *skb;
+ 
++#ifdef CONFIG_RSBAC_NET
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC_NET
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.scd = ST_network;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				T_SCD,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		err = -EPERM;
++		goto errout;
++	}
++#endif
++
+ 	err = nlmsg_parse(nlh, sizeof(*rtm), tb, RTA_MAX, rtm_ipv4_policy);
+ 	if (err < 0)
+ 		goto errout;
+diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
+index a69d44f..0ad5d09 100644
+--- a/net/sched/cls_api.c
++++ b/net/sched/cls_api.c
+@@ -31,6 +31,8 @@
+ #include <net/pkt_sched.h>
+ #include <net/pkt_cls.h>
+ 
++#include <rsbac/hooks.h>
++
+ /* The list of all installed classifier types */
+ 
+ static struct tcf_proto_ops *tcf_proto_base __read_mostly;
+@@ -139,6 +141,28 @@ static int tc_ctl_tfilter(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
+ 	int err;
+ 	int tp_created = 0;
+ 
++#ifdef CONFIG_RSBAC_NET
++	enum  rsbac_adf_request_t rsbac_request;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++
++	rsbac_pr_debug(aef, "calling ADF\n");
++	if (n->nlmsg_type == RTM_GETTFILTER)
++		rsbac_request = R_GET_STATUS_DATA;
++	else
++		rsbac_request = R_MODIFY_SYSTEM_DATA;
++	rsbac_target_id.scd = ST_network;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(rsbac_request,
++				task_pid(current),
++				T_SCD,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ replay:
+ 	t = NLMSG_DATA(n);
+ 	protocol = TC_H_MIN(t->tcm_info);
+@@ -422,6 +446,25 @@ static int tc_dump_tfilter(struct sk_buff *skb, struct netlink_callback *cb)
+ 	const struct Qdisc_class_ops *cops;
+ 	struct tcf_dump_args arg;
+ 
++#ifdef CONFIG_RSBAC_NET
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#ifdef CONFIG_RSBAC_NET
++	rsbac_pr_debug(aef, "calling ADF\n");
++	rsbac_target_id.scd = ST_network;
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				T_SCD,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	if (cb->nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*tcm)))
+ 		return skb->len;
+ 	dev = __dev_get_by_index(net, tcm->tcm_ifindex);
+diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
+index dca6c1a..8a9c25a 100644
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -35,6 +35,8 @@
+ #include <net/netlink.h>
+ #include <net/pkt_sched.h>
+ 
++#include <rsbac/hooks.h>
++
+ static int qdisc_notify(struct net *net, struct sk_buff *oskb,
+ 			struct nlmsghdr *n, u32 clid,
+ 			struct Qdisc *old, struct Qdisc *new);
+@@ -976,10 +978,43 @@ static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
+ 	struct Qdisc *p = NULL;
+ 	int err;
+ 
++#ifdef CONFIG_RSBAC_NET_DEV
++	enum  rsbac_adf_request_t rsbac_request;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#if !defined(CONFIG_RSBAC_NET_DEV_VIRT)
++	char * rsbac_colon;
++#endif
++#endif
++
+ 	dev = __dev_get_by_index(net, tcm->tcm_ifindex);
+ 	if (!dev)
+ 		return -ENODEV;
+ 
++#ifdef CONFIG_RSBAC_NET_DEV
++	rsbac_pr_debug(aef, "calling ADF\n");
++	if (n->nlmsg_type == RTM_DELQDISC)
++		rsbac_request = R_MODIFY_SYSTEM_DATA;
++	else
++		rsbac_request = R_GET_STATUS_DATA;
++	strncpy(rsbac_target_id.netdev, dev->name, RSBAC_IFNAMSIZ);
++	rsbac_target_id.netdev[RSBAC_IFNAMSIZ] = 0;
++#if !defined(CONFIG_RSBAC_NET_DEV_VIRT)
++	rsbac_colon = strchr(rsbac_target_id.netdev, ':');
++	if (rsbac_colon)
++		*rsbac_colon = 0;
++#endif
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(rsbac_request,
++				task_pid(current),
++				T_NETDEV,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	err = nlmsg_parse(n, sizeof(*tcm), tca, TCA_MAX, NULL);
+ 	if (err < 0)
+ 		return err;
+@@ -1039,6 +1074,13 @@ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
+ 	struct Qdisc *q, *p;
+ 	int err;
+ 
++#ifdef CONFIG_RSBAC_NET_DEV
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#if !defined(CONFIG_RSBAC_NET_DEV_VIRT)
++	char * rsbac_colon;
++#endif
++#endif
+ replay:
+ 	/* Reinit, just in case something touches this. */
+ 	tcm = NLMSG_DATA(n);
+@@ -1049,6 +1091,26 @@ replay:
+ 	if (!dev)
+ 		return -ENODEV;
+ 
++#ifdef CONFIG_RSBAC_NET_DEV
++	rsbac_pr_debug(aef, "tc_modify_qdisc(): calling ADF\n");
++	strncpy(rsbac_target_id.netdev, dev->name, RSBAC_IFNAMSIZ);
++	rsbac_target_id.netdev[RSBAC_IFNAMSIZ] = 0;
++#if !defined(CONFIG_RSBAC_NET_DEV_VIRT)
++	rsbac_colon = strchr(rsbac_target_id.netdev, ':');
++	if (rsbac_colon)
++		*rsbac_colon = 0;
++#endif
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++				task_pid(current),
++				T_NETDEV,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	err = nlmsg_parse(n, sizeof(*tcm), tca, TCA_MAX, NULL);
+ 	if (err < 0)
+ 		return err;
+@@ -1313,6 +1375,13 @@ static int tc_dump_qdisc(struct sk_buff *skb, struct netlink_callback *cb)
+ 	int s_idx, s_q_idx;
+ 	struct net_device *dev;
+ 
++#ifdef CONFIG_RSBAC_NET_DEV
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#if !defined(CONFIG_RSBAC_NET_DEV_VIRT)
++	char * rsbac_colon;
++#endif
++#endif
+ 	s_idx = cb->args[0];
+ 	s_q_idx = q_idx = cb->args[1];
+ 
+@@ -1325,6 +1394,27 @@ static int tc_dump_qdisc(struct sk_buff *skb, struct netlink_callback *cb)
+ 			goto cont;
+ 		if (idx > s_idx)
+ 			s_q_idx = 0;
++
++#ifdef CONFIG_RSBAC_NET_DEV
++		rsbac_pr_debug(aef, "tc_dump_qdisc(): calling ADF\n");
++		strncpy(rsbac_target_id.netdev, dev->name, RSBAC_IFNAMSIZ);
++		rsbac_target_id.netdev[RSBAC_IFNAMSIZ] = 0;
++#if !defined(CONFIG_RSBAC_NET_DEV_VIRT)
++		rsbac_colon = strchr(rsbac_target_id.netdev, ':');
++		if(rsbac_colon)
++			*rsbac_colon = 0;
++#endif
++		rsbac_attribute_value.dummy = 0;
++		if (!rsbac_adf_request(R_GET_STATUS_DATA,
++					task_pid(current),
++					T_NETDEV,
++					rsbac_target_id,
++					A_none,
++					rsbac_attribute_value)) {
++			continue;
++		}
++#endif
++
+ 		q_idx = 0;
+ 
+ 		if (tc_dump_qdisc_root(dev->qdisc, skb, cb, &q_idx, s_q_idx) < 0)
+@@ -1372,10 +1462,38 @@ static int tc_ctl_tclass(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
+ 	u32 qid = TC_H_MAJ(clid);
+ 	int err;
+ 
++#ifdef CONFIG_RSBAC_NET_DEV
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#if !defined(CONFIG_RSBAC_NET_DEV_VIRT)
++	char * rsbac_colon;
++#endif
++#endif
++
+ 	dev = __dev_get_by_index(net, tcm->tcm_ifindex);
+ 	if (!dev)
+ 		return -ENODEV;
+ 
++#ifdef CONFIG_RSBAC_NET_DEV
++	rsbac_pr_debug(aef, "tc_ctl_tclass(): calling ADF\n");
++	strncpy(rsbac_target_id.netdev, dev->name, RSBAC_IFNAMSIZ);
++	rsbac_target_id.netdev[RSBAC_IFNAMSIZ] = 0;
++#if !defined(CONFIG_RSBAC_NET_DEV_VIRT)
++	rsbac_colon = strchr(rsbac_target_id.netdev, ':');
++	if (rsbac_colon)
++		*rsbac_colon = 0;
++#endif
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++				task_pid(current),
++				T_NETDEV,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		return -EPERM;
++	}
++#endif
++
+ 	err = nlmsg_parse(n, sizeof(*tcm), tca, TCA_MAX, NULL);
+ 	if (err < 0)
+ 		return err;
+@@ -1615,12 +1733,40 @@ static int tc_dump_tclass(struct sk_buff *skb, struct netlink_callback *cb)
+ 	struct net_device *dev;
+ 	int t, s_t;
+ 
++#ifdef CONFIG_RSBAC_NET_DEV
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#if !defined(CONFIG_RSBAC_NET_DEV_VIRT)
++	char * rsbac_colon;
++#endif
++#endif
+ 	if (cb->nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*tcm)))
+ 		return 0;
+ 	dev = dev_get_by_index(net, tcm->tcm_ifindex);
+ 	if (!dev)
+ 		return 0;
+ 
++#ifdef CONFIG_RSBAC_NET_DEV
++	rsbac_pr_debug(aef, "calling ADF\n");
++	strncpy(rsbac_target_id.netdev, dev->name, RSBAC_IFNAMSIZ);
++	rsbac_target_id.netdev[RSBAC_IFNAMSIZ] = 0;
++#if !defined(CONFIG_RSBAC_NET_DEV_VIRT)
++	rsbac_colon = strchr(rsbac_target_id.netdev, ':');
++	if (rsbac_colon)
++		*rsbac_colon = 0;
++#endif
++	rsbac_attribute_value.dummy = 0;
++	if (!rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				T_NETDEV,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value)) {
++		dev_put(dev);
++		return -EPERM;
++	}
++#endif
++
+ 	s_t = cb->args[0];
+ 	t = 0;
+ 
+diff --git a/net/socket.c b/net/socket.c
+index 273cbce..ff2def1 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -89,6 +89,14 @@
+ #include <linux/magic.h>
+ #include <linux/slab.h>
+ 
++#ifdef CONFIG_RSBAC
++#include <net/af_unix.h>
++#include <net/scm.h>
++#include <rsbac/hooks.h>
++#define rsbac_unix_peer(sk) (unix_sk(sk)->peer)
++#define rsbac_unix_sk_peer(sk) (unix_sk(unix_sk(sk)->peer))
++#endif
++
+ #include <asm/uaccess.h>
+ #include <asm/unistd.h>
+ 
+@@ -546,6 +554,49 @@ static inline int __sock_sendmsg_nosec(struct kiocb *iocb, struct socket *sock,
+ 				       struct msghdr *msg, size_t size)
+ {
+ 	struct sock_iocb *si = kiocb_to_siocb(iocb);
++	int err;
++
++#if defined(CONFIG_RSBAC_NET_OBJ)
++	enum  rsbac_target_t rsbac_target = T_NONE;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	enum  rsbac_attribute_t rsbac_attribute = A_none;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
++#if defined(CONFIG_RSBAC_NET_OBJ)
++	rsbac_pr_debug(aef, "[sys_send(), sys_sendto(), sys_sendmsg()]: calling ADF\n");
++	if (sock->ops->family != AF_UNIX) {
++#if !defined(CONFIG_RSBAC_NET_OBJ_RW)
++		if(sock->type != SOCK_STREAM)
++#endif
++		{
++			rsbac_target = T_NETOBJ;
++			rsbac_target_id.netobj.sock_p = sock;
++			rsbac_target_id.netobj.local_addr = NULL;
++			rsbac_target_id.netobj.local_len = 0;
++			rsbac_target_id.netobj.remote_addr = msg->msg_name;
++			rsbac_target_id.netobj.remote_len = msg->msg_namelen;
++			if (   sock->sk->sk_peer_pid
++			    && (rsbac_attribute_value.process = sock->sk->sk_peer_pid)
++			    && (pid_nr(rsbac_attribute_value.process) > 0)
++			   ) {
++				rsbac_attribute = A_process;
++			} else {
++				rsbac_attribute = A_sock_type;
++				rsbac_attribute_value.sock_type = sock->type;
++			}
++			if (!rsbac_adf_request(R_SEND,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				rsbac_attribute,
++				rsbac_attribute_value))	{
++				return -EPERM;
++			}
++		}
++	}
++#endif
+ 
+ 	sock_update_classid(sock->sk);
+ 
+@@ -554,7 +605,26 @@ static inline int __sock_sendmsg_nosec(struct kiocb *iocb, struct socket *sock,
+ 	si->msg = msg;
+ 	si->size = size;
+ 
+-	return sock->ops->sendmsg(iocb, sock, msg, size);
++	err = sock->ops->sendmsg(iocb, sock, msg, size);
++
++#if defined(CONFIG_RSBAC_NET_OBJ)
++	if (!err && (rsbac_target != T_NONE)) {
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(R_SEND,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					rsbac_attribute,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_WARNING
++					"sock_sendmsg() [sys_send(), sys_sendto(), sys_sendmsg()]: rsbac_adf_set_attr() returned error\n");
++		}
++	}
++#endif
++
++	return err;
+ }
+ 
+ static inline int __sock_sendmsg(struct kiocb *iocb, struct socket *sock,
+@@ -709,8 +779,72 @@ static inline int __sock_recvmsg_nosec(struct kiocb *iocb, struct socket *sock,
+ static inline int __sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 				 struct msghdr *msg, size_t size, int flags)
+ {
++#if defined(CONFIG_RSBAC_NET_OBJ)
++	enum  rsbac_target_t rsbac_target = T_NONE;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	enum  rsbac_attribute_t rsbac_attribute = A_none;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	int err = security_socket_recvmsg(sock, msg, size, flags);
+ 
++
++#if defined(CONFIG_RSBAC_NET_OBJ)
++	if (err > 0) {
++		rsbac_pr_debug(aef, "[sys_recv(), sys_recvfrom(), sys_recvmsg()]: calling ADF\n");
++		if (sock->ops->family != AF_UNIX) {
++#if !defined(CONFIG_RSBAC_NET_OBJ_RW)
++			if (sock->type != SOCK_STREAM)
++#endif
++			{
++				rsbac_target = T_NETOBJ;
++				rsbac_target_id.netobj.sock_p = sock;
++				rsbac_target_id.netobj.local_addr = NULL;
++				rsbac_target_id.netobj.local_len = 0;
++				rsbac_target_id.netobj.remote_addr = msg->msg_name;
++				rsbac_target_id.netobj.remote_len = msg->msg_namelen;
++				if (   sock->sk->sk_peer_pid
++				    && (rsbac_attribute_value.process = sock->sk->sk_peer_pid)
++				    && (pid_nr(rsbac_attribute_value.process) > 0)
++				   ) {
++					rsbac_attribute = A_process;
++				} else {
++					rsbac_attribute = A_sock_type;
++					rsbac_attribute_value.sock_type = sock->type;
++				}
++				if (!rsbac_adf_request(R_RECEIVE,
++						task_pid(current),
++						rsbac_target,
++						rsbac_target_id,
++						rsbac_attribute,
++						rsbac_attribute_value)) {
++					/* clear buffer */
++					memset(msg->msg_iov->iov_base - err, 0, err);
++					return -EPERM;
++				}
++			}
++		}
++	}
++#endif
++
++#if defined(CONFIG_RSBAC_NET_OBJ)
++	if ((err > 0) && (rsbac_target != T_NONE)) {
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(R_RECEIVE,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					rsbac_attribute,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_WARNING
++					"sock_recvmsg() [sys_recv(), sys_recvfrom(), sys_recvmsg()]: rsbac_adf_set_attr() for RECEIVE returned error\n");
++		}
++	}
++#endif
++
+ 	return err ?: __sock_recvmsg_nosec(iocb, sock, msg, size, flags);
+ }
+ 
+@@ -1305,6 +1439,13 @@ SYSCALL_DEFINE3(socket, int, family, int, type, int, protocol)
+ 	struct socket *sock;
+ 	int flags;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target = T_NONE;
++	union  rsbac_target_id_t rsbac_target_id;
++	union  rsbac_target_id_t rsbac_new_target_id;
++	union  rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	/* Check the SOCK_* constants for consistency.  */
+ 	BUILD_BUG_ON(SOCK_CLOEXEC != O_CLOEXEC);
+ 	BUILD_BUG_ON((SOCK_MAX | SOCK_TYPE_MASK) != SOCK_TYPE_MASK);
+@@ -1323,10 +1464,58 @@ SYSCALL_DEFINE3(socket, int, family, int, type, int, protocol)
+ 	if (retval < 0)
+ 		goto out;
+ 
++#ifdef CONFIG_RSBAC
++	if (family == AF_UNIX) {
++		rsbac_target = T_IPC;
++		rsbac_target_id.ipc.type = I_anonunix;
++		rsbac_target_id.ipc.id.id_nr = SOCK_INODE(sock)->i_ino;
++	}
++#ifdef CONFIG_RSBAC_NET_OBJ
++	else {
++		rsbac_pr_debug(aef, "[sys_socket()]: calling ADF\n");
++		rsbac_target = T_NETOBJ;
++		rsbac_target_id.netobj.sock_p = sock;
++		rsbac_target_id.netobj.local_addr = NULL;
++		rsbac_target_id.netobj.local_len = 0;
++		rsbac_target_id.netobj.remote_addr = NULL;
++		rsbac_target_id.netobj.remote_len = 0;
++	}
++#endif
++	rsbac_attribute_value.sock_type = type;
++	if ((rsbac_target != T_NONE)
++			&& !rsbac_adf_request(R_CREATE,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_sock_type,
++				rsbac_attribute_value)) {
++		rsbac_pr_debug(aef, "[sys_socket()]: ADF returned NOT_GRANTED\n");
