view/branches/tomoyo-backport-2.6.35-to-2.6.32.diff

This patch is for backporting TOMOYO in 2.6.35 to 2.6.32.
---
 fs/namespace.c               |   20 -
 fs/open.c                    |   27 +
 include/linux/security.h     |   41 ++
 security/capability.c        |   19 +
 security/security.c          |   20 +
 security/tomoyo/Makefile     |    2 
 security/tomoyo/common.c     |  695 +++++++++++++++++++------------------
 security/tomoyo/common.h     |  655 ++++++++++++++++++++++++++++------
 security/tomoyo/domain.c     |  413 +++++++---------------
 security/tomoyo/file.c       |  807 ++++++++++++++++++++-----------------------
 security/tomoyo/gc.c         |  412 +++++++++++++++++++++
 security/tomoyo/path_group.c |  172 +++++++++
 security/tomoyo/realpath.c   |  312 +++++-----------
 security/tomoyo/realpath.h   |   66 ---
 security/tomoyo/tomoyo.c     |  155 +++++---
 security/tomoyo/tomoyo.h     |   96 -----
 16 files changed, 2328 insertions(+), 1584 deletions(-)

--- linux-2.6.32.28.orig/fs/namespace.c
+++ linux-2.6.32.28/fs/namespace.c
@@ -1928,6 +1928,16 @@ long do_mount(char *dev_name, char *dir_
        if (data_page)
                ((char *)data_page)[PAGE_SIZE - 1] = 0;
 
+       /* ... and get the mountpoint */
+       retval = kern_path(dir_name, LOOKUP_FOLLOW, &path);
+       if (retval)
+               return retval;
+
+       retval = security_sb_mount(dev_name, &path,
+                                  type_page, flags, data_page);
+       if (retval)
+               goto dput_out;
+
        /* Default to relatime unless overriden */
        if (!(flags & MS_NOATIME))
                mnt_flags |= MNT_RELATIME;
@@ -1952,16 +1962,6 @@ long do_mount(char *dev_name, char *dir_
                   MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
                   MS_STRICTATIME);
 
-       /* ... and get the mountpoint */
-       retval = kern_path(dir_name, LOOKUP_FOLLOW, &path);
-       if (retval)
-               return retval;
-
-       retval = security_sb_mount(dev_name, &path,
-                                  type_page, flags, data_page);
-       if (retval)
-               goto dput_out;
-
        if (flags & MS_REMOUNT)
                retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
                                    data_page);
--- linux-2.6.32.28.orig/fs/open.c
+++ linux-2.6.32.28/fs/open.c
@@ -587,6 +587,9 @@ SYSCALL_DEFINE1(chroot, const char __use
        error = -EPERM;
        if (!capable(CAP_SYS_CHROOT))
                goto dput_and_out;
+       error = security_path_chroot(&path);
+       if (error)
+               goto dput_and_out;
 
        set_fs_root(current->fs, &path);
        error = 0;
@@ -617,11 +620,15 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
        if (err)
                goto out_putf;
        mutex_lock(&inode->i_mutex);
+       err = security_path_chmod(dentry, file->f_vfsmnt, mode);
+       if (err)
+               goto out_unlock;
        if (mode == (mode_t) -1)
                mode = inode->i_mode;
        newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
        newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
        err = notify_change(dentry, &newattrs);
+out_unlock:
        mutex_unlock(&inode->i_mutex);
        mnt_drop_write(file->f_path.mnt);
 out_putf:
@@ -646,11 +653,15 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
        if (error)
                goto dput_and_out;
        mutex_lock(&inode->i_mutex);
+       error = security_path_chmod(path.dentry, path.mnt, mode);
+       if (error)
+               goto out_unlock;
        if (mode == (mode_t) -1)
                mode = inode->i_mode;
        newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
        newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
        error = notify_change(path.dentry, &newattrs);
+out_unlock:
        mutex_unlock(&inode->i_mutex);
        mnt_drop_write(path.mnt);
 dput_and_out:
@@ -664,9 +675,9 @@ SYSCALL_DEFINE2(chmod, const char __user
        return sys_fchmodat(AT_FDCWD, filename, mode);
 }
 
-static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
+static int chown_common(struct path *path, uid_t user, gid_t group)
 {
-       struct inode *inode = dentry->d_inode;
+       struct inode *inode = path->dentry->d_inode;
        int error;
        struct iattr newattrs;
 
@@ -683,7 +694,9 @@ static int chown_common(struct dentry * 
                newattrs.ia_valid |=
                        ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_KILL_PRIV;
        mutex_lock(&inode->i_mutex);
-       error = notify_change(dentry, &newattrs);
+       error = security_path_chown(path, user, group);
+       if (!error)
+               error = notify_change(path->dentry, &newattrs);
        mutex_unlock(&inode->i_mutex);
 
        return error;
@@ -700,7 +713,7 @@ SYSCALL_DEFINE3(chown, const char __user
        error = mnt_want_write(path.mnt);
        if (error)
                goto out_release;
-       error = chown_common(path.dentry, user, group);
+       error = chown_common(&path, user, group);
        mnt_drop_write(path.mnt);
 out_release:
        path_put(&path);
@@ -725,7 +738,7 @@ SYSCALL_DEFINE5(fchownat, int, dfd, cons
        error = mnt_want_write(path.mnt);
        if (error)
                goto out_release;
-       error = chown_common(path.dentry, user, group);
+       error = chown_common(&path, user, group);
        mnt_drop_write(path.mnt);
 out_release:
        path_put(&path);
@@ -744,7 +757,7 @@ SYSCALL_DEFINE3(lchown, const char __use
        error = mnt_want_write(path.mnt);
        if (error)
                goto out_release;
-       error = chown_common(path.dentry, user, group);
+       error = chown_common(&path, user, group);
        mnt_drop_write(path.mnt);
 out_release:
        path_put(&path);
@@ -767,7 +780,7 @@ SYSCALL_DEFINE3(fchown, unsigned int, fd
                goto out_fput;
        dentry = file->f_path.dentry;
        audit_inode(NULL, dentry);
-       error = chown_common(dentry, user, group);
+       error = chown_common(&file->f_path, user, group);
        mnt_drop_write(file->f_path.mnt);
 out_fput:
        fput(file);
--- linux-2.6.32.28.orig/include/linux/security.h
+++ linux-2.6.32.28/include/linux/security.h
@@ -454,6 +454,22 @@ static inline void security_free_mnt_opt
  *     @new_dir contains the path structure for parent of the new link.
  *     @new_dentry contains the dentry structure of the new link.
  *     Return 0 if permission is granted.
+ * @path_chmod:
+ *     Check for permission to change DAC's permission of a file or directory.
+ *     @dentry contains the dentry structure.
+ *     @mnt contains the vfsmnt structure.
+ *     @mode contains DAC's mode.
+ *     Return 0 if permission is granted.
+ * @path_chown:
+ *     Check for permission to change owner/group of a file or directory.
+ *     @path contains the path structure.
+ *     @uid