--- v29
+++ v24
@@ -6,7 +6,7 @@
 returned data from the new structure.
 
 Reviewed-by: Kees Cook <keescook@chromium.org>
-Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
 Acked-by: Paul Moore <paul@paul-moore.com>
 Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
 Cc: netdev@vger.kernel.org
@@ -28,10 +28,10 @@
  12 files changed, 81 insertions(+), 123 deletions(-)
 
 diff --git a/drivers/android/binder.c b/drivers/android/binder.c
-index 36e41b9e08fd..1159b4e44b28 100644
+index f74a72867ec9..4c810ea52ab7 100644
 --- a/drivers/android/binder.c
 +++ b/drivers/android/binder.c
-@@ -2459,9 +2459,7 @@ static void binder_transaction(struct binder_proc *proc,
+@@ -2446,9 +2446,7 @@ static void binder_transaction(struct binder_proc *proc,
  	binder_size_t last_fixup_min_off = 0;
  	struct binder_context *context = proc->context;
  	int t_debug_id = atomic_inc_return(&binder_last_id);
@@ -42,10 +42,10 @@
  
  	e = binder_transaction_log_add(&binder_transaction_log);
  	e->debug_id = t_debug_id;
-@@ -2724,14 +2722,14 @@ static void binder_transaction(struct binder_proc *proc,
- 		 * case well anyway.
- 		 */
- 		security_task_getsecid_obj(proc->tsk, &blob);
+@@ -2702,14 +2700,14 @@ static void binder_transaction(struct binder_proc *proc,
+ 		size_t added_size;
+ 
+ 		security_task_getsecid(proc->tsk, &blob);
 -		ret = security_secid_to_secctx(&blob, &secctx, &secctx_sz);
 +		ret = security_secid_to_secctx(&blob, &lsmctx);
  		if (ret) {
@@ -59,7 +59,7 @@
  		extra_buffers_size += added_size;
  		if (extra_buffers_size < added_size) {
  			/* integer overflow of extra_buffers_size */
-@@ -2758,24 +2756,22 @@ static void binder_transaction(struct binder_proc *proc,
+@@ -2736,24 +2734,22 @@ static void binder_transaction(struct binder_proc *proc,
  		t->buffer = NULL;
  		goto err_binder_alloc_buf_failed;
  	}
@@ -88,7 +88,7 @@
  	}
  	t->buffer->debug_id = t->debug_id;
  	t->buffer->transaction = t;
-@@ -2832,7 +2828,7 @@ static void binder_transaction(struct binder_proc *proc,
+@@ -2810,7 +2806,7 @@ static void binder_transaction(struct binder_proc *proc,
  	off_end_offset = off_start_offset + tr->offsets_size;
  	sg_buf_offset = ALIGN(off_end_offset, sizeof(void *));
  	sg_buf_end_offset = sg_buf_offset + extra_buffers_size -
@@ -97,7 +97,7 @@
  	off_min = 0;
  	for (buffer_offset = off_start_offset; buffer_offset < off_end_offset;
  	     buffer_offset += sizeof(binder_size_t)) {
-@@ -3116,10 +3112,8 @@ static void binder_transaction(struct binder_proc *proc,
+@@ -3086,10 +3082,8 @@ static void binder_transaction(struct binder_proc *proc,
  	binder_alloc_free_buf(&target_proc->alloc, t->buffer);
  err_binder_alloc_buf_failed:
  err_bad_extra_size:
@@ -111,10 +111,10 @@
  	kfree(tcomplete);
  	binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
 diff --git a/include/linux/security.h b/include/linux/security.h
-index 580eec268138..eed281367895 100644
+index cfa19eb9533b..ead44674cea2 100644
 --- a/include/linux/security.h
 +++ b/include/linux/security.h
-@@ -579,7 +579,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
+@@ -564,7 +564,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
  			 size_t size);
  int security_netlink_send(struct sock *sk, struct sk_buff *skb);
  int security_ismaclabel(const char *name);
@@ -123,7 +123,7 @@
  int security_secctx_to_secid(const char *secdata, u32 seclen,
  			     struct lsmblob *blob);
  void security_release_secctx(struct lsmcontext *cp);
-@@ -1434,7 +1434,7 @@ static inline int security_ismaclabel(const char *name)
+@@ -1390,7 +1390,7 @@ static inline int security_ismaclabel(const char *name)
  }
  