++		retval = -EPERM;
++		goto out_release;
++	}
++#endif
++
+ 	retval = sock_map_fd(sock, flags & (O_CLOEXEC | O_NONBLOCK));
+ 	if (retval < 0)
+ 		goto out_release;
+ 
++#ifdef CONFIG_RSBAC
++	if(rsbac_target != T_NONE) {
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(R_CREATE,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					A_sock_type,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_WARNING
++					"sys_socket(): rsbac_adf_set_attr() returned error\n");
++		}
++	}
++#endif
++
+ out:
+ 	/* It may be already another descriptor 8) Not kernel problem. */
+ 	return retval;
+@@ -1348,6 +1537,12 @@ SYSCALL_DEFINE4(socketpair, int, family, int, type, int, protocol,
+ 	struct file *newfile1, *newfile2;
+ 	int flags;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	flags = type & ~SOCK_TYPE_MASK;
+ 	if (flags & ~(SOCK_CLOEXEC | SOCK_NONBLOCK))
+ 		return -EINVAL;
+@@ -1365,10 +1560,43 @@ SYSCALL_DEFINE4(socketpair, int, family, int, type, int, protocol,
+ 	if (err < 0)
+ 		goto out;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[sys_socketcall()]: calling ADF\n");
++	rsbac_target_id.ipc.type = I_anonunix;
++	rsbac_target_id.ipc.id.id_nr = SOCK_INODE(sock1)->i_ino;
++	rsbac_attribute_value.sock_type = type;
++	if (!rsbac_adf_request(R_CREATE,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				A_sock_type,
++				rsbac_attribute_value)) {
++		rsbac_pr_debug(aef, "[sys_socketcall()]: ADF returned NOT_GRANTED\n");
++		err = -EPERM;
++		goto out_release_1;
++	}
++#endif
++
+ 	err = sock_create(family, type, protocol, &sock2);
+ 	if (err < 0)
+ 		goto out_release_1;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[sys_socketcall()]: calling ADF\n");
++	rsbac_target_id.ipc.type = I_anonunix;
++	rsbac_target_id.ipc.id.id_nr = SOCK_INODE(sock2)->i_ino;
++	if (!rsbac_adf_request(R_CREATE,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				A_sock_type,
++				rsbac_attribute_value)) {
++		rsbac_pr_debug(aef, "[sys_socketcall()]: ADF returned NOT_GRANTED\n");
++		err = -EPERM;
++		goto out_release_both;
++	}
++#endif
++
+ 	err = sock1->ops->socketpair(sock1, sock2);
+ 	if (err < 0)
+ 		goto out_release_both;
+@@ -1398,8 +1626,39 @@ SYSCALL_DEFINE4(socketpair, int, family, int, type, int, protocol,
+ 	err = put_user(fd1, &usockvec[0]);
+ 	if (!err)
+ 		err = put_user(fd2, &usockvec[1]);
+-	if (!err)
++
++	if (!err) {
++#ifdef CONFIG_RSBAC
++		rsbac_target_id.ipc.id.id_nr = SOCK_INODE(sock1)->i_ino;
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(R_CREATE,
++					task_pid(current),
++					T_IPC,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					A_sock_type,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_WARNING
++					"sys_socketpair() [sys_socketcall()]: rsbac_adf_set_attr() for sock1 returned error\n");
++		}
++		rsbac_target_id.ipc.id.id_nr = SOCK_INODE(sock2)->i_ino;
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(R_CREATE,
++					task_pid(current),
++					T_IPC,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					A_sock_type,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_WARNING
++					"sys_socketpair() [sys_socketcall()]: rsbac_adf_set_attr() for sock2 returned error\n");
++		}
++#endif
++
+ 		return 0;
++        }
+ 
+ 	sys_close(fd2);
+ 	sys_close(fd1);
+@@ -1427,10 +1686,38 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
+ 	struct sockaddr_storage address;
+ 	int err, fput_needed;
+ 
++#ifdef CONFIG_RSBAC_NET_OBJ
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t	rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ 	if (sock) {
+ 		err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
+ 		if (err >= 0) {
++#ifdef CONFIG_RSBAC_NET_OBJ
++			if (sock->ops->family != AF_UNIX) {
++				rsbac_target_id.netobj.sock_p = sock;
++				rsbac_target_id.netobj.local_addr = (struct sockaddr *)&address;
++				rsbac_target_id.netobj.local_len = addrlen;
++				rsbac_target_id.netobj.remote_addr = NULL;
++				rsbac_target_id.netobj.remote_len = 0;
++				rsbac_attribute_value.sock_type = sock->type;
++				rsbac_pr_debug(aef, "[sys_socketcall()]: calling ADF");
++				if(!rsbac_adf_request(R_BIND,
++							task_pid(current),
++							T_NETOBJ,
++							rsbac_target_id,
++							A_sock_type,
++							rsbac_attribute_value)) {
++					rsbac_pr_debug(aef, "[sys_socketcall()]: ADF returned NOT_GRANTED\n");
++					fput_light(sock->file, fput_needed);
++					return -EPERM;
++				}
++			}
++#endif
++
+ 			err = security_socket_bind(sock,
+ 						   (struct sockaddr *)&address,
+ 						   addrlen);
+@@ -1438,6 +1725,23 @@ SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
+ 				err = sock->ops->bind(sock,
+ 						      (struct sockaddr *)
+ 						      &address, addrlen);
++
++#ifdef CONFIG_RSBAC_NET_OBJ
++			if (!err && sock->ops && (sock->ops->family != AF_UNIX)) {
++				rsbac_new_target_id.dummy = 0;
++				if (rsbac_adf_set_attr(R_BIND,
++							task_pid(current),
++							T_NETOBJ,
++							rsbac_target_id,
++							T_NONE,
++							rsbac_new_target_id,
++							A_sock_type,
++							rsbac_attribute_value)) {
++					rsbac_printk(KERN_WARNING
++							"sys_bind() [sys_socketcall()]: rsbac_adf_set_attr() returned error\n");
++				}
++			}
++#endif
+ 		}
+ 		fput_light(sock->file, fput_needed);
+ 	}
+@@ -1454,10 +1758,60 @@ SYSCALL_DEFINE2(listen, int, fd, int, backlog)
+ {
+ 	struct socket *sock;
+ 	int err, fput_needed;
++
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target = T_NONE;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	int somaxconn;
+ 
+ 	sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ 	if (sock) {
++#ifdef CONFIG_RSBAC
++		rsbac_pr_debug(aef, "[sys_socketcall()]: calling ADF\n");
++		if (sock->ops->family == AF_UNIX) {
++			if (sock->file
++			&& sock->file->f_dentry
++			&& sock->file->f_dentry->d_inode) {
++				if (sock->file->f_dentry->d_sb->s_magic == SOCKFS_MAGIC) {
++					rsbac_target = T_IPC;
++					rsbac_target_id.ipc.type = I_anonunix;
++					rsbac_target_id.ipc.id.id_nr = sock->file->f_dentry->d_inode->i_ino;
++				} else {
++					rsbac_target = T_UNIXSOCK;
++					rsbac_target_id.unixsock.device = sock->file->f_dentry->d_sb->s_dev;
++					rsbac_target_id.unixsock.inode  = sock->file->f_dentry->d_inode->i_ino;
++					rsbac_target_id.unixsock.dentry_p = sock->file->f_dentry;
++				}
++			}
++		}
++#ifdef CONFIG_RSBAC_NET_OBJ
++		else {
++			rsbac_target = T_NETOBJ;
++			rsbac_target_id.netobj.sock_p = sock;
++			rsbac_target_id.netobj.local_addr = NULL;
++			rsbac_target_id.netobj.local_len = 0;
++			rsbac_target_id.netobj.remote_addr = NULL;
++			rsbac_target_id.netobj.remote_len = 0;
++		}
++#endif
++		rsbac_attribute_value.sock_type = sock->type;
++		if ((rsbac_target != T_NONE)
++				&& !rsbac_adf_request(R_LISTEN,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					A_sock_type,
++					rsbac_attribute_value)) {
++			rsbac_pr_debug(aef, "sys_listen() [sys_socketcall()]: ADF returned NOT_GRANTED\n");
++			fput_light(sock->file, fput_needed);
++			return -EPERM;
++		}
++#endif
++
+ 		somaxconn = sock_net(sock->sk)->core.sysctl_somaxconn;
+ 		if ((unsigned)backlog > somaxconn)
+ 			backlog = somaxconn;
+@@ -1466,6 +1820,23 @@ SYSCALL_DEFINE2(listen, int, fd, int, backlog)
+ 		if (!err)
+ 			err = sock->ops->listen(sock, backlog);
+ 
++
++#ifdef CONFIG_RSBAC
++		if (!err && (rsbac_target != T_NONE)) {
++			rsbac_new_target_id.dummy = 0;
++			if (rsbac_adf_set_attr(R_LISTEN,
++						task_pid(current),
++						rsbac_target,
++						rsbac_target_id,
++						T_NONE,
++						rsbac_new_target_id,
++						A_sock_type,
++						rsbac_attribute_value))
++				rsbac_printk(KERN_WARNING
++						"sys_listen() [sys_socketcall()]: rsbac_adf_set_attr() returned error\n");
++		}
++#endif
++
+ 		fput_light(sock->file, fput_needed);
+ 	}
+ 	return err;
+@@ -1491,6 +1862,14 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
+ 	int err, len, newfd, fput_needed;
+ 	struct sockaddr_storage address;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target = T_NONE;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	enum  rsbac_attribute_t rsbac_attribute = A_none;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (flags & ~(SOCK_CLOEXEC | SOCK_NONBLOCK))
+ 		return -EINVAL;
+ 
+@@ -1530,6 +1909,100 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
+ 	if (err < 0)
+ 		goto out_fd;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "[sys_socketcall()]: calling ADF\n");
++	if (sock->ops->family == AF_UNIX) {
++		if (sock->sk) {
++			if (unix_sk(unix_sk(sock->sk)->peer)) {
++				if (unix_sk(unix_sk(sock->sk)->peer)->dentry
++						&& unix_sk(unix_sk(sock->sk)->peer)->dentry->d_inode) {
++					rsbac_target = T_UNIXSOCK;
++					rsbac_target_id.unixsock.device = unix_sk(unix_sk(sock->sk)->peer)->dentry->d_sb->s_dev;
++					rsbac_target_id.unixsock.inode  = unix_sk(unix_sk(sock->sk)->peer)->dentry->d_inode->i_ino;
++					rsbac_target_id.unixsock.dentry_p = unix_sk(unix_sk(sock->sk)->peer)->dentry;
++				} else {
++					rsbac_target = T_IPC;
++					rsbac_target_id.ipc.type = I_anonunix;
++					if (unix_sk(unix_sk(sock->sk)->peer)->dentry
++							&& unix_sk(unix_sk(sock->sk)->peer)->dentry->d_inode
++							&& SOCKET_I(unix_sk(unix_sk(sock->sk)->peer)->dentry->d_inode)->file
++							&& SOCKET_I(unix_sk(unix_sk(sock->sk)->peer)->dentry->d_inode)->file->f_dentry
++							&& SOCKET_I(unix_sk(unix_sk(sock->sk)->peer)->dentry->d_inode)->file->f_dentry->d_inode)
++						rsbac_target_id.ipc.id.id_nr = SOCKET_I(unix_sk(unix_sk(sock->sk)->peer)->dentry->d_inode)->file->f_dentry->d_inode->i_ino;
++					else
++						if (sock->file
++								&& sock->file->f_dentry
++								&& sock->file->f_dentry->d_inode)
++							rsbac_target_id.ipc.id.id_nr = sock->file->f_dentry->d_inode->i_ino;
++						else
++							rsbac_target_id.ipc.id.id_nr = 0;
++				}
++			} else {
++				if(   unix_sk(sock->sk)->dentry
++						&& unix_sk(sock->sk)->dentry->d_inode) {
++					rsbac_target = T_UNIXSOCK;
++					rsbac_target_id.unixsock.device = unix_sk(sock->sk)->dentry->d_sb->s_dev;
++					rsbac_target_id.unixsock.inode  = unix_sk(sock->sk)->dentry->d_inode->i_ino;
++					rsbac_target_id.unixsock.dentry_p = unix_sk(sock->sk)->dentry;
++				} else {
++					rsbac_target = T_IPC;
++					rsbac_target_id.ipc.type = I_anonunix;
++					if (sock->file
++							&& sock->file->f_dentry
++							&& sock->file->f_dentry->d_inode)
++						rsbac_target_id.ipc.id.id_nr = sock->file->f_dentry->d_inode->i_ino;
++					else
++						rsbac_target_id.ipc.id.id_nr = 0;
++				}
++			}
++		}
++		if (   sock->sk
++		    && sock->sk->sk_peer_pid
++		    && (rsbac_attribute_value.process = sock->sk->sk_peer_pid)
++		    && (pid_nr(rsbac_attribute_value.process) > 0)
++		   ) {
++			rsbac_attribute = A_process;
++		} else {
++			rsbac_attribute = A_sock_type;
++			rsbac_attribute_value.sock_type = sock->type;
++		}
++	}
++#ifdef CONFIG_RSBAC_NET_OBJ
++	else {
++		rsbac_target = T_NETOBJ;
++		rsbac_target_id.netobj.sock_p = newsock;
++		rsbac_target_id.netobj.local_addr = NULL;
++		rsbac_target_id.netobj.local_len = 0;
++		if(newsock->ops->getname(newsock, (struct sockaddr *)&address, &len, 2) <0) {
++			rsbac_target_id.netobj.remote_addr = NULL;
++			rsbac_target_id.netobj.remote_len = 0;
++		} else {
++			rsbac_target_id.netobj.remote_addr = (struct sockaddr *)&address;
++			rsbac_target_id.netobj.remote_len = len;
++		}
++		if (sock->sk
++			&& sock->sk->sk_peer_pid) {
++			rsbac_attribute = A_process;
++			rsbac_attribute_value.process = sock->sk->sk_peer_pid;
++		} else {
++			rsbac_attribute = A_sock_type;
++			rsbac_attribute_value.sock_type = sock->type;
++		}
++	}
++#endif
++	if ((rsbac_target != T_NONE)
++		&& !rsbac_adf_request(R_ACCEPT,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				rsbac_attribute,
++				rsbac_attribute_value)) {
++		rsbac_pr_debug(aef, "[sys_socketcall()]: ADF returned NOT_GRANTED\n");
++		err = -EPERM;
++		goto out_fd;
++	}
++#endif
++
+ 	if (upeer_sockaddr) {
+ 		if (newsock->ops->getname(newsock, (struct sockaddr *)&address,
+ 					  &len, 2) < 0) {
+@@ -1547,6 +2020,22 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
+ 	fd_install(newfd, newfile);
+ 	err = newfd;
+ 
++#ifdef CONFIG_RSBAC
++	if (rsbac_target != T_NONE) {
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(R_ACCEPT,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					rsbac_attribute,
++					rsbac_attribute_value))
++			rsbac_printk(KERN_WARNING
++					"sys_accept() [sys_socketcall()]: rsbac_adf_set_attr() returned error\n");
++	}
++#endif
++
+ out_put:
+ 	fput_light(sock->file, fput_needed);
+ out:
+@@ -1582,6 +2071,12 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
+ 	struct sockaddr_storage address;
+ 	int err, fput_needed;
+ 
++#ifdef CONFIG_RSBAC_NET_OBJ
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ 	if (!sock)
+ 		goto out;
+@@ -1594,8 +2089,50 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr,
+ 	if (err)
+ 		goto out_put;
+ 
++        /* RSBAC UNIX socket connects get intercepted in unix/af_unix.c */
++#ifdef CONFIG_RSBAC_NET_OBJ
++	if (sock->ops->family != AF_UNIX) {
++		rsbac_pr_debug(aef, "[sys_socketcall()]: calling ADF\n");
++		rsbac_target_id.netobj.sock_p = sock;
++		rsbac_target_id.netobj.local_addr = NULL;
++		rsbac_target_id.netobj.local_len = 0;
++		rsbac_target_id.netobj.remote_addr = (struct sockaddr *)&address;
++		rsbac_target_id.netobj.remote_len = addrlen;
++		rsbac_attribute_value.sock_type = sock->type;
++		if (!rsbac_adf_request(R_CONNECT,
++					task_pid(current),
++					T_NETOBJ,
++					rsbac_target_id,
++					A_sock_type,
++					rsbac_attribute_value)) {
++			rsbac_pr_debug(aef, "[sys_socketcall()]: ADF returned NOT_GRANTED\n");
++			err = -EPERM;
++			goto out_put;
++		}
++	}
++#endif
++
+ 	err = sock->ops->connect(sock, (struct sockaddr *)&address, addrlen,
+ 				 sock->file->f_flags);
++
++        /* RSBAC: notify ADF of opened socket connection */
++#ifdef CONFIG_RSBAC_NET_OBJ
++	if (!err
++		&& (sock->ops->family != AF_UNIX)) {
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(R_CONNECT,
++					task_pid(current),
++					T_NETOBJ,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					A_sock_type,
++					rsbac_attribute_value))
++			rsbac_printk(KERN_WARNING
++					"sys_connect() [sys_socketcall()]: rsbac_adf_set_attr() returned error\n");
++	}
++#endif
++
+ out_put:
+ 	fput_light(sock->file, fput_needed);
+ out:
+@@ -1614,6 +2151,12 @@ SYSCALL_DEFINE3(getsockname, int, fd, struct sockaddr __user *, usockaddr,
+ 	struct sockaddr_storage address;
+ 	int len, err, fput_needed;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target = T_NONE;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ 	if (!sock)
+ 		goto out;
+@@ -1622,6 +2165,47 @@ SYSCALL_DEFINE3(getsockname, int, fd, struct sockaddr __user *, usockaddr,
+ 	if (err)
+ 		goto out_put;
+ 
++#if defined(CONFIG_RSBAC)
++	rsbac_pr_debug(aef, "calling ADF\n");
++	if (sock->ops->family == AF_UNIX) {
++		if (sock->file
++                && sock->file->f_dentry
++		&& sock->file->f_dentry->d_inode) {
++			if (sock->file->f_dentry->d_sb->s_magic == SOCKFS_MAGIC) {
++				rsbac_target = T_IPC;
++				rsbac_target_id.ipc.type = I_anonunix;
++				rsbac_target_id.ipc.id.id_nr = sock->file->f_dentry->d_inode->i_ino;
++			} else {
++				rsbac_target = T_UNIXSOCK;
++				rsbac_target_id.unixsock.device = sock->file->f_dentry->d_sb->s_dev;
++				rsbac_target_id.unixsock.inode  = sock->file->f_dentry->d_inode->i_ino;
++				rsbac_target_id.unixsock.dentry_p = sock->file->f_dentry;
++			}
++		}
++	}
++#ifdef CONFIG_RSBAC_NET_OBJ
++	else {
++		rsbac_target = T_NETOBJ;
++		rsbac_target_id.netobj.sock_p = sock;
++		rsbac_target_id.netobj.local_addr = NULL;
++		rsbac_target_id.netobj.local_len = 0;
++		rsbac_target_id.netobj.remote_addr = NULL;
++		rsbac_target_id.netobj.remote_len = 0;
++	}
++#endif
++	rsbac_attribute_value.sock_type = sock->type;
++	if ((rsbac_target != T_NONE)
++		&& !rsbac_adf_request(R_GET_STATUS_DATA,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				A_sock_type,
++				rsbac_attribute_value)) {
++		err = -EPERM;
++		goto out_put;
++	}
++#endif
++
+ 	err = sock->ops->getname(sock, (struct sockaddr *)&address, &len, 0);
+ 	if (err)
+ 		goto out_put;
+@@ -1645,6 +2229,12 @@ SYSCALL_DEFINE3(getpeername, int, fd, struct sockaddr __user *, usockaddr,
+ 	struct sockaddr_storage address;
+ 	int len, err, fput_needed;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target = T_NONE;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ 	if (sock != NULL) {
+ 		err = security_socket_getpeername(sock);
+@@ -1653,6 +2243,47 @@ SYSCALL_DEFINE3(getpeername, int, fd, struct sockaddr __user *, usockaddr,
+ 			return err;
+ 		}
+ 
++#if defined(CONFIG_RSBAC)
++		rsbac_pr_debug(aef, "calling ADF\n");
++		if (sock->ops->family == AF_UNIX) {
++			if (sock->file
++			&& sock->file->f_dentry
++			&& sock->file->f_dentry->d_inode) {
++				if (sock->file->f_dentry->d_sb->s_magic == SOCKFS_MAGIC) {
++					rsbac_target = T_IPC;
++					rsbac_target_id.ipc.type = I_anonunix;
++					rsbac_target_id.ipc.id.id_nr = sock->file->f_dentry->d_inode->i_ino;
++				} else {
++					rsbac_target = T_UNIXSOCK;
++					rsbac_target_id.unixsock.device = sock->file->f_dentry->d_sb->s_dev;
++					rsbac_target_id.unixsock.inode  = sock->file->f_dentry->d_inode->i_ino;
++					rsbac_target_id.unixsock.dentry_p = sock->file->f_dentry;
++				}
++			}
++		}
++#ifdef CONFIG_RSBAC_NET_OBJ
++		else {
++			rsbac_target = T_NETOBJ;
++			rsbac_target_id.netobj.sock_p = sock;
++			rsbac_target_id.netobj.local_addr = NULL;
++			rsbac_target_id.netobj.local_len = 0;
++			rsbac_target_id.netobj.remote_addr = NULL;
++			rsbac_target_id.netobj.remote_len = 0;
++		}
++#endif
++		rsbac_attribute_value.sock_type = sock->type;
++		if ((rsbac_target != T_NONE)
++				&& !rsbac_adf_request(R_GET_STATUS_DATA,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					A_sock_type,
++					rsbac_attribute_value)) {
++			fput_light(sock->file, fput_needed);
++			return -EPERM;
++		}
++#endif
++
+ 		err =
+ 		    sock->ops->getname(sock, (struct sockaddr *)&address, &len,
+ 				       1);
+@@ -1791,6 +2422,12 @@ SYSCALL_DEFINE5(setsockopt, int, fd, int, level, int, optname,
+ 	int err, fput_needed;
+ 	struct socket *sock;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target = T_NONE;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (optlen < 0)
+ 		return -EINVAL;
+ 
+@@ -1800,6 +2437,47 @@ SYSCALL_DEFINE5(setsockopt, int, fd, int, level, int, optname,
+ 		if (err)
+ 			goto out_put;
+ 
++#if defined(CONFIG_RSBAC)
++		rsbac_pr_debug(aef, "calling ADF\n");
++		if (sock->ops->family == AF_UNIX) {
++			if (sock->file
++			&& sock->file->f_dentry
++			&& sock->file->f_dentry->d_inode) {
++				if (sock->file->f_dentry->d_sb->s_magic == SOCKFS_MAGIC) {
++					rsbac_target = T_IPC;
++					rsbac_target_id.ipc.type = I_anonunix;
++					rsbac_target_id.ipc.id.id_nr = sock->file->f_dentry->d_inode->i_ino;
++				} else {
++					rsbac_target = T_UNIXSOCK;
++					rsbac_target_id.unixsock.device = sock->file->f_dentry->d_sb->s_dev;
++					rsbac_target_id.unixsock.inode  = sock->file->f_dentry->d_inode->i_ino;
++					rsbac_target_id.unixsock.dentry_p = sock->file->f_dentry;
++				}
++			}
++		}
++#ifdef CONFIG_RSBAC_NET_OBJ
++		else {
++			rsbac_target = T_NETOBJ;
++			rsbac_target_id.netobj.sock_p = sock;
++			rsbac_target_id.netobj.local_addr = NULL;
++			rsbac_target_id.netobj.local_len = 0;
++			rsbac_target_id.netobj.remote_addr = NULL;
++			rsbac_target_id.netobj.remote_len = 0;
++		}
++#endif
++		rsbac_attribute_value.setsockopt_level = level;
++		if ((rsbac_target != T_NONE)
++				&& !rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					A_setsockopt_level,
++					rsbac_attribute_value)) {
++			err = -EPERM;
++			goto out_put;
++		}
++#endif
++
+ 		if (level == SOL_SOCKET)
+ 			err =
+ 			    sock_setsockopt(sock, level, optname, optval,
+@@ -1825,12 +2503,62 @@ SYSCALL_DEFINE5(getsockopt, int, fd, int, level, int, optname,
+ 	int err, fput_needed;
+ 	struct socket *sock;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target = T_NONE;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ 	if (sock != NULL) {
+ 		err = security_socket_getsockopt(sock, level, optname);
+ 		if (err)
+ 			goto out_put;
+ 
++#if defined(CONFIG_RSBAC)
++		rsbac_pr_debug(aef, "calling ADF\n");
++		if (sock->ops->family == AF_UNIX) {
++			if (sock->file
++			&& sock->file->f_dentry
++			&& sock->file->f_dentry->d_inode
++			&& sock->file->f_dentry->d_inode->i_ino
++			&& sock->file->f_dentry->d_sb
++			&& sock->file->f_dentry->d_sb->s_dev) {
++				if (sock->file->f_dentry->d_sb->s_magic == SOCKFS_MAGIC) {
++					rsbac_target = T_IPC;
++					rsbac_target_id.ipc.type = I_anonunix;
++					rsbac_target_id.ipc.id.id_nr = sock->file->f_dentry->d_inode->i_ino;
++				} else {
++					rsbac_target = T_UNIXSOCK;
++					rsbac_target_id.unixsock.device = sock->file->f_dentry->d_sb->s_dev;
++					rsbac_target_id.unixsock.inode  = sock->file->f_dentry->d_inode->i_ino;
++					rsbac_target_id.unixsock.dentry_p = sock->file->f_dentry;
++				}
++			}
++		}
++#ifdef CONFIG_RSBAC_NET_OBJ
++		else {
++			rsbac_target = T_NETOBJ;
++			rsbac_target_id.netobj.sock_p = sock;
++			rsbac_target_id.netobj.local_addr = NULL;
++			rsbac_target_id.netobj.local_len = 0;
++			rsbac_target_id.netobj.remote_addr = NULL;
++			rsbac_target_id.netobj.remote_len = 0;
++		}
++#endif
++		rsbac_attribute_value.sock_type = sock->type;
++		if ((rsbac_target != T_NONE)
++				&& !rsbac_adf_request(R_GET_STATUS_DATA,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					A_sock_type,
++					rsbac_attribute_value)) {
++			err = -EPERM;
++			goto out_put;
++		}
++#endif
++
+ 		if (level == SOL_SOCKET)
+ 			err =
+ 			    sock_getsockopt(sock, level, optname, optval,
+@@ -1854,11 +2582,83 @@ SYSCALL_DEFINE2(shutdown, int, fd, int, how)
+ 	int err, fput_needed;
+ 	struct socket *sock;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target = T_NONE;
++	union rsbac_target_id_t rsbac_target_id;
++#ifdef CONFIG_RSBAC_NET_OBJ
++	union rsbac_target_id_t rsbac_new_target_id;
++#endif
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ 	if (sock != NULL) {
+ 		err = security_socket_shutdown(sock, how);
++
++#ifdef CONFIG_RSBAC
++		if (!err) {
++			rsbac_pr_debug(aef, "[sys_socketcall()]: calling ADF\n");
++			if (sock->ops->family == AF_UNIX) {
++				if (sock->file
++				&& sock->file->f_dentry
++				&& sock->file->f_dentry->d_inode) {
++					if (sock->file->f_dentry->d_sb->s_magic == SOCKFS_MAGIC) {
++						rsbac_target = T_IPC;
++						rsbac_target_id.ipc.type = I_anonunix;
++						rsbac_target_id.ipc.id.id_nr = sock->file->f_dentry->d_inode->i_ino;
++					} else {
++						rsbac_target = T_UNIXSOCK;
++						rsbac_target_id.unixsock.device = sock->file->f_dentry->d_sb->s_dev;
++						rsbac_target_id.unixsock.inode  = sock->file->f_dentry->d_inode->i_ino;
++						rsbac_target_id.unixsock.dentry_p = sock->file->f_dentry;
++					}
++				}
++			}
++#ifdef CONFIG_RSBAC_NET_OBJ
++			else {
++				rsbac_target = T_NETOBJ;
++				rsbac_target_id.netobj.sock_p = sock;
++				rsbac_target_id.netobj.local_addr = NULL;
++				rsbac_target_id.netobj.local_len = 0;
++				rsbac_target_id.netobj.remote_addr = NULL;
++				rsbac_target_id.netobj.remote_len = 0;
++			}
++#endif
++			rsbac_attribute_value.sock_type = sock->type;
++			if ((rsbac_target != T_NONE)
++					&& !rsbac_adf_request(R_NET_SHUTDOWN,
++						task_pid(current),
++						rsbac_target,
++						rsbac_target_id,
++						A_sock_type,
++						rsbac_attribute_value)) {
++				err = -EPERM;
++			}
++		}
++#endif
++
+ 		if (!err)
+ 			err = sock->ops->shutdown(sock, how);
++
++#ifdef CONFIG_RSBAC_NET_OBJ
++		if (!err && (rsbac_target != T_NONE)) {
++			rsbac_pr_debug(aef, "calling rsbac_adf_set_attr() for NET_SHUTDOWN on netobj\n");
++			rsbac_new_target_id.dummy = 0;
++			rsbac_attribute_value.dummy = 0;
++			if (rsbac_adf_set_attr(R_NET_SHUTDOWN,
++						task_pid(current),
++						rsbac_target,
++						rsbac_target_id,
++						T_NONE,
++						rsbac_new_target_id,
++						A_sock_type,
++						rsbac_attribute_value)) {
++				rsbac_printk(KERN_WARNING
++						"sys_shutdown(): rsbac_adf_set_attr() for NET_SHUTDOWN on socket returned error\n");
++			}
++		}
++#endif
++
+ 		fput_light(sock->file, fput_needed);
+ 	}
+ 	return err;
+@@ -2534,6 +3334,10 @@ static int __init sock_init(void)
+ 	if (err)
+ 		goto out_fs;
+ 	sock_mnt = kern_mount(&sock_fs_type);
++#ifdef CONFIG_RSBAC
++	if (!IS_ERR(sock_mnt))
++		rsbac_mount(sock_mnt);
++#endif
+ 	if (IS_ERR(sock_mnt)) {
+ 		err = PTR_ERR(sock_mnt);
+ 		goto out_mount;
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index d99678a..60487cd 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -115,6 +115,8 @@
+ #include <net/checksum.h>
+ #include <linux/security.h>
+ 
++#include <rsbac/hooks.h>
++
+ static struct hlist_head unix_socket_table[UNIX_HASH_SIZE + 1];
+ static DEFINE_SPINLOCK(unix_table_lock);
+ static atomic_long_t unix_nr_socks;
+@@ -679,11 +681,26 @@ static int unix_release(struct socket *sock)
+ {
+ 	struct sock *sk = sock->sk;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t       rsbac_target_id;
++#endif
++
+ 	if (!sk)
+ 		return 0;
+ 
+ 	sock->sk = NULL;
+ 
++#ifdef CONFIG_RSBAC
++	if (   sock->file
++		&& sock->file->f_dentry
++		&& sock->file->f_dentry->d_inode
++	   ) {
++		rsbac_target_id.ipc.type = I_anonunix;
++		rsbac_target_id.ipc.id.id_nr = sock->file->f_dentry->d_inode->i_ino;
++		rsbac_remove_target(T_IPC, rsbac_target_id);
++	}
++#endif
++
+ 	return unix_release_sock(sk, 0);
+ }
+ 
+@@ -697,12 +714,41 @@ static int unix_autobind(struct socket *sock)
+ 	int err;
+ 	unsigned int retries = 0;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	mutex_lock(&u->readlock);
+ 
+ 	err = 0;
+ 	if (u->addr)
+ 		goto out;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "unix_autobind() [sys_bind()]: calling ADF\n");
++	rsbac_target_id.ipc.type = I_anonunix;
++	if (   sock->file
++	    && sock->file->f_dentry
++	    && sock->file->f_dentry->d_inode
++	   )
++		rsbac_target_id.ipc.id.id_nr = sock->file->f_dentry->d_inode->i_ino;
++	else
++		rsbac_target_id.ipc.id.id_nr = 0;
++	rsbac_attribute_value.sock_type = sock->type;
++	if (!rsbac_adf_request(R_BIND,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				A_sock_type,
++				rsbac_attribute_value)) {
++		rsbac_pr_debug(aef, "unix_autobind() [sys_bind() etc.]: ADF returned NOT_GRANTED\n");
++		err = -EPERM;
++		goto out;
++	}
++#endif
++
+ 	err = -ENOMEM;
+ 	addr = kzalloc(sizeof(*addr) + sizeof(short) + 16, GFP_KERNEL);
+ 	if (!addr)
+@@ -742,6 +788,20 @@ retry:
+ 	spin_unlock(&unix_table_lock);
+ 	err = 0;
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_new_target_id.dummy = 0;
++	if (rsbac_adf_set_attr(R_BIND,
++				task_pid(current),
++				T_IPC,
++				rsbac_target_id,
++				T_NONE,
++				rsbac_new_target_id,
++				A_sock_type,
++				rsbac_attribute_value))
++		rsbac_printk(KERN_WARNING
++				"unix_autobind() [sys_bind() etc.]: rsbac_adf_set_attr() returned error\n");
++#endif
++
+ out:	mutex_unlock(&u->readlock);
+ 	return err;
+ }
+@@ -816,6 +876,12 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
+ 	struct unix_address *addr;
+ 	struct hlist_head *list;
+ 
++#ifdef CONFIG_RSBAC
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	err = -EINVAL;
+ 	if (sunaddr->sun_family != AF_UNIX)
+ 		goto out;
+@@ -836,6 +902,31 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
+ 	if (u->addr)
+ 		goto out_up;
+ 
++#ifdef CONFIG_RSBAC
++	if (!sunaddr->sun_path[0]) {
++		rsbac_pr_debug(aef, "unix_bind() [sys_bind()]: calling ADF\n");
++		rsbac_target_id.ipc.type = I_anonunix;
++		if (   sock->file
++		    && sock->file->f_dentry
++		    && sock->file->f_dentry->d_inode
++		   )
++			rsbac_target_id.ipc.id.id_nr = sock->file->f_dentry->d_inode->i_ino;
++		else
++			rsbac_target_id.ipc.id.id_nr = 0;
++		rsbac_attribute_value.sock_type = sock->type;
++		if (!rsbac_adf_request(R_BIND,
++					task_pid(current),
++					T_IPC,
++					rsbac_target_id,
++					A_sock_type,
++					rsbac_attribute_value)) {
++			rsbac_pr_debug(aef, "unix_bind() [sys_bind()]: ADF returned NOT_GRANTED\n");
++			err = -EPERM;
++			goto out_up;
++		}
++	}
++#endif
++
+ 	err = -ENOMEM;
+ 	addr = kmalloc(sizeof(*addr)+addr_len, GFP_KERNEL);
+ 	if (!addr)
+@@ -858,6 +949,11 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
+ 		if (IS_ERR(dentry))
+ 			goto out_mknod_parent;
+ 
++#ifdef CONFIG_RSBAC
++		/* RSBAC add: set credentials so connect and send can copy them */
++		init_peercred(sk);
++#endif
++
+ 		/*
+ 		 * All right, let's create it.