  static inline int security_secid_to_secctx(struct lsmblob *blob,
@@ -162,7 +162,7 @@
  		}
  	}
 diff --git a/kernel/audit.c b/kernel/audit.c
-index c17ec23158c4..841123390d41 100644
+index 902962ea9be6..ce90ea8373d3 100644
 --- a/kernel/audit.c
 +++ b/kernel/audit.c
 @@ -1190,9 +1190,6 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
@@ -233,7 +233,7 @@
 -	struct lsmcontext scaff; /* scaffolding */
 +	struct lsmcontext context;
  
- 	security_task_getsecid_subj(current, &blob);
+ 	security_task_getsecid(current, &blob);
  	if (!lsmblob_is_set(&blob))
  		return 0;
  
@@ -254,10 +254,10 @@
  
  error_path:
 diff --git a/kernel/auditsc.c b/kernel/auditsc.c
-index 1b1ddd62de6c..d198f307a4d8 100644
+index a73253515bc9..de2b2ecb3aea 100644
 --- a/kernel/auditsc.c
 +++ b/kernel/auditsc.c
-@@ -1002,9 +1002,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
+@@ -998,9 +998,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
  				 struct lsmblob *blob, char *comm)
  {
  	struct audit_buffer *ab;
@@ -268,7 +268,7 @@
  	int rc = 0;
  
  	ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
-@@ -1015,13 +1013,12 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
+@@ -1011,13 +1009,12 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
  			 from_kuid(&init_user_ns, auid),
  			 from_kuid(&init_user_ns, uid), sessionid);
  	if (lsmblob_is_set(blob)) {
@@ -285,7 +285,7 @@
  		}
  	}
  	audit_log_format(ab, " ocomm=");
-@@ -1234,7 +1231,6 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
+@@ -1230,7 +1227,6 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
  
  static void show_special(struct audit_context *context, int *call_panic)
  {
@@ -293,7 +293,7 @@
  	struct audit_buffer *ab;
  	int i;
  
-@@ -1259,17 +1255,15 @@ static void show_special(struct audit_context *context, int *call_panic)
+@@ -1254,17 +1250,15 @@ static void show_special(struct audit_context *context, int *call_panic)
  				 from_kgid(&init_user_ns, context->ipc.gid),
  				 context->ipc.mode);
  		if (osid) {
@@ -314,7 +314,7 @@
  				security_release_secctx(&lsmcxt);
  			}
  		}
-@@ -1418,20 +1412,17 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
+@@ -1411,20 +1405,17 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
  				 MAJOR(n->rdev),
  				 MINOR(n->rdev));
  	if (n->osid != 0) {
@@ -340,7 +340,7 @@
  	}
  
 diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
-index bf32ab6f81c7..588e4d2dcd15 100644
+index a7e4c1b34b6c..ae073b642fa7 100644
 --- a/net/ipv4/ip_sockglue.c
 +++ b/net/ipv4/ip_sockglue.c
 @@ -132,8 +132,7 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
@@ -369,10 +369,10 @@
  }
  
 diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
-index de223234963d..0c3e1a8aaf2b 100644
+index 3b9cf2a1fed7..42570b8da17a 100644
 --- a/net/netfilter/nf_conntrack_netlink.c
 +++ b/net/netfilter/nf_conntrack_netlink.c
-@@ -339,8 +339,7 @@ static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
+@@ -336,8 +336,7 @@ static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
  static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
  {
  	struct nlattr *nest_secctx;
@@ -382,7 +382,7 @@
  	struct lsmblob blob;
  	struct lsmcontext context;
  
-@@ -348,7 +347,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
+@@ -345,7 +344,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
  	 * security_secid_to_secctx() will know which security module
  	 * to use to create the secctx.  */
  	lsmblob_init(&blob, ct->secmark);
@@ -391,7 +391,7 @@
  	if (ret)
  		return 0;
  
-@@ -357,13 +356,12 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
+@@ -354,13 +353,12 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
  	if (!nest_secctx)
  		goto nla_put_failure;
  