+ 		 */
+@@ -892,6 +988,21 @@ out_mknod_drop_write:
+ 		}
+ 
+ 		list = &unix_socket_table[addr->hash];
++
++#ifdef CONFIG_RSBAC
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(R_BIND,
++					task_pid(current),
++					T_IPC,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					A_sock_type,
++					rsbac_attribute_value))
++			rsbac_printk(KERN_WARNING
++					"unix_bind() [sys_bind()]: rsbac_adf_set_attr() returned error\n");
++#endif
++
+ 	} else {
+ 		list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
+ 		u->dentry = path.dentry;
+@@ -956,6 +1067,14 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr,
+ 	unsigned hash;
+ 	int err;
+ 
++#ifdef CONFIG_RSBAC
++	enum rsbac_target_t rsbac_target = T_NONE;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	enum  rsbac_attribute_t rsbac_attribute = A_none;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (addr->sa_family != AF_UNSPEC) {
+ 		err = unix_mkname(sunaddr, alen, &hash);
+ 		if (err < 0)
+@@ -971,6 +1090,46 @@ restart:
+ 		if (!other)
+ 			goto out;
+ 
++#ifdef CONFIG_RSBAC
++		rsbac_pr_debug(aef, "[sys_connect() [sys_socketcall()]]: calling ADF\n");
++		/* Named socket? */
++		if(sunaddr->sun_path[0]) {
++			rsbac_target = T_UNIXSOCK;
++			rsbac_target_id.unixsock.device = unix_sk(other)->dentry->d_sb->s_dev;
++			rsbac_target_id.unixsock.inode  = unix_sk(other)->dentry->d_inode->i_ino;
++			rsbac_target_id.unixsock.dentry_p = unix_sk(other)->dentry;
++		} else {
++			rsbac_target = T_IPC;
++			rsbac_target_id.ipc.type = I_anonunix;
++			rsbac_target_id.ipc.id.id_nr = unix_sk(other)->dentry->d_inode->i_ino;
++		}
++		if (   other->sk_peer_pid
++		    && (rsbac_attribute_value.process = other->sk_peer_pid)
++		    && (pid_nr(rsbac_attribute_value.process) > 0)
++		   ) {
++			rsbac_attribute = A_process;
++		} else if (   sk->sk_peer_pid
++			   && (rsbac_attribute_value.process = sk->sk_peer_pid)
++			   && (pid_nr(rsbac_attribute_value.process) > 0)
++		          ) {
++			rsbac_attribute = A_process;
++		} else {
++			rsbac_attribute = A_sock_type;
++			rsbac_attribute_value.sock_type = sock->type;
++		}
++		if (!rsbac_adf_request(R_CONNECT,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					rsbac_attribute,
++					rsbac_attribute_value)) {
++			rsbac_pr_debug(aef, "[sys_connect() [sys_socketcall()]]: ADF returned NOT_GRANTED\n");
++			err = -EPERM;
++			sock_put(other);
++			goto out;
++		}
++#endif
++
+ 		unix_state_double_lock(sk, other);
+ 
+ 		/* Apparently VFS overslept socket death. Retry. */
+@@ -1011,6 +1170,23 @@ restart:
+ 		unix_peer(sk) = other;
+ 		unix_state_double_unlock(sk, other);
+ 	}
++
++#ifdef CONFIG_RSBAC
++	if (rsbac_target != T_NONE) {
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(R_CONNECT,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					rsbac_attribute,
++					rsbac_attribute_value))
++			rsbac_printk(KERN_WARNING
++					"unix_dgram_connect() [sys_connect() [sys_socketcall()]]: rsbac_adf_set_attr() returned error\n");
++	}
++#endif
++
+ 	return 0;
+ 
+ out_unlock:
+@@ -1056,6 +1232,15 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr,
+ 	int err;
+ 	long timeo;
+ 
++#ifdef CONFIG_RSBAC
++	enum rsbac_target_t rsbac_target = T_NONE;
++	enum rsbac_target_t rsbac_new_target = T_NONE;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	enum  rsbac_attribute_t rsbac_attribute = A_none;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	err = unix_mkname(sunaddr, addr_len, &hash);
+ 	if (err < 0)
+ 		goto out;
+@@ -1090,6 +1275,48 @@ restart:
+ 	if (!other)
+ 		goto out;
+ 
++#ifdef CONFIG_RSBAC
++	if (unix_sk(other)->dentry && unix_sk(other)->dentry->d_inode) {
++		rsbac_pr_debug(aef, "[sys_connect() [sys_socketcall()]]: calling ADF\n");
++		/* Named socket? */
++		if (sunaddr->sun_path[0]) {
++			rsbac_target = T_UNIXSOCK;
++			rsbac_target_id.unixsock.device = unix_sk(other)->dentry->d_sb->s_dev;
++			rsbac_target_id.unixsock.inode  = unix_sk(other)->dentry->d_inode->i_ino;
++			rsbac_target_id.unixsock.dentry_p = unix_sk(other)->dentry;
++		} else {
++			rsbac_target = T_IPC;
++			rsbac_target_id.ipc.type = I_anonunix;
++			rsbac_target_id.ipc.id.id_nr = unix_sk(other)->dentry->d_inode->i_ino;
++		}
++		if (   other->sk_peer_pid
++		    && (rsbac_attribute_value.process = other->sk_peer_pid)
++		    && (pid_nr(rsbac_attribute_value.process) > 0)
++		   ) {
++			rsbac_attribute = A_process;
++		} else if (   sk->sk_peer_pid
++			   && (rsbac_attribute_value.process = sk->sk_peer_pid)
++			   && (pid_nr(rsbac_attribute_value.process) > 0)
++		          ) {
++			rsbac_attribute = A_process;
++		} else {
++			rsbac_attribute = A_sock_type;
++			rsbac_attribute_value.sock_type = sock->type;
++		}
++		if (!rsbac_adf_request(R_CONNECT,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					rsbac_attribute,
++					rsbac_attribute_value)) {
++			rsbac_pr_debug(aef, "[sys_connect() [sys_socketcall()]]:"
++					" ADF returned NOT_GRANTED\n");
++			err = -EPERM;
++			goto out;
++		}
++	}
++#endif
++
+ 	/* Latch state of peer */
+ 	unix_state_lock(other);
+ 
+@@ -1161,6 +1388,55 @@ restart:
+ 		goto out_unlock;
+ 	}
+ 
++#ifdef CONFIG_RSBAC
++	rsbac_pr_debug(aef, "unix_stream_connect() [sys_connect()]: calling ADF\n");
++	/* Named socket? */
++	if (unix_sk(other)->dentry && unix_sk(other)->dentry->d_inode) {
++		rsbac_target = T_UNIXSOCK;
++		rsbac_target_id.unixsock.device = unix_sk(other)->dentry->d_sb->s_dev;
++		rsbac_target_id.unixsock.inode  = unix_sk(other)->dentry->d_inode->i_ino;
++		rsbac_target_id.unixsock.dentry_p = unix_sk(other)->dentry;
++	} else {
++		if (other->sk_socket
++                    && other->sk_socket->file
++                    && other->sk_socket->file->f_dentry
++                    && other->sk_socket->file->f_dentry->d_inode
++		   ) {
++			rsbac_target = T_IPC;
++			rsbac_target_id.ipc.type = I_anonunix;
++			rsbac_target_id.ipc.id.id_nr = other->sk_socket->file->f_dentry->d_inode->i_ino;
++		}
++	}
++	if (rsbac_target != T_NONE) {
++		if (   other->sk_peer_pid
++		    && (rsbac_attribute_value.process = other->sk_peer_pid)
++		    && (pid_nr(rsbac_attribute_value.process) > 0)
++		   ) {
++			rsbac_attribute = A_process;
++		} else if (   sk->sk_peer_pid
++			   && (rsbac_attribute_value.process = sk->sk_peer_pid)
++			   && (pid_nr(rsbac_attribute_value.process) > 0)
++		          ) {
++			rsbac_attribute = A_process;
++		} else {
++			rsbac_attribute = A_sock_type;
++			rsbac_attribute_value.sock_type = sock->type;
++		}
++		if (!rsbac_adf_request(R_CONNECT,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					rsbac_attribute,
++					rsbac_attribute_value)) {
++			rsbac_pr_debug(aef, "[sys_connect() [sys_socketcall()]]:"
++					" ADF returned NOT_GRANTED\n");
++			err = -EPERM;
++			unix_state_unlock(sk);
++			goto out_unlock;
++		}
++	}
++#endif
++
+ 	/* The way is open! Fastly set all the necessary fields... */
+ 
+ 	sock_hold(sk);
+@@ -1200,6 +1476,53 @@ restart:
+ 	spin_unlock(&other->sk_receive_queue.lock);
+ 	unix_state_unlock(other);
+ 	other->sk_data_ready(other, 0);
++
++#ifdef CONFIG_RSBAC
++	if (rsbac_target != T_NONE) {
++		if (newu->dentry && newu->dentry->d_inode) {
++			rsbac_new_target = T_UNIXSOCK;
++			rsbac_new_target_id.unixsock.device = newu->dentry->d_sb->s_dev;
++			rsbac_new_target_id.unixsock.inode  = newu->dentry->d_inode->i_ino;
++			rsbac_new_target_id.unixsock.dentry_p = newu->dentry;
++		} else {
++			if (newsk->sk_socket
++	                    && newsk->sk_socket->file
++	                    && newsk->sk_socket->file->f_dentry
++	                    && newsk->sk_socket->file->f_dentry->d_inode
++			   ) {
++				rsbac_new_target = T_IPC;
++				rsbac_new_target_id.ipc.type = I_anonunix;
++				rsbac_new_target_id.ipc.id.id_nr = newsk->sk_socket->file->f_dentry->d_inode->i_ino;
++			}
++		}
++		if (rsbac_adf_set_attr(R_CONNECT,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					rsbac_new_target,
++					rsbac_new_target_id,
++					rsbac_attribute,
++					rsbac_attribute_value))
++			rsbac_printk(KERN_WARNING
++					"unix_stream_connect() [sys_connect() [sys_socketcall()]]: rsbac_adf_set_attr() returned error\n");
++#ifdef CONFIG_RSBAC_NET
++#ifdef CONFIG_RSBAC_DEBUG
++		if (   rsbac_debug_aef_net
++		    && sk->sk_socket
++		    && newsk->sk_socket
++		    && other->sk_socket
++		   ) {
++			rsbac_printk("unix_stream_connect() [sys_connect()]: connected from %u to %u (type %u), orig %u\n",
++			sk->sk_socket->file->f_dentry->d_inode->i_ino,
++			newsk->sk_socket->file->f_dentry->d_inode->i_ino,
++			rsbac_target,
++			other->sk_socket->file->f_dentry->d_inode->i_ino);
++		}
++#endif
++#endif
++	}
++#endif
++
+ 	sock_put(other);
+ 	return 0;
+ 
+@@ -1252,6 +1575,11 @@ static int unix_accept(struct socket *sock, struct socket *newsock, int flags)
+ 	if (sk->sk_state != TCP_LISTEN)
+ 		goto out;
+ 
++#ifdef CONFIG_RSBAC
++	/* set credentials again, because accepting process might be another */
++	init_peercred(sk);
++#endif
++
+ 	/* If socket state is TCP_LISTEN it cannot change (for now...),
+ 	 * so that no locks are necessary.
+ 	 */
+@@ -1271,6 +1599,21 @@ static int unix_accept(struct socket *sock, struct socket *newsock, int flags)
+ 	/* attach accepted sock to socket */
+ 	unix_state_lock(tsk);
+ 	newsock->state = SS_CONNECTED;
++
++#ifdef CONFIG_RSBAC
++	/* copy dentry and mnt, if there */
++	if (unix_sk(sk)->dentry) {
++		if (!unix_sk(tsk)->dentry) {
++			unix_sk(tsk)->dentry = dget(unix_sk(sk)->dentry);
++			unix_sk(tsk)->mnt = mntget(unix_sk(sk)->mnt);
++		}
++		if (newsock->sk && !unix_sk(newsock->sk)->dentry) {
++			unix_sk(newsock->sk)->dentry = dget(unix_sk(sk)->dentry);
++			unix_sk(newsock->sk)->mnt = mntget(unix_sk(sk)->mnt);
++		}
++	}
++#endif
++
+ 	sock_graft(tsk, newsock);
+ 	unix_state_unlock(tsk);
+ 	return 0;
+@@ -1432,6 +1775,14 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
+ 	struct scm_cookie tmp_scm;
+ 	int max_level;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target = T_NONE;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	enum  rsbac_attribute_t rsbac_attribute = A_none;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (NULL == siocb->scm)
+ 		siocb->scm = &tmp_scm;
+ 	wait_for_unix_gc();
+@@ -1541,6 +1892,55 @@ restart:
+ 			goto out_unlock;
+ 	}
+ 
++#if defined(CONFIG_RSBAC)
++	if (other->sk_socket) {
++		rsbac_pr_debug(aef, "unix_dgram_sendmsg() [sys_send(), sys_sendto(), sys_sendmsg()]: calling ADF\n");
++		if (   other->sk_socket->sk
++		    && unix_sk(other->sk_socket->sk)->dentry
++		    && unix_sk(other->sk_socket->sk)->dentry->d_inode
++		   ) {
++			rsbac_target = T_UNIXSOCK;
++			rsbac_target_id.unixsock.device = unix_sk(other->sk_socket->sk)->dentry->d_sb->s_dev;
++			rsbac_target_id.unixsock.inode  = unix_sk(other->sk_socket->sk)->dentry->d_inode->i_ino;
++			rsbac_target_id.unixsock.dentry_p = unix_sk(other->sk_socket->sk)->dentry;
++		} else {
++			rsbac_target = T_IPC;
++			rsbac_target_id.ipc.type = I_anonunix;
++			if (   other->sk_socket->file
++			    && other->sk_socket->file->f_dentry
++			    && other->sk_socket->file->f_dentry->d_inode
++			   )
++				rsbac_target_id.ipc.id.id_nr = other->sk_socket->file->f_dentry->d_inode->i_ino;
++			else
++				rsbac_target_id.ipc.id.id_nr = 0;
++		}
++		if (   sk->sk_peer_pid
++		    && (rsbac_attribute_value.process = sk->sk_peer_pid)
++		    && (pid_nr(rsbac_attribute_value.process) > 0)
++		   ) {
++			rsbac_attribute = A_process;
++		} else if (   other->sk_socket->sk
++		    && other->sk_socket->sk->sk_peer_pid
++		    && (rsbac_attribute_value.process = other->sk_socket->sk->sk_peer_pid)
++		    && (pid_nr(rsbac_attribute_value.process) > 0)
++		   ) {
++			rsbac_attribute = A_process;
++		} else {
++			rsbac_attribute = A_sock_type;
++			rsbac_attribute_value.sock_type = sock->type;
++		}
++		if(!rsbac_adf_request(R_SEND,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					rsbac_attribute,
++					rsbac_attribute_value))	{
++			err = -EPERM;
++			goto out_unlock;
++		}
++	}
++#endif
++
+ 	if (unix_peer(other) != sk && unix_recvq_full(other)) {
+ 		if (!timeo) {
+ 			err = -EAGAIN;
+@@ -1566,6 +1966,24 @@ restart:
+ 	other->sk_data_ready(other, len);
+ 	sock_put(other);
+ 	scm_destroy(siocb->scm);
++
++#if defined(CONFIG_RSBAC)
++	if (len > 0 && (rsbac_target != T_NONE)) {
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(R_SEND,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					rsbac_attribute,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_WARNING
++					"unix_dgram_sendmsg() [sys_send(), sys_sendto(), sys_sendmsg()]: rsbac_adf_set_attr() returned error\n");
++		}
++	}
++#endif
++
+ 	return len;
+ 
+ out_unlock:
+@@ -1593,6 +2011,14 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
+ 	bool fds_sent = false;
+ 	int max_level;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target = T_NONE;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	enum  rsbac_attribute_t rsbac_attribute = A_none;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	if (NULL == siocb->scm)
+ 		siocb->scm = &tmp_scm;
+ 	wait_for_unix_gc();
+@@ -1617,6 +2043,55 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
+ 	if (sk->sk_shutdown & SEND_SHUTDOWN)
+ 		goto pipe_err;
+ 
++#if defined(CONFIG_RSBAC)
++	if (other->sk_socket) {
++		rsbac_pr_debug(aef, "unix_stream_sendmsg() [sys_send(), sys_sendto(), sys_sendmsg()]: calling ADF\n");
++		if (   other->sk_socket->sk
++		    && unix_sk(other->sk_socket->sk)->dentry
++		    && unix_sk(other->sk_socket->sk)->dentry->d_inode
++		   ) {
++			rsbac_target = T_UNIXSOCK;
++			rsbac_target_id.unixsock.device = unix_sk(other->sk_socket->sk)->dentry->d_sb->s_dev;
++			rsbac_target_id.unixsock.inode  = unix_sk(other->sk_socket->sk)->dentry->d_inode->i_ino;
++			rsbac_target_id.unixsock.dentry_p = unix_sk(other->sk_socket->sk)->dentry;
++		} else {
++			rsbac_target = T_IPC;
++			rsbac_target_id.ipc.type = I_anonunix;
++			if (   other->sk_socket->file
++			    && other->sk_socket->file->f_dentry
++			    && other->sk_socket->file->f_dentry->d_inode
++			   )
++				rsbac_target_id.ipc.id.id_nr = other->sk_socket->file->f_dentry->d_inode->i_ino;
++			else
++				rsbac_target_id.ipc.id.id_nr = 0;
++		}
++		if (   sk->sk_peer_pid
++		    && (rsbac_attribute_value.process = sk->sk_peer_pid)
++		    && (pid_nr(rsbac_attribute_value.process) > 0)
++		   ) {
++			rsbac_attribute = A_process;
++		} else if (   other->sk_socket->sk
++		    && other->sk_socket->sk->sk_peer_pid
++		    && (rsbac_attribute_value.process = other->sk_socket->sk->sk_peer_pid)
++		    && (pid_nr(rsbac_attribute_value.process) > 0)
++		   ) {
++			rsbac_attribute = A_process;
++		} else {
++			rsbac_attribute = A_sock_type;
++			rsbac_attribute_value.sock_type = sock->type;
++		}
++		if(!rsbac_adf_request(R_SEND,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					rsbac_attribute,
++					rsbac_attribute_value))	{
++			err = -EPERM;
++			goto out_err;
++		}
++	}
++#endif
++
+ 	while (sent < len) {
+ 		/*
+ 		 *	Optimisation for the fact that under 0.01% of X
+@@ -1685,6 +2160,23 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
+ 	scm_destroy(siocb->scm);
+ 	siocb->scm = NULL;
+ 
++#if defined(CONFIG_RSBAC)
++	if (sent && (rsbac_target != T_NONE)) {
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(R_SEND,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					rsbac_attribute,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_WARNING
++					"unix_stream_sendmsg() [sys_send(), sys_sendto(), sys_sendmsg()]: rsbac_adf_set_attr() returned error\n");
++		}
++	}
++#endif
++
+ 	return sent;
+ 
+ pipe_err_free:
+@@ -1697,6 +2189,24 @@ pipe_err:
+ out_err:
+ 	scm_destroy(siocb->scm);
+ 	siocb->scm = NULL;
++
++#if defined(CONFIG_RSBAC)
++	if (sent) {
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(R_SEND,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					rsbac_attribute,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_WARNING
++					"unix_stream_sendmsg() [sys_send(), sys_sendto(), sys_sendmsg()]: rsbac_adf_set_attr() returned error\n");
++		}
++	}
++#endif
++
+ 	return sent ? : err;
+ }
+ 
+@@ -1754,10 +2264,78 @@ static int unix_dgram_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	struct sk_buff *skb;
+ 	int err;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target = T_NONE;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	enum  rsbac_attribute_t rsbac_attribute = A_none;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	err = -EOPNOTSUPP;
+ 	if (flags&MSG_OOB)
+ 		goto out;
+ 
++#if defined(CONFIG_RSBAC)
++	rsbac_pr_debug(aef, "unix_dgram_recvmsg() [sys_recv(), sys_recvfrom(), sys_recvmsg()]: calling ADF\n");
++	if (unix_peer(sk)) {
++		if (   unix_sk(unix_peer(sk))->dentry
++		    && unix_sk(unix_peer(sk))->dentry->d_inode
++		   ) {
++			rsbac_target = T_UNIXSOCK;
++			rsbac_target_id.unixsock.device = unix_sk(unix_peer(sk))->dentry->d_sb->s_dev;
++			rsbac_target_id.unixsock.inode  = unix_sk(unix_peer(sk))->dentry->d_inode->i_ino;
++			rsbac_target_id.unixsock.dentry_p = unix_sk(unix_peer(sk))->dentry;
++		} else {
++			rsbac_target = T_IPC;
++			rsbac_target_id.ipc.type = I_anonunix;
++			if (   unix_peer(sk)->sk_socket
++			    && unix_peer(sk)->sk_socket->file
++			    && unix_peer(sk)->sk_socket->file->f_dentry
++			    && unix_peer(sk)->sk_socket->file->f_dentry->d_inode
++			   )
++				rsbac_target_id.ipc.id.id_nr = unix_peer(sk)->sk_socket->file->f_dentry->d_inode->i_ino;
++		}
++	} else {
++		if (   unix_sk(sk)->dentry
++		    && unix_sk(sk)->dentry->d_inode
++		   ) {
++			rsbac_target = T_UNIXSOCK;
++			rsbac_target_id.unixsock.device = unix_sk(sk)->dentry->d_sb->s_dev;
++			rsbac_target_id.unixsock.inode  = unix_sk(sk)->dentry->d_inode->i_ino;
++			rsbac_target_id.unixsock.dentry_p = unix_sk(sk)->dentry;
++		} else {
++			rsbac_target = T_IPC;
++			rsbac_target_id.ipc.type = I_anonunix;
++			if (   sock->file
++			    && sock->file->f_dentry
++			    && sock->file->f_dentry->d_inode
++			   )
++				rsbac_target_id.ipc.id.id_nr = sock->file->f_dentry->d_inode->i_ino;
++			else
++				rsbac_target_id.ipc.id.id_nr = 0;
++		}
++	}
++	if (   sk->sk_peer_pid
++	    && (rsbac_attribute_value.process = sk->sk_peer_pid)
++	    && (pid_nr(rsbac_attribute_value.process) > 0)
++	   ) {
++		rsbac_attribute = A_process;
++	} else {
++		rsbac_attribute = A_sock_type;
++		rsbac_attribute_value.sock_type = sock->type;
++	}
++	if(!rsbac_adf_request(R_RECEIVE,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				rsbac_attribute,
++				rsbac_attribute_value))	{
++		err = -EPERM;
++		goto out;
++	}
++#endif
++
+ 	msg->msg_namelen = 0;
+ 
+ 	err = mutex_lock_interruptible(&u->readlock);
+@@ -1830,6 +2408,24 @@ out_free:
+ out_unlock:
+ 	mutex_unlock(&u->readlock);
+ out:
++
++#if defined(CONFIG_RSBAC)
++	if (err > 0) {
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(R_RECEIVE,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					rsbac_attribute,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_WARNING
++					"unix_dgram_recvmsg() [sys_recv(), sys_recvfrom(), sys_recvmsg()]: rsbac_adf_set_attr() returned error\n");
++		}
++	}
++#endif
++
+ 	return err;
+ }
+ 
+@@ -1882,6 +2478,14 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	int err = 0;
+ 	long timeo;
+ 
++#ifdef CONFIG_RSBAC
++	enum  rsbac_target_t rsbac_target = T_NONE;
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_target_id_t rsbac_new_target_id;
++	enum  rsbac_attribute_t rsbac_attribute = A_none;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#endif
++
+ 	err = -EINVAL;
+ 	if (sk->sk_state != TCP_ESTABLISHED)
+ 		goto out;
+@@ -1890,6 +2494,66 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	if (flags&MSG_OOB)
+ 		goto out;
+ 
++#if defined(CONFIG_RSBAC)
++	rsbac_pr_debug(aef, "unix_stream_recvmsg() [sys_recv(), sys_recvfrom(), sys_recvmsg()]: calling ADF\n");
++	if (unix_peer(sk)) {
++		if (   unix_sk(unix_peer(sk))->dentry
++		    && unix_sk(unix_peer(sk))->dentry->d_inode
++		   ) {
++			rsbac_target = T_UNIXSOCK;
++			rsbac_target_id.unixsock.device = unix_sk(unix_peer(sk))->dentry->d_sb->s_dev;
++			rsbac_target_id.unixsock.inode  = unix_sk(unix_peer(sk))->dentry->d_inode->i_ino;
++			rsbac_target_id.unixsock.dentry_p = unix_sk(unix_peer(sk))->dentry;
++		} else {
++			rsbac_target = T_IPC;
++			rsbac_target_id.ipc.type = I_anonunix;
++			if (   unix_peer(sk)->sk_socket
++			    && unix_peer(sk)->sk_socket->file
++			    && unix_peer(sk)->sk_socket->file->f_dentry
++			    && unix_peer(sk)->sk_socket->file->f_dentry->d_inode
++			   )
++				rsbac_target_id.ipc.id.id_nr = unix_peer(sk)->sk_socket->file->f_dentry->d_inode->i_ino;
++		}
++	} else {
++		if (   unix_sk(sk)->dentry
++		    && unix_sk(sk)->dentry->d_inode
++		   ) {
++			rsbac_target = T_UNIXSOCK;
++			rsbac_target_id.unixsock.device = unix_sk(sk)->dentry->d_sb->s_dev;
++			rsbac_target_id.unixsock.inode  = unix_sk(sk)->dentry->d_inode->i_ino;
++			rsbac_target_id.unixsock.dentry_p = unix_sk(sk)->dentry;
++		} else {
++			rsbac_target = T_IPC;
++			rsbac_target_id.ipc.type = I_anonunix;
++			if (   sock->file
++			    && sock->file->f_dentry
++			    && sock->file->f_dentry->d_inode
++			   )
++				rsbac_target_id.ipc.id.id_nr = sock->file->f_dentry->d_inode->i_ino;
++			else
++				rsbac_target_id.ipc.id.id_nr = 0;
++		}
++	}
++	if (   sk->sk_peer_pid
++	    && (rsbac_attribute_value.process = sk->sk_peer_pid)
++	    && (pid_nr(rsbac_attribute_value.process) > 0)
++	   ) {
++		rsbac_attribute = A_process;
++	} else {
++		rsbac_attribute = A_sock_type;
++		rsbac_attribute_value.sock_type = sock->type;
++	}
++	if(!rsbac_adf_request(R_RECEIVE,
++				task_pid(current),
++				rsbac_target,
++				rsbac_target_id,
++				rsbac_attribute,
++				rsbac_attribute_value))	{
++		err = -EPERM;
++		goto out;
++	}
++#endif
++
+ 	target = sock_rcvlowat(sk, flags&MSG_WAITALL, size);
+ 	timeo = sock_rcvtimeo(sk, flags&MSG_DONTWAIT);
+ 
+@@ -2006,6 +2670,23 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
+ 	mutex_unlock(&u->readlock);
+ 	scm_recv(sock, msg, siocb->scm, flags);
+ out:
++#if defined(CONFIG_RSBAC)
++	if (copied > 0) {
++		rsbac_new_target_id.dummy = 0;
++		if (rsbac_adf_set_attr(R_RECEIVE,
++					task_pid(current),
++					rsbac_target,
++					rsbac_target_id,
++					T_NONE,
++					rsbac_new_target_id,
++					rsbac_attribute,
++					rsbac_attribute_value)) {
++			rsbac_printk(KERN_WARNING
++					"unix_stream_recvmsg() [sys_recv(), sys_recvfrom(), sys_recvmsg()]: rsbac_adf_set_attr() returned error\n");
++		}
++	}
++#endif
++
+ 	return copied ? : err;
+ }
+ 
+diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
+index 0af7f54..6bb74a0 100644
+--- a/net/wireless/wext-core.c
++++ b/net/wireless/wext-core.c
+@@ -20,6 +20,8 @@
+ #include <net/wext.h>
+ #include <net/net_namespace.h>
+ 
++#include <rsbac/hooks.h>
++
+ typedef int (*wext_ioctl_func)(struct net_device *, struct iwreq *,
+ 			       unsigned int, struct iw_request_info *,
+ 			       iw_handler);
+@@ -948,9 +950,37 @@ static int wext_ioctl_dispatch(struct net *net, struct ifreq *ifr,
+ {
+ 	int ret = wext_permission_check(cmd);
+ 
++#ifdef CONFIG_RSBAC_NET_DEV
++	union rsbac_target_id_t rsbac_target_id;
++	union rsbac_attribute_value_t rsbac_attribute_value;
++#ifndef CONFIG_RSBAC_NET_DEV_VIRT
++	char * rsbac_colon;
++#endif
++#endif
++
+ 	if (ret)
+ 		return ret;
+ 
++#ifdef CONFIG_RSBAC_NET_DEV
++	rsbac_pr_debug(aef, " calling ADF\n");
++	strncpy(rsbac_target_id.netdev, ifr->ifr_name, RSBAC_IFNAMSIZ);
++	rsbac_target_id.netdev[RSBAC_IFNAMSIZ] = 0;
++#ifndef CONFIG_RSBAC_NET_DEV_VIRT
++	rsbac_colon = strchr(rsbac_target_id.netdev, ':');
++	if (rsbac_colon)
++		*rsbac_colon = 0;
++#endif
++	rsbac_attribute_value.dummy = 0;
++
++	if (!rsbac_adf_request(R_MODIFY_SYSTEM_DATA,
++				task_pid(current),
++				T_NETDEV,
++				rsbac_target_id,
++				A_none,
++				rsbac_attribute_value))
++		return -EPERM;
++#endif
++
+ 	dev_load(net, ifr->ifr_name);
+ 	rtnl_lock();
+ 	ret = wireless_process_ioctl(net, ifr, cmd, info, standard, private);
+diff --git a/rsbac/Kconfig b/rsbac/Kconfig
+new file mode 100644
+index 0000000..04238fd
+--- /dev/null
++++ b/rsbac/Kconfig
+@@ -0,0 +1,2342 @@
++#
++# RSBAC configuration
++# (c) 1999-2010 Amon Ott <ao@...>
++#
++
++menuconfig RSBAC
++	bool "Rule Set Based Access Control (RSBAC)"
++	default y
++	---help---
++	  RSBAC adds 'real' access control to the kernel. Currently there are
++	  the following policies supported: Mandatory Access Control,
++	  Functional Control, Privacy Model, Dazuko, File Flags,
++	  Role Compatibility, Authentication Enforcement, User Management,
++	  Access Control Lists, System Resources, Linux Capabilities and Jail.
++
++	  Additionally, you can add your own policies, e.g. as a kernel module
++	  (see Module Registration (REG)).
++
++	  Since RSBAC exclusively uses the virtual file system, files on all
++	  mounted filesystems are monitored. Still, on some filesystems, no
++	  access control information is stored, it is instead kept in kernel
++	  memory. These file system types are currently PROC, NFS, CODAFS, SMBFS
++	  NCPFS, ISO9660 and (configurable below) all MSDOS types (inodes may
++	  change between boots). You can make attribute backups and restore them
++	  on each boot to keep them persistent.
++
++	  RSBAC will increase your kernel size by up to 520K with all options
++	  turned on, plus allocated memory for dynamical data structures.
++	  If you are tight on memory, it is generally a good idea to turn off
++	  those features which you do not need.
++
++	  Please read the RSBAC docs in Documentation/rsbac or
++	  http://www.rsbac.org/documentation before installing a RSBAC enabled
++	  kernel, since you can easily make your system unaccessible when
++	  changing the RSBAC configuration...
++
++if RSBAC
++
++menu "General RSBAC options"
++	depends on RSBAC=y
++
++config RSBAC_INIT_THREAD
++	bool 'Initialize RSBAC in separate kernel thread'
++	---help---
++	  Some people experienced system hangs, oopses etc. during RSBAC
++	  initialization. If you experience this, enabling this option might
++	  help.
++
++	  At least, init can be timed out and the system more or less comes up -
++	  if you are in softmode or maintenance mode, that is. The timeout value
++	  is indicated by the RSBAC_MAX_INIT_TIME configure option below.
++
++config RSBAC_MAX_INIT_TIME
++	int 'Initialization timeout in seconds'
++	default 60
++	depends on RSBAC_INIT_THREAD=y
++	---help---
++	  Maximum time in seconds the init process waits for rsbac_initd to
++	  complete the RSBAC initialization process via rsbac_do_init(). After
++	  this time, RSBAC initialization is considered as failed and
++	  rsbac_initd is killed.
++
++config RSBAC_PROC
++	bool 'RSBAC proc support'
++	depends on PROC_FS
++	default y
++	---help---
++	  If enabled, RSBAC adds one directory to the main proc dir, called
++	  rsbac-info.
++	  The files in rsbac-info give read access to RSBAC statistics, and
++	  read and write access to many RSBAC settings.
++
++	  If unsure, say Y.
++
++	  See <file:Documentation/rsbac/README-proc> for details.
++
++config RSBAC_INIT_CHECK
++	bool 'Check on init'
++	default y
++	---help---
++	  Check RSBAC attribute consistency at boot time.
++
++	  NOTE: This cannot check attributes on other than the root filesystem.
++	        You should run rsbac_check regularly, e.g. once per day from
++	        cron.
++
++config RSBAC_NO_WRITE
++	bool 'Disable RSBAC writing to disk'
++	---help---
++	  If enabled, RSBAC treats all file system types as read-only. No
++	  attributes are saved and all settings are instead kept in memory.
++	  If off, only PROC, NFS, CODAFS, SMBFS, NCPFS, ISO9660 and all MSDOS
++	  filesystems are read-only.
++
++	  If you only want to turn off automatical writing, but keep the
++	  syscall sys_rsbac_write() to write by hand, set auto write to 0
++	  instead.
++
++	  This switch is intended for testing purposes only and off by
++	  default.
++
++	  If unsure, say N.
++
++config RSBAC_MSDOS_WRITE
++	bool 'Allow attribute writing on MSDOS filesystems'
++	depends on RSBAC_NO_WRITE=n
++	---help---
++	  This setting allows attribute writing on MSDOS filesystems, like FAT,
++	  VFAT, UMSDOS. Turning it on makes these attributes persistent through
++	  reboots.
++	  Unfortunately, MSDOS filesystems do not guarantee reproducable inode
++	  numbers on reboots - so attributes might be applied to wrong files or
++	  get lost. Watch for warning messages from rsbac_check.