@@ -406,7 +406,7 @@
  	security_release_secctx(&context);
  	return ret;
  }
-@@ -658,15 +656,15 @@ static inline int ctnetlink_secctx_size(const struct nf_conn *ct)
+@@ -660,15 +658,15 @@ static inline int ctnetlink_secctx_size(const struct nf_conn *ct)
  #ifdef CONFIG_NF_CONNTRACK_SECMARK
  	int len, ret;
  	struct lsmblob blob;
@@ -428,10 +428,10 @@
  	       + nla_total_size(sizeof(char) * len); /* CTA_SECCTX_NAME */
  #else
 diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
-index 3fcf44342b14..c8825e89a21e 100644
+index e2bdc851a477..c6112960fc73 100644
 --- a/net/netfilter/nf_conntrack_standalone.c
 +++ b/net/netfilter/nf_conntrack_standalone.c
-@@ -176,19 +176,16 @@ static void ct_seq_stop(struct seq_file *s, void *v)
+@@ -173,19 +173,16 @@ static void ct_seq_stop(struct seq_file *s, void *v)
  static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
  {
  	int ret;
@@ -454,7 +454,7 @@
  }
  #else
 diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
-index 3603bd938b74..4490bcb2a8b6 100644
+index dcc31cb7f287..84be5a49a157 100644
 --- a/net/netfilter/nfnetlink_queue.c
 +++ b/net/netfilter/nfnetlink_queue.c
 @@ -306,6 +306,7 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
@@ -480,7 +480,7 @@
  	return seclen;
  }
 diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
-index 7cb6f27c8cb2..596a75814fbf 100644
+index 32b6eea7ba0c..aa53a94115f4 100644
 --- a/net/netlabel/netlabel_unlabeled.c
 +++ b/net/netlabel/netlabel_unlabeled.c
 @@ -375,8 +375,6 @@ int netlbl_unlhsh_add(struct net *net,
@@ -517,7 +517,7 @@
  	struct lsmblob blob;
  
  	spin_lock(&netlbl_unlhsh_lock);
-@@ -509,11 +502,9 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
+@@ -510,11 +503,9 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
  		if (entry != NULL)
  			lsmblob_init(&blob, entry->secid);
  		if (entry != NULL &&
@@ -532,7 +532,7 @@
  			security_release_secctx(&context);
  		}
  		audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0);
-@@ -552,8 +543,6 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
+@@ -553,8 +544,6 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
  	struct audit_buffer *audit_buf;
  	struct net_device *dev;
  	struct lsmcontext context;
@@ -541,7 +541,7 @@
  	struct lsmblob blob;
  
  	spin_lock(&netlbl_unlhsh_lock);
-@@ -578,10 +567,9 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
+@@ -580,10 +569,9 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
  		if (entry != NULL)
  			lsmblob_init(&blob, entry->secid);
  		if (entry != NULL &&
@@ -555,7 +555,7 @@
  			security_release_secctx(&context);
  		}
  		audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0);
-@@ -1104,8 +1092,6 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
+@@ -1106,8 +1094,6 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
  	struct lsmcontext context;
  	void *data;
  	u32 secid;
@@ -564,7 +564,7 @@
  	struct lsmblob blob;
  
  	data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid,
-@@ -1165,15 +1151,13 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
+@@ -1167,15 +1153,13 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
  	 * security_secid_to_secctx() will know which security module
  	 * to use to create the secctx.  */
  	lsmblob_init(&blob, secid);
@@ -609,10 +609,10 @@
  	}
  
 diff --git a/security/security.c b/security/security.c
-index e9a56d44ab6e..f8d306b0dfb8 100644
+index 904ae6c46be0..aab6d3f86e4a 100644
 --- a/security/security.c
 +++ b/security/security.c
-@@ -2326,18 +2326,22 @@ int security_ismaclabel(const char *name)
+@@ -2252,18 +2252,22 @@ int security_ismaclabel(const char *name)
  }
  EXPORT_SYMBOL(security_ismaclabel);
  
@@ -639,5 +639,5 @@
  
  	return LSM_RET_DEFAULT(secid_to_secctx);
 -- 
-2.31.1
+2.25.4