++
++	  As a more reliable alternative, disable this feature, and make regular
++	  attribute backups, which you can restore each time after mounting
++	  the disk.
++
++	  If unsure, say N.
++
++config RSBAC_AUTO_WRITE
++	int 'RSBAC auto write to disk interval in seconds'
++	default 5
++	depends on RSBAC_NO_WRITE=n
++	---help---
++	  If not 0, a kernel daemon saves all changed RSBAC attributes to disk
++	  every n seconds. You can also initiate each saving through the
++	  sys_rsbac_write() syscall. This interval can alternatively be changed
++	  via the proc interface.
++
++config RSBAC_RCU_RATE
++	int 'RSBAC attribute change burst per second'
++	default 1000
++	---help---
++	  Normally, RSBAC removes list items in the background while the
++	  process continues without delay. Keeping the items longer needs
++	  extra memory, so a rate limit ensures that memory does not get
++	  exhausted.
++
++	  When the limit has been reached, deleting items is still
++	  possible, but the process gets delayed until all possible
++	  readers of the deleted item have finished reading and the item
++	  is deleted immediately. This slows down attribute changes
++	  somewhat, but should only be noticable on mass changes like at
++	  a restore.
++
++	  The default value of 1000 should be fine for normal system use
++	  even with FD cache. Valid values are 100 to 100000.
++	  The value can later be changed at boot time with
++	  rsbac_list_rcu_rate=n kernel parameter and at runtime through
++	  /proc/rsbac-info/debug.
++
++config RSBAC_LIST_MAX_HASHES
++	int 'Maximum number of list hashes'
++	default 128
++	---help---
++	  IMPORTANT: Use values of 2^n, like 64, 128, 512. If you do not,
++	  the value will be automatically reduced to the next lower 2^n.
++	  (e.g.: 127 would be converted to list hashes of size 64.)
++
++	  Define the maximum number of internal hashes per generic list.
++	  Bigger values may need more memory, but allow to distribute many
++          list items over more and thus smaller lists behind the hashes.
++	  It is safe to change this value at any time, but it may not
++	  go below 8 or above 2048. The system will not use more hashes
++	  per list than necessary. Default is 128.
++
++config RSBAC_LIST_CHECK_INTERVAL
++	int 'Interval of automatic list check and cleanup'
++	default 1800
++	depends on CONFIG_RSBAC_AUTO_WRITE!=0
++	---help---
++	  Check all lists and remove items over ttl at this interval.
++	  Uses rsbacd and thus uses CONFIG_RSBAC_AUTO_WRITE granularity.
++
++	  Default is 1800, one half hour.
++
++config RSBAC_LIST_STATS
++	bool 'List access statistics'
++	default n
++	---help---
++	  Count read and write accesses to each list for optimization.
++	  The values are shown in /proc/rsbac-info/gen_list_counts.
++
++config RSBAC_LIST_TRANS
++	bool 'Support transactions'
++	default y
++	---help---
++	  This option enables support for RSBAC configuration transactions.
++	  RSBAC transactions are a set of temporary changes within a list that
++	  are either commited or forgotten.
++
++	  Any user can start a transaction with the rsbac_list_ta() syscall
++	  (e.g. via the rsbac_list_ta admin tool), and use the returned
++	  transaction number for further administration calls which collect a
++	  set of allowed changes.
++
++	  When finished, a simple commit through rsbac_list_ta applies all these
++	  changes atomically to the system, while the forget command or a
++	  transaction timeout (see next option) remove the complete set of
++	  proposes changes.
++
++	  The number of transactions in parallel is not limited, but each list,
++	  which has been changed by one transaction, is locked against changes
++	  by all other transactions. Such change attempts return the error
++	  -RSBAC_EBUSY, while using invalid transaction numbers returns the
++	  error -RSBAC_EINVALIDTRANSACTION. This means that when using
++	  transactions, both error codes should be checked for each call. When
++	  a list is BUSY, it is the user's choice to retry later, forget all
++	  changes or leave it as it is.
++
++	  Changes with transaction number 0 (no transaction) and automatic
++	  changes by the system always affect both the real lists and all
++	  transaction lists.
++
++config RSBAC_LIST_TRANS_MAX_TTL
++	int 'Maximum transaction time in seconds'
++	default 3600
++	depends on RSBAC_LIST_TRANS
++	---help---
++	  When starting a transaction, the ttl parameter sets its maximum
++	  lifetime, after which it will be automatically removed, if
++	  it has not been renewed in time.
++	  This option sets the maximum allowed lifetime for any transaction in
++	  seconds. The default value is 3600 (one hour).
++
++config RSBAC_LIST_TRANS_RANDOM_TA
++	bool 'Randomize transaction numbers'
++	default y
++	depends on RSBAC_LIST_TRANS
++	---help---
++	  Usually, transaction numbers start with one and increase with every
++	  new transaction. With this option, they will be randomized to make
++	  it a bit more difficult to tamper with other admins' transactions.
++
++	  However, this is no real protection and makes transactions less human
++	  friendly because of large numbers - use the transaction key or the
++	  user limit to get more security for transaction handling.
++
++config RSBAC_FD_CACHE
++	bool 'Cache FD attribute values'
++	default n
++	---help---
++	  This option allows to cache inherited attribute values for some
++	  modules. It speeds up attribute lookup, but increases memory
++	  usage significantly.
++
++config RSBAC_FD_CACHE_TTL
++	int 'Time to live for FD cache items'
++	default 1800
++	depends on RSBAC_FD_CACHE
++	---help---
++	  After the time given here in seconds, FD cache items will be
++	  removed at the next list cleanup. You can change the value at
++	  boottime with kernel parameter rsbac_fd_cache_ttl= and at
++	  runtime through /proc/rsbac-info/debug interface.
++	  Please also adjust CONFIG_RSBAC_LIST_CHECK_INTERVAL
++	  accordingly to get items over ttl expunged timely.
++
++	  Default is 1800, one half hour.
++
++config RSBAC_FD_CACHE_MAX_ITEMS
++	int 'Maximum number of FD cache items per hash'
++	default 1000
++	depends on RSBAC_FD_CACHE
++	---help---
++	  Specify the maximum number of cache FD items allowed per
++	  hashed list. Multiply by max number of hashes per list to get
++	  total maximum number of cache entries.
++
++	  Default is 1000.
++
++config RSBAC_DEBUG
++	bool 'RSBAC debugging support'
++	default y
++	---help---
++	  This option enables many debugging switches to examine RSBAC internals
++	  as well as request sanity checks.
++	  Most of the debugging switches can be set with rsbac_debug_* kernel
++	  parameters or via proc interface at /proc/rsbac-info/debug.
++	  See <file:Documentation/rsbac/README-proc> for details.
++
++	  This option is recommended to be on, but you may as well turn it off,
++	  if performance really matters and your RSBAC system runs without
++	  problems.
++
++	  If unsure, say Y.
++
++config RSBAC_DEV_USER_BACKUP
++	bool 'Provide DEV and USER backup files'
++	depends on RSBAC_PROC=y
++	---help---
++	  If enabled, you will find images of the USER and DEV target general
++	  attribute list files in /proc/rsbac-info/backup. Since attribute
++	  backup should be done with tools, this is usually not needed and
++	  thus off by default.
++
++	  If unsure, say N.
++
++config RSBAC_SECOFF_UID
++	int 'RSBAC default security officer user ID'
++	default 400
++	---help---
++	  The number n given here specifies which user IDs should be used for
++	  the Security Officer/Role Admin/Supervisor (n), the PM model Data
++	  Protection Officer (n+1) and the PM model TP Manager (n+2) in the
++	  default configuration at first boot.
++
++	  WARNING: This value should only be changed if you have a severe
++	           conflict with the default values of 400 to 402. After the
++		   first boot, the defaults are set and saved, and changes to
++		   this option will not have any effect.
++
++config RSBAC_INIT_DELAY
++	bool 'Delayed init for initial ramdisk'
++	---help---
++	  This option allows to delay RSBAC initialization until the first mount
++	  of a real disk partition (major number > 1). It is intended to be used
++	  with initial ramdisks, which mount the final root partition during
++	  boot.
++
++	  You can trigger initialization at a specific partition mount with the
++	  kernel parameter rsbac_delayed_root=major:minor. If the given
++	  partition is not mounted and thus RSBAC not initialized, you can also
++	  call the rsbac_init() system call at any time, e.g. with the
++	  rsbac_init utility.
++
++	  To disable delayed init, you have to use the kernel parameter
++	  rsbac_no_delay_init. This will force the standard initialization after
++	  the first root mount. If this is your initrd, the RSBAC setup in there
++	  will be used instead of the configuration on your real root device.
++
++	  WARNING: The delayed init option requires the RSBAC init code to be
++	           kept in memory all the time, which increases your kernel
++	           memory usage by a few 10s of KB. It should only be used in
++	           combination with an initial ramdisk.
++
++config RSBAC_GEN_NR_P_LISTS
++	int 'Number of GEN process lists'
++	default 4
++	---help---
++	  When using network support, every process in the system accepting a
++	  network connection and all its sub-processes will get individual
++	  attributes set. This means that with many active processes, the list
++	  lookups will become slower.
++
++	  To speed them up, RSBAC uses a hash table to split the GENeral process
++	  attribute lists into several shorter ones. This option sets the number
++	  of these lists.
++
++	  In most cases, the default of 4 will be sufficient. However, if you
++	  plan to have very many processes, a higher value will reduce lookup
++	  time at the cost of additional list headers.
++endmenu
++
++menuconfig RSBAC_UM
++	depends on RSBAC=y
++	bool 'User Management'
++	---help---
++	  Enable RSBAC User Management, a fully passwd/shadow compatible, but
++	  kernel based Linux user and group database. All changes are access
++	  controlled with USER and GROUP targets.
++
++	  You will need the PAM and NSS modules from the RSBAC admin tools
++	  contrib section to make transparent use of this feature.
++
++	  If the SHA1 algorithm is available through the crypto API, passwords
++	  can also optionally be encrypted (next option).
++
++if RSBAC_UM
++config RSBAC_UM_DIGEST
++	bool 'Use Crypto API Digest SHA1'
++	depends on RSBAC_UM=y
++	select CRYPTO
++	select CRYPTO_SHA1
++	default y
++	---help---
++	   If enabled, all passwords are hashed with SHA1 digests. To make the
++	   resulting hash values unique, the password functions add a 32 Bit
++	   salt value to the password string before hashing.
++
++config RSBAC_UM_USER_MIN
++	int 'Minimum auto user ID'
++	depends on RSBAC_UM=y
++	default 2000
++	---help---
++	  When users get added without giving a desired ID, the system picks the
++	  lowest available number starting from the set value.
++
++config RSBAC_UM_GROUP_MIN
++	int 'Minimum auto group ID'
++	depends on RSBAC_UM=y
++	default 2000
++	---help---
++	  When groups get added without giving a desired ID, the system picks
++	  the lowest available number starting from the set value.
++
++config RSBAC_UM_EXCL
++	bool 'Exclusive user management'
++	depends on RSBAC_UM=y
++	---help---
++	  With this option, RSBAC makes sure that only user and group IDs it
++	  knows about can be used within the system. The User Management
++	  component will only make consistency checks, but the AUTH module will
++	  enforce the exclusive use.
++
++config RSBAC_UM_MIN_PASS_LEN
++	int 'Minimum password length'
++	default 6
++	depends on RSBAC_UM=y
++	---help---
++	  Set this to the minimum length a password set by the user must have.
++	  The default minimum length is 6, but using at least 8 is recommended
++	  for production systems.
++
++	  Passwords set by admins with MODIFY_PERMISSIONS_DATA right to the user
++	  will not be restricted!
++
++config RSBAC_UM_NON_ALPHA
++	bool 'Require non-alphabetic character in password'
++	default y
++	depends on RSBAC_UM=y
++	---help---
++	  This option requires that a password set by the user must have at
++	  least one non-alphabetic character.
++
++	  Passwords set by admins with MODIFY_PERMISSIONS_DATA right on the
++	  user will not be restricted!
++
++config RSBAC_UM_PWHISTORY
++	bool 'Remember password history'
++	default y
++	depends on RSBAC_UM=y
++	---help---
++	  This option requires that the password set by the user must not be
++	  the same as the RSBAC_UM_HISTORY_SIZE previous ones.
++
++	  Passwords set by admins with MODIFY_PERMISSIONS_DATA right on the
++	  user will not be restricted!
++
++config RSBAC_UM_PWHISTORY_MAX
++	int 'Number of successive passwords to remember'
++	default 8
++	depends on RSBAC_UM_PWHISTORY=y
++	---help---
++	  This is the number of passwords RSBAC User Management will
++	  remember and check against when changing a password.
++
++config RSBAC_UM_ONETIME
++	bool 'Support one-time passwords'
++	default n
++	depends on RSBAC_UM=y
++	---help---
++	  With this option you can add additional passwords to every user
++	  account, which can only be used once.
++
++config RSBAC_UM_ONETIME_MAX
++	int 'Max number of one-time passwords per account'
++	default 100
++	depends on RSBAC_UM_ONETIME=y
++	---help---
++	  Set the number of one-time passwords, which can be set at
++	  each account.
++
++config RSBAC_UM_VIRTUAL
++	bool 'Support virtual users'
++	default n
++	depends on RSBAC_UM=y
++	---help---
++	  If enabled, RSBAC User Management supports virtual users,
++	  which are organized in sets with 32 Bit ID numbers. ID 0 is
++          the main set.
++
++config RSBAC_UM_VIRTUAL_ISOLATE
++	bool 'Isolate virtual user sets'
++	default y
++	depends on RSBAC_UM_VIRTUAL=y
++	---help---
++	  Select this option to ensure that users in virtual sets > 0
++	  never see users and groups in other virtual sets.
++endif
++
++if NET
++menu 'RSBAC networking options'
++	depends on RSBAC
++
++config RSBAC_NET
++	bool 'RSBAC network support'
++	depends on NET
++	default y
++	---help---
++	  The net support switch adds generic network device, network template
++	  and network object attribute support.
++
++	  Also, general settings of IPv4 (INET) networks are controlled through
++	  the SCD targets 'network' and 'firewall'.
++
++	  To get network device or object access control, you have to enable
++	  the conditional switches below, as well as the individual model
++	  switches for network access control.
++
++config RSBAC_NET_DEV
++	bool 'Net device control'
++	default y
++	depends on RSBAC_NET
++	---help---
++	  With this option turned on, reading and modifying network device
++	  settings, like binding addresses to devices etc., are controlled as
++	  NETDEV targets. NETDEV objects are identified by their device name.
++
++config RSBAC_NET_DEV_VIRT
++	bool 'Treat virtual devices as individuals'
++	depends on RSBAC_NET_DEV
++	---help---
++	  Turn this on, if you want to provide access control over virtual
++	  devices independently from their base device. Due to the possible
++	  number of virtual devices, be careful with this option.
++
++config RSBAC_IND_NETDEV_LOG
++	bool 'Individual network device logging'
++	default y
++	depends on RSBAC_NET_DEV
++	---help---
++	  Enable individual log levels for every request type for network
++	  devices. Log levels are none, denied requests, full, request based.
++	  Default value is request based for all request types.
++
++	  If this option is off, only general log levels for requests are used
++	  (same as individual logging for all objects set to request based).
++
++config RSBAC_NET_OBJ
++	bool 'Net object control (sockets)'
++	default y
++	depends on RSBAC_NET
++	depends on INET
++	---help---
++	  This option enables access control for all socket based
++	  communication, except the UNIX address family (controlled by extra
++	  option).
++
++	  Access control is based on network object (NETOBJ) targets. Default
++	  values for NETOBJ attributes are derived from the network template
++	  (NETTEMP object), whose description matches this particular network
++	  object.
++
++	  Matching is performed from lowest to highest template number. If no
++	  template matches, general NETOBJ default values will be used.
++	  NOTE: The behaviour in this case is model dependent!
++
++	  Socket system calls are matched to special request types with
++	  matching names.
++
++	  NETTEMP objects themselves are protected as NETTEMP targets with
++	  repective requests.
++
++config RSBAC_NET_OBJ_RW
++	bool 'Also intercept network object read and write'
++	depends on RSBAC_NET_OBJ
++	---help---
++	  If on, READ and WRITE requests on sockets are also checked.
++
++config RSBAC_IND_NETOBJ_LOG
++	bool 'Individual network object logging'
++	default y
++	depends on RSBAC_NET_OBJ
++	---help---
++	  Enable individual log levels for every request type for network
++	  objects.
++	  Log levels are none, denied requests, full, request based.
++	  Default value is request based for all request types.
++
++	  For easier setup, the log levels are set on the network templates,
++	  not the individual network objects.
++
++	  If this option is off, only general log levels for requests are used
++	  (same as individual logging for all objects set to request based).
++endmenu
++endif
++
++config RSBAC_MAINT
++	bool 'RSBAC Maintenance Kernel (Use with care!)'
++	---help---
++	  A maintenance kernel is useful, if the system got unaccessible,
++	  e.g. because the user attributes for Administrator (root), Security
++	  Officer (400) or Data Protection Officer (401, PM only) got lost and
++	  have to be reset.
++	  However, in most cases enabling softmode can have the same effect for
++	  you, but gives the additional benefit of logging the usually denied
++	  accesses.
++
++	  This option turns some of the RSBAC configuration options below
++	  off and disables all access control. Still, you should keep those
++	  modules turned on, which you would like to administrate in
++	  maintenance mode, because only then their data structures are
++	  accessible.
++
++menu 'Decision modules (policy) options'
++	depends on RSBAC
++
++config RSBAC_REG
++	bool 'Support for Registration of decision modules (REG)'
++	default y
++	---help---
++	  If enabled, RSBAC supports runtime registering and unregistering of
++	  additional decision module functions, e.g. from kernel modules.
++
++	  Possible functions are for decision, notification and file contents
++	  overwrite decisions and for write-to-disk notifications.
++
++	  Additionally, syscall functions can be registered to the REG syscall
++	  dispatcher.
++
++	  See <file:Documentation/rsbac/README-reg>,
++	  and the module examples in <file:Documentation/rsbac/reg_sample>
++	  for details.
++
++config RSBAC_REG_SAMPLES
++	bool 'Build REG sample modules'
++	depends on RSBAC_REG && USB
++	---help---
++	  Build the REG sample kernel modules. These modules show how to use
++	  the RSBAC infrastructure, but do not perform any access control.
++
++	  The modules will be named reg_sample1, reg_sample2 and reg_sample3.
++
++menuconfig RSBAC_AUTH
++	bool 'AUTH policy support'
++	default y
++	--help---
++	  This module can be seen as a support module for all others. It
++	  restricts CHANGE_OWNER on process targets (setuid) for a process: the
++	  request is only granted, if the process has either the
++	  auth_may_setuid flag set or the target user ID is in its capability
++	  set.
++	  The auth_may_setuid flag and the capability set are inherited on
++	  execute from the program file.
++
++	  Those file capabilities can be set, if all modules grant a
++	  MODIFY_ATTRIBUTE request for A_auth_add_f_cap or A_auth_remove_f_cap.
++	  Process capabilities can only be added by other processes that have
++	  the auth_may_set_cap flag set, which is also inherited from the
++	  executed file.
++
++	  This way an enforcement of daemon based authentification is possible,
++	  as well as a restriction of system daemons to a set of user IDs.
++
++	  WARNING: If enabled without a login program having auth_may_setuid or
++	           a capability set and without a capability setting daemon,
++		   you will not be able to login to your system!
++	           Use kernel parameter rsbac_auth_enable_login in emergencies
++		   or at the first boot to set auth_may_setuid for /bin/login.
++
++	  Also see AUTH model description in
++	  <http://www.rsbac.org/documentation> for details.
++
++	  If unsure, say Y.
++
++if RSBAC_AUTH
++config RSBAC_AUTH_AUTH_PROT
++	bool 'AUTH module and attribute protection'
++	default y
++	---help---
++	  Only, if this option is on, the AUTH module cares for its own
++	  protection, otherwise it fully depends on other modules
++	  (CONFIG_RSBAC_XX_AUTH_PROT).
++	  This is meant for more sophisticated access control than a simple
++	  system_role setting to security_officer.
++
++	  As a special effect, capability sets are cleared on every write
++	  access to reduce system access after tampering.
++
++	  See AUTH model description for details.
++
++config RSBAC_AUTH_OTHER_PROT
++	bool 'Protect switching of other modules'
++	depends on RSBAC_SWITCH
++	---help---
++         This option makes AUTH care for the switching of other modules.
++         Useful if you want to prevent switching a module back on,
++         because it cannot protect itself in this case.
++
++config RSBAC_AUTH_UM_PROT
++	bool 'AUTH protection for User Management'
++	depends on RSBAC_UM
++	default y
++	---help---
++	  This option makes AUTH care for User Management settings, e.g.
++	  creation, change or deletion of users or groups.
++
++	  See User Management description for details.
++
++config RSBAC_AUTH_DAC_OWNER
++	bool 'AUTH support for effective and fs owner control'
++	---help---
++	  If enabled, AUTH also controls the requests CHANGE_DAC_EFF_OWNER
++	  (change process effective owner) and CHANGE_DAC_FS_OWNER (change
++	  process filesystem owner) on process targets. Changes to these Linux
++	  DAC (Discrete Access Control) model owner settings do not affect
++	  RSBAC, so this option is off by default.
++
++	  This option also requires the 'Control DAC process owner (seteuid,
++	  setfsuid)' option from the 'Other options', which enables the
++	  requests mentioned above.
++
++config RSBAC_AUTH_ALLOW_SAME
++	bool 'Always allow setting to same id'
++	---help---
++	  Normally, AUTH restricts all setuid and setgid calls, including those
++	  to the same uid. Enabling this option allows these calls to be
++	  unrestricted by the AUTH module if the same id is given.
++
++config RSBAC_AUTH_GROUP
++	bool 'AUTH support for Linux group control'
++	---help---
++	  If enabled, AUTH also controls the request CHANGE_GROUP
++	  (change process group) on process targets. Changes to these Linux
++	  DAC (Discrete Access Control) model group settings do not affect
++	  RSBAC, so this option is off by default.
++
++config RSBAC_AUTH_DAC_GROUP
++	bool 'AUTH support for effective and fs group control'
++	depends on RSBAC_AUTH_GROUP
++	---help---
++	  If enabled, AUTH also controls the requests CHANGE_DAC_EFF_GROUP
++	  (change process effective group) and CHANGE_DAC_FS_GROUP (change
++	  process filesystem group) on process targets. Changes to these Linux
++	  DAC (Discrete Access Control) model owner settings do not affect
++	  RSBAC, so this option is off by default.
++
++	  This option also requires the 'Control DAC process group (setegid,
++	  setfsgid)' option from the 'Other options', which enables the
++	  requests mentioned above.
++
++config RSBAC_AUTH_LEARN
++	bool 'AUTH learning mode support'
++	---help---
++	  If set, you can enable AUTH learning mode with the rsbac_auth_learn
++	  kernel parameter. In learning mode, the AUTH module will automatically
++	  add all missing auth capabilities.
++
++	  WARNING: This option is useful, but dangerous, so it should be off on
++	           production systems.
++config RSBAC_AUTH_LEARN_TA
++	int 'Learning mode transaction number'
++	default 0
++	depends on RSBAC_AUTH_LEARN
++	depends on RSBAC_LIST_TRANS
++	---help---
++	  Put learned items into transaction with this number. The
++	  transaction is created, if it does not exist. The default
++	  value 0 means do not use transactions, all extra rights
++	  get added immediately.
++
++	  Note: As the additional rights only appear in the transaction,
++	        the same rights may seem to be added repeatedly, until
++	        the transaction is committed.
++	  Note: All transactions have a maximum lifetime, after which
++	        all data is lost, unless you commit or refresh in time,
++		e.g. with the rsbac_list_ta command line tool.
++	        Increase RSBAC_LIST_TRANS_MAX_TTL as desired.
++
++endif
++
++menuconfig RSBAC_RC
++	bool 'RC policy support'
++	default y
++	---help---
++	  The Role Compatibility model is a powerful and flexible role based
++	  model. It supports an unlimited number of roles and types. Types are
++	  grouped per target type. Each role definition has compatibility
++	  vectors for all types and other roles.
++
++	  Additionally, there are default create/chown/execute types and
++	  several special values for inheritance options.
++	  Roles can also be forced by executable file attributes, similar to
++	  the setuid/setgid mechanism in Unix file systems.
++
++	  See <http://www.rsbac.org/documentation> for details.
++
++	  If unsure, say Y.
++
++if RSBAC_RC
++config RSBAC_RC_AUTH_PROT
++	bool 'RC protection for AUTH module'
++	default y
++	---help---
++	  This option makes RC care for AUTH module settings, e.g. attributes
++	  auth_may_setuid, auth_may_set_cap and the kernel-only pseudo
++	  attributes auth_add_f_cap, auth_remove_f_cap, auth_get_caplist.
++
++	  These settings are protected by SCD type compatibility with type
++	  auth_administration, which is set for default role 1 (Role Admin).
++
++	  See AUTH model description for details.
++
++config RSBAC_RC_UM_PROT
++	bool 'RC protection for User Management'
++	depends on RSBAC_UM
++	default y
++	---help---
++	  This option makes RC care for User Management settings, e.g. creation,
++	  change or deletion of users or groups.
++
++	  See User Management description for details.
++
++config RSBAC_RC_GEN_PROT
++	bool 'RC protection for GENeral attributes'
++	default y
++	---help---
++	  If on, RC protects general attributes (GEN module) like its own, e.g.,
++	  in default setup only Role Admins may change them.
++
++config RSBAC_RC_BACKUP
++	bool 'Provide RC backup files'
++	depends on RSBAC_PROC
++	---help---
++	  If enabled, RC provides its binary ACI data files in
++	  /proc/rsbac-info/backup.
++
++	  Because of better backup options with admin tools, this is off by
++	  default.
++
++	  If unsure, say N.
++
++config RSBAC_RC_NET_DEV_PROT
++	bool 'RC network device protection'
++	default y
++	depends on RSBAC_NET_DEV
++	---help---
++	  If on, protect network devices based on RC NETDEV type
++	  compatibilities.
++
++config RSBAC_RC_NET_OBJ_PROT
++	bool 'RC network object protection'
++	default y
++	depends on RSBAC_NET_OBJ
++	---help---
++	  Turn this on to have real RC access control on network objects based
++	  on RC type compatibilities.
++
++	  The NETOBJ default type values are derived from those of the matching
++	  network template.
++
++	  Templates themselves are protected through their own template type
++	  in attribute rc_type_nt and the nettemp type compatibility settings.
++
++config RSBAC_RC_NET_OBJ_UNIX_PROCESS
++	bool 'RC check access to UNIX partner process'
++	default n
++	---help---
++	  This option enables additional checks for UNIX sockets: If a peer
++	  process is known (via peer credential), the requesting process also
++	  needs the same right as in the request to the RC type of the
++	  other process.
++
++	  Affected request types are CONNECT, ACCEPT, SEND and RECEIVE. If
++	  READ and WRITE checking of network sockets is enabled, these request
++	  types are checked as RECEIVE and SEND to avoid possible confusion
++	  about read and write accesses to processes.
++
++config RSBAC_RC_LEARN
++	bool 'Enable learning mode for missing role rights to types'
++	depends on RSBAC_DEBUG
++	---help---
++	  This option allows to enable a learning mode per global switch.
++	  In learning mode, missing role rights to types will be added
++	  automatically. However, it will never add new roles or types
++	  even when this would be a much better solution.
++	  Enable temporarily for all roles with the rsbac_rc_learn
++	  kernel parameter or temporarily at runtime via proc interface.
++
++	  Please check <http://www.rsbac.org/documentation>
++	  for more info about how the RC model works.
++
++config RSBAC_RC_LEARN_TA
++	int 'Learning mode transaction number'
++	default 0
++	depends on RSBAC_RC_LEARN
++	depends on RSBAC_LIST_TRANS
++	---help---
++	  Put learned items into transaction with this number. The
++	  transaction is created, if it does not exist. The default
++	  value 0 means do not use transactions, all extra rights
++	  get added immediately.
++
++	  Note: As the additional rights only appear in the transaction,
++	        the same rights may seem to be added repeatedly, until
++	        the transaction is committed.
++	  Note: All transactions have a maximum lifetime, after which
++	        all data is lost, unless you commit or refresh in time,
++		e.g. with the rsbac_list_ta command line tool.
++	        Increase RSBAC_LIST_TRANS_MAX_TTL as desired.
++
++config RSBAC_RC_NR_P_LISTS
++	int 'RC number of process lists'
++	default 8
++	---help---
++	  When using RC model, every process in the system will get individual
++	  attributes set. This means that with many active processes, the list
++	  lookups will become slower.
++
++	  To speed them up, RSBAC uses a hash table to split the RC process
++	  attribute lists into several shorter ones. This option sets the
++	  initial number of these lists, it will automatically grow when
++	  needed.
++
++config RSBAC_RC_KERNEL_PROCESS_TYPE
++	int 'RC kernel process type'
++	default 999999
++	---help---
++	  This is the type being assigned to all kernel processes, despite the
++	  initiating process owner role's def_process_create_type.
++
++	  The default value is 999999. It should only be changed, if you have
++	  role number conflicts with your existing configuration.
++endif
++
++menuconfig RSBAC_ACL
++	bool 'ACL policy support'
++	default y
++	---help---
++	  This turns on the Access Control List module. ACLs are kept on all
++	  targets but those of type USER. For the IPC and PROCESS targets
++	  there is only one default ACL each.
++
++	  Each ACL entry contains subject type (user, rc_role, acl_group),
++	  subject id and the rights this subject has. Also, rights are inherited
++	  from parents and from a target specific default ACL.
++
++	  Most settings have a time-to-live (TTL) option, which automatically
++	  removes them after a certain amount of time.
++
++	  See <http://www.rsbac.org/documentation> for details.
++
++if RSBAC_ACL
++config RSBAC_ACL_SUPER_FILTER
++	bool 'Allow masking out of SUPERVISOR right'
++	---help---
++	  Normally, inheritance masks can never filter out the SUPERVISOR right
++	  (which contains all other rights) - it is always inherited.
++
++	  If this switch is on, SUPERVISOR *can* be filtered out. This allows
++	  separation of duties and privacy, but is also dangerous, because
++	  administration can easily become impossible. In this case, you have to
++	  reboot into a maintenance kernel to regain access.
++
++	  For safety reasons, you must have a USER ACL entry at the target
++	  containing the SUPERVISOR right to set a new mask without SUPERVISOR.
++
++config RSBAC_ACL_AUTH_PROT
++	bool 'ACL protection for AUTH module'
++	default y
++	---help---
++	  This option makes ACL care for AUTH module settings, e.g. attributes
++	  auth_may_setuid, auth_may_set_cap and the kernel-only pseudo
++	  attributes auth_add_f_cap, auth_remove_f_cap, auth_get_caplist. Those
++	  settings are protected by SCD 'auth_administration' ACL.
++
++	  See AUTH model description for AUTH details.
++
++config RSBAC_ACL_UM_PROT
++	bool 'ACL protection for User Management'
++	depends on RSBAC_UM
++	default y
++	---help---
++	  This option makes ACL care for User Management settings, e.g.
++	  creation, change or deletion of users or groups.
++
++	  See User Management description for details.
++
++config RSBAC_ACL_GEN_PROT
++	bool 'ACL protection for GENeral attributes'
++	default y
++	---help---
++	  If on, ACL protects general attributes (GEN module) through
++	  the MODIFY_ATTRIBUTE right.
++	  In default setup, only user 400 may change them.
++
++config RSBAC_ACL_BACKUP
++	bool 'Provide ACL backup files'
++	depends on RSBAC_PROC
++	---help---
++	  If on, ACL provides its binary group and group membership data files
++	  in /proc/rsbac-info/backup.
++
++config RSBAC_ACL_LEARN
++	bool 'ACL learning mode support'
++	---help---
++	  If enabled, you can enable ACL learning mode with rsbac_acl_learn or
++	  rsbac_acl_learn_fd kernel parameter. In learning mode, ACL module will
++	  automatically add all missing acl entries for filesystem objects.
++
++	  WARNING: This option is useful, but dangerous, so it should be off on
++	           production systems.
++
++config RSBAC_ACL_LEARN_TA
++	int 'Learning mode transaction number'
++	default 0
++	depends on RSBAC_ACL_LEARN
++	depends on RSBAC_LIST_TRANS
++	---help---
++	  Put learned items into transaction with this number. The
++	  transaction is created, if it does not exist. The default
++	  value 0 means do not use transactions, all extra rights
++	  get added immediately.
++
++	  Note: As the additional rights only appear in the transaction,
++	        the same rights may seem to be added repeatedly, until
++	        the transaction is committed.
++	  Note: All transactions have a maximum lifetime, after which
++	        all data is lost, unless you commit or refresh in time,
++		e.g. with the rsbac_list_ta command line tool.
++	        Increase RSBAC_LIST_TRANS_MAX_TTL as desired.
++
++config RSBAC_ACL_NET_DEV_PROT
++	bool 'ACL network device protection'
++	default y
++	depends on RSBAC_NET_DEV
++	---help---
++	  If on, protect network devices based on individual and default ACLs.
++
++config RSBAC_ACL_NET_OBJ_PROT
++	bool 'ACL network object protection'
++	default y
++	depends on RSBAC_NET_OBJ
++	---help---
++	  Turn this on to have real ACL access control on network objects based
++	  on inherited ACLs.
++
++	  When determining a subject's right to a network object (NETOBJ), the
++	  following inheritance scheme is used:
++	    - If there is an ACL entry at the NETOBJ itself, use it, else
++	    - If there is an ACL entry at the matching template, use that, but
++	      filter through individual mask, else
++	    - If there is an ACL entry in the NETOBJ default ACL, use that, but
++	      filter through individual mask and matching template's mask.
++
++	  Certainly, user, role and group rights are accumulated as usual.
++
++	  Templates themselves are protected through their own individual and
++	  default ACLs, which are configured using the NETTEMP_NT target.
++endif
++
++menuconfig RSBAC_MAC
++	bool 'MAC policy support'
++	---help---
++	  Mandatory Access Control follows the Bell-LaPadula security model,
++	  in which all users and resources are classified in levels of
++	  confidentiality. Additionally, each subject and object has a set out
++	  of 64 categories.
++
++	  To read from a resource, a user's level must be at least as high as
++	  that of the resource, and the user's category set must be a superset
++	  of the category set of the resource.
++	  To write to a resource, it must be at least as confidential as the
++	  user, and its category set must be a superset of the user's.
++
++	  See <http://www.rsbac.org/documentation> for details.
++
++if RSBAC_MAC
++config RSBAC_MAC_DEF_INHERIT
++	bool 'MAC inherit as default'
++	default y
++	---help---
++	  If enabled, the inheritable attributes security_level and
++	  mac_categories for files, fifos and directories get the default value
++	  'inherit' instead of the old style real value. This reduces the amount
++	  of attributes to be set significantly, because files, fifos and dirs
++	  inherit their parent dir's attribute values automatically. Inheritance
++	  ends at root dir /.
++
++	  This setting should be kept constant between different RSBAC kernels
++	  in use to avoid confusion for administrators/security officers,
++	  rsbac_check() and backup.
++
++	  Please note that inheritance is not conforming to the Bell-LaPadula
++	  model, where all objects must be individually labeled.
++
++config RSBAC_MAC_SMART_INHERIT
++	bool 'Smart inherit'
++	default y
++	depends on RSBAC_MAC_DEF_INHERIT
++	---help---
++	  If enabled, the MAC model checks whether the values of attributes
++	  security_level and mac_categories for new objects would already be in
++	  effect via inheritance. Only if the inherited value differs, the new
++	  values are set explicitely. Otherwise the default value 'inherit' is
++	  automatically applied.
++
++	  This option largely reduces the amount of new attribute objects needed
++	  for whole created directory trees with same values. It thus saves
++	  memory and CPU cycles.
++
++	  However, inheritance is not conforming to the Bell-LaPadula model,
++	  where all objects must be individually labeled - here we are even
++	  denying explicit labeling of new objects. Use with care.
++
++config RSBAC_MAC_AUTH_PROT
++	bool 'MAC protection for AUTH module'
++	---help---
++	  This option makes MAC care for AUTH module settings, e.g. attributes
++	  auth_may_setuid, auth_may_set_cap and the kernel-only pseudo
++	  attributes auth_add_f_cap, auth_remove_f_cap, auth_get_caplist. These
++	  settings are treated like MAC settings.
++
++	  See AUTH model description for details.
++
++config RSBAC_MAC_UM_PROT
++	bool 'MAC protection for User Management'
++	depends on RSBAC_UM
++	default y
++	---help---
++	  This option makes MAC care for User Management settings, e.g.
++	  creation, change or deletion of users or groups.
++
++	  See User Management description for details.
++
++config RSBAC_MAC_GEN_PROT
++	bool 'MAC protection for GENeral attributes'
++	---help---
++	  If on, MAC protects general attributes (GEN module) like its own,
++	  i.e., only security officers may change them.
++
++config RSBAC_MAC_LIGHT
++	bool 'Light MAC edition'
++	---help---
++	  This option makes MAC easier to use, but a bit less conforming to the
++	  Bell-LaPadula model.
++	   1. Allow R_CREATE of new files WITHOUT any checking. This way, higher
++	      level objects can be created in a lower level directory.
++	   2. Allow R_MOUNT and R_UMOUNT to ANY user (only Administrator in base
++	      MAC version).
++
++config RSBAC_MAC_TRUSTED_READ
++	bool 'Give trusted processes full read access'
++	---help---
++	  Normally, a mac_trusted process may only violate *-property, i.e., it
++	  may write to any level within its owner's level range from
++	  min_security_level to security_level, regardless of its current level
++	  and the max_read boundary. This makes a user's trusted flag equivalent
++	  to the combination of write_up and write_down flag.
++
++	  With this option turned on, a trusted process may also read from any
++	  such level despite its current level and the min_write boundary. This
++	  adds the meaning of the read_up flag to the trusted flag.
++
++	  Please note that the mac_auto privilege with automatic current level
++	  and read/write boundary adjustment as well as the object mac_shared
++	  flag are always tried before trusted, write_up, write_down and
++	  read_up.
++
++config RSBAC_MAC_RESET_CURR
++	bool 'Reset current level on each execute'
++	---help---
++	  If enabled, the current process level is reset to the user's initial
++	  level on every execute.
++
++config RSBAC_MAC_LOG_LEVEL_CHANGE
++	bool 'Log all automatic changes to current level'
++	default y
++	---help---
++	  If both the effective mac_auto flag at an executable and the
++	  mac_allow_auto flag at the user executing it are set, current levels
++	  may be automatically adjusted to allow access, where it would
++	  otherwise be denied.
++
++	  This option logs each such automatic change to the process current
++	  level, because it means a change to the current access rights.
++
++config RSBAC_MAC_NET_DEV_PROT
++	bool 'MAC network device protection'
++	depends on RSBAC_NET_DEV
++	---help---
++	  If enabled, The MAC module protects network devices in that only
++	  System Administrators may configure them.
++
++config RSBAC_MAC_NET_OBJ_PROT
++	bool 'MAC network object protection'
++	depends on RSBAC_NET_OBJ
++	---help---
++	  Turn this on to have real MAC access control on network objects based
++	  on security levels and categories.
++
++	  The default attribute values are derived from those of the matching
++	  network template.
++
++config RSBAC_MAC_NR_P_LISTS
++	int 'MAC number of process lists'
++	default 4
++	---help---
++	  When using MAC model, every process in the system will get individual
++	  attributes set. This means that with many active processes, the list
++	  lookups will become slower.
++
++	  To speed them up, RSBAC uses a hash table to split the MAC process
++	  attribute lists into several shorter ones. This option sets the number
++	  of these lists.
++
++	  In most cases, the default of 4 will be sufficient. However, if you
++	  plan to have very many processes, a higher value will reduce lookup
++	  time at the cost of additional list headers.
++endif
++
++menuconfig RSBAC_PAX
++	bool 'PAX policy support'
++	default y
++	depends on PAX
++	---help---
++	  The PAX module allows to administrate the PaX flags of programs and
++	  processes. To have these flags enforced, you need to enable
++	  "direct" MAC integration in the PaX control menu under the security
++	  menu (CONFIG_PAX_NO_ACL_FLAGS).
++
++	  PaX is a separate Linux kernel patch available at
++	  <http://pax.grsecurity.net>.
++	  Please have a look at the homepage to get some more information.
++
++if RSBAC_PAX
++config RSBAC_PAX_DEFAULT
++	bool 'Change PAX default flags (PeMRxS)'
++	        help
++	  This option allows to change the PaX default flags for all files from
++	  PeMRxS to any other value.
++	  Please be careful, if you change this setting, specially with existing
++	  configurations - unexpected failures of previously running programs
++	  might happen. Nothing you could not fix by reconfiguration, though.
++
++config RSBAC_PAX_PAGEEXEC
++	bool 'PAX Default P: Enable paging based non-exec pages'
++	        depends on RSBAC_PAX_DEFAULT
++	default y
++
++config RSBAC_PAX_EMUTRAMP
++	bool 'PAX Default E: Emulate Trampolines'
++	        depends on RSBAC_PAX_DEFAULT
++
++config RSBAC_PAX_MPROTECT
++	bool 'PAX Default M: Restrict mprotect'
++	        depends on RSBAC_PAX_DEFAULT
++	default y
++
++config RSBAC_PAX_RANDMMAP
++	bool 'PAX Default R: Randomize mmap() base'
++	        depends on RSBAC_PAX_DEFAULT
++	default y
++
++config RSBAC_PAX_RANDEXEC
++	bool 'PAX Default X: Randomize ET_EXEC base'
++	        depends on RSBAC_PAX_DEFAULT
++
++config RSBAC_PAX_SEGMEXEC
++	bool 'PAX Default S: Segmentation based non-exec pages'
++	        depends on RSBAC_PAX_DEFAULT
++	default y
++endif
++
++menuconfig RSBAC_DAZ
++	bool 'DAZuko policy support'
++	---help---
++	  The Dazuko policy provides the Dazuko malware scanning interface.
++	  Scanning results may optionally be cached, see CONFIG_RSBAC_DAZ_CACHE
++	  below.
++
++	  Only programs marked as scanners may connect to the Dazuko interface,
++	  and only DAZ security administrators are allowed to modify daz_scanner
++	  or daz_scanned.
++
++if RSBAC_DAZ
++config RSBAC_DAZ_SELECT
++	bool 'Let scanners subselect paths'
++	default y
++	---help---
++	  Through Dazuko interface, scanners can define a set of paths
++	  they are interested in. Without this option, RSBAC will ignore
++	  these paths for the sake of speed and full mandatory control.
++
++	  Please note that with RSBAC the daz_do_scan attribute on FD
++	  objects controls which paths get scanned or not. The scanner
++	  selection only reduces the set of paths, never increases.
++
++	  In previous RSBAC versions, subselection by scanners was
++	  always on. It now defaults to on, will be off in next RSBAC
++	  version.
++
++config RSBAC_DAZ_CACHE
++	bool 'Cache scanning results'
++	default y
++	---help---
++	  With this option, all scanning results get cached for the time
++	  specified below.
++
++config RSBAC_DAZ_TTL
++	int 'Scanning result lifetime in seconds'
++	default 86400
++	depends on RSBAC_DAZ_CACHE
++	---help---
++	  Specify the time in seconds a scanning result is kept. After this time
++	  the object will be rescanned on the next access.
++
++	  Use 0 for unlimited, default is 86400 (1 day). Set to 1 to force a
++	  fast rescan.
++
++config RSBAC_DAZ_PERSIST
++	bool 'Keep scanning results over reboot'
++	depends on RSBAC_DAZ_CACHE
++	---help---
++	  If on, file scanning results, which are younger than their life time
++	  limit, are kept persistently during reboots.
++
++	  Using this option can reduce the amount of scanning, but it cannot
++	  protect against file modifications while another kernel is booted.
++
++config RSBAC_DAZ_DEV_MAJOR
++	int	'Dazuko device major number'
++	default 250
++	---help---
++	  Specify the major char device number for /dev/dazuko,
++	  which is used for scanner registration and communication.
++
++	  Use 0 to let the system pick one.
++endif
++
++menuconfig RSBAC_CAP
++	bool 'CAP (Linux CAP) policy support'
++	default y
++	---help---
++	  The Linux Capability (CAP) module allows to set minimum and maximum
++	  Linux capability sets for single users and programs. These boundaries
++	  are applied at CHANGE_OWNER on processes (setuid) and EXECUTE.
++
++	  Minimum settings have precedence over maximums, and program settings
++	  have precedence over user settings.
++
++	  Use this module to run programs that need root privileges from normal
++	  user accounts, e.g. file server daemons, or to restrict programs run
++	  by root, e.g. certain mail daemons.
++
++	  If softmode is enabled and turned on, only the minimum sets are
++	  applied.
++
++
++if RSBAC_CAP
++config RSBAC_CAP_PROC_HIDE
++	bool 'Support CAP process hiding'
++	default y
++	---help---
++	  If enabled, you can hide the process properties shown in /proc from
++	  other users, e.g. command line and current state. The hiding level is
++	  set with the cap_process_hiding process attribute. There are three
++	  possible values:
++	  0 / off: no hiding.
++	  1 / from other users: only processes running for the same user, a CAP
++	      security officer or a CAP system admin may read the properties.
++	  2 / full: only this process and CAP security officers may read the
++	      properties.
++
++	  The kernel command line switch rsbac_cap_process_hiding changes the
++	  default value from 0 to 1. Thus, every normal user can only see her
++	  own process properties.
++
++config RSBAC_CAP_AUTH_PROT
++	bool 'CAP protection for AUTH module'
++	---help---
++	  This option makes CAP care for AUTH module settings, e.g. attributes
++	  auth_may_setuid, auth_may_set_cap and the kernel-only pseudo
++	  attributes auth_add_f_cap, auth_remove_f_cap, auth_get_caplist. Those
++	  settings are protected by the cap_roles admin (read) and security
++	  officer (rw).
++
++	  See AUTH model description for AUTH details.
++
++config RSBAC_CAP_LOG_MISSING
++	bool 'Log missing capabilities in capable()'
++	---help---
++	  If checked, the Linux capability check function capable() can log
++	  all queries for capabilities, which are missing from the effective
++	  set. Enable with the rsbac_cap_log_missing kernel parameter, or at
++	  runtime via proc interface.
++	  The only exception is CAP_SYS_ADMIN, which fails much too often
++	  and thus never gets logged.
++
++	  Background: If you limit Linux capabilities for users or programs
++	  with the CAP module, some programs fail in secure mode without
++	  "NOT_GRANTED" RSBAC log messages, because this Linux internal check
++	  failed.
++
++	  Please check <http://www.rsbac.org/documentation>
++	  for more info about how the CAP module works.
++
++config RSBAC_CAP_LEARN
++	bool 'Learn missing capabilities in capable()'
++	---help---
++	  If checked, the Linux capability check function capable() will
++	  set all capabilities in the max_caps set of user or program,
++	  which are missing from the current process effective set because
++	  of RSBAC max_caps restrictions.
++	  Enable with the rsbac_cap_learn kernel parameter or at runtime
++	  via proc interface.
++	  Warning: In learning mode, a program with reduced max_caps might
++	  temporarily get more effective caps assigned than granted by
++	  standard kernel!
++
++	  Background: If you limit Linux capabilities for users or programs
++	  with the CAP module, some programs fail in secure mode without
++	  "NOT_GRANTED" RSBAC log messages, because this Linux internal check
++	  failed.
++
++	  Please check <http://www.rsbac.org/documentation>
++	  for more info about how the CAP module works.
++
++config RSBAC_CAP_LEARN_TA
++	int 'Learning mode transaction number'
++	default 0
++	depends on RSBAC_CAP_LEARN
++	depends on RSBAC_LIST_TRANS
++	---help---
++	  Put learned items into transaction with this number. The
++	  transaction is created, if it does not exist. The default
++	  value 0 means do not use transactions, all extra rights
++	  get added immediately.
++
++	  Note: As the additional rights only appear in the transaction,
++	        the same rights may seem to be added repeatedly, until
++	        the transaction is committed.
++	  Note: All transactions have a maximum lifetime, after which
++	        all data is lost, unless you commit or refresh in time,
++		e.g. with the rsbac_list_ta command line tool.
++	        Increase RSBAC_LIST_TRANS_MAX_TTL as desired.
++endif
++
++menuconfig RSBAC_JAIL
++	bool 'JAIL policy support'
++	default y
++	---help---
++	  The JAIL module gives you an extended chroot facility, similar to
++	  FreeBSD Jails. To put a process into a jail, start it with the
++	  rsbac_jail wrapper or make it call the sys_rsbac_jail syscall
++	  directly.
++
++	  With RSBAC network object support, jailed processes can only use a
++	  designated IP address (if designated address is not 0.0.0.0), and
++	  UNIX or INET sockets of type STREAM, DGRAM or RDM. All other families
++	  and types, e.g. RAW network access, are generally prohibited.
++
++	  From within a jail, only processes and IPC objects of the same jail
++	  can be accessed. Jails can be created from within jails, but get
++	  limited to the parent jail's filesystem root, IP and flags.
++
++	  Additionally, most kernel based administration tasks are forbidden,
++	  e.g. creating device special files, setting network addresses,
++	  getting or setting RSBAC attributes, changing system settings like
++	  name or rlimits etc.
++
++	  Several sys_rsbac_jail flags change the jail behaviour:
++	    - allow_external_ipc: allow to access IPC objects outside this jail
++	    - allow_rlimit: allow to change rlimit
++	    - allow_all_net_family: allow to use all network families, not only
++	      UNIX and INET (IPv4)
++	    - allow_inet_raw: allow to use RAW INET sockets, e.g. for ping
++	    - auto_adjust_inet_any: also allow to bind to INET ANY address
++	      (0.0.0.0), but always change it to specified address
++	      (requires CONFIG_RSBAC_JAIL_NET_ADJUST)
++
++if RSBAC_JAIL
++config RSBAC_JAIL_NET_ADJUST
++	bool 'JAIL allow to auto-adjust INET ANY (0.0.0.0) address'
++	default y
++	depends on RSBAC_NET_OBJ
++	---help---
++	  Turn this option on to allow automatic adjusting of the INET ANY
++	  address 0.0.0.0 to the specified address with the
++	  auto_adjust_inet_any syscall flag.
++
++config RSBAC_JAIL_NET_DEV_PROT
++	bool 'JAIL network device protection'
++	default y
++	depends on RSBAC_NET_DEV
++	---help---
++	  Only with this option enabled can the JAIL module prevent network
++	  device configuration from within a jail. Recommended.
++
++config RSBAC_JAIL_NR_P_LISTS
++	int 'JAIL number of process lists'
++	default 4
++	---help---
++	  When using JAIL model, every process in the system will get individual
++	  attributes set. This means that with many active processes, the list
++	  lookups will become slower.
++
++	  To speed them up, RSBAC uses a hash table to split the JAIL process
++	  attribute lists into several shorter ones. This option sets the number
++	  of these lists.
++
++	  In most cases, the default of 4 will be sufficient. However, if you
++	  plan to have very many processes, a higher value will reduce lookup
++	  time at the cost of additional list headers.
++
++config RSBAC_JAIL_LOG_MISSING
++	bool 'Log missing capabilities in capable()'
++	---help---
++	  If checked, the Linux capability check function capable() can log
++	  all queries for capabilities, which are missing from the effective
++	  set. Enable with the rsbac_jail_log_missing kernel parameter, or at
++	  runtime via proc interface.
++
++	  Background: If you limit Linux capabilities for users or programs
++	  within a JAIL, some programs fail in secure mode without
++	  "NOT_GRANTED" RSBAC log messages, because this Linux internal check
++	  failed.
++
++	  Please check
++	  <http://www.rsbac.org/documentation>
++	  for more info about how the JAIL module works.
++endif
++
++config RSBAC_RES
++	bool 'RES (System Resources) policy support'
++	default y
++	---help---
++	  The Linux Resources (RES) module allows to set minimum and maximum
++	  Linux resource sets for single users and programs. These boundaries
++	  are applied at CHANGE_OWNER on processes (setuid) and EXECUTE.
++
++	  Minimum settings have precedence over maximums, and program settings
++	  have precedence over user settings.
++
++	  Default values for all users can be set at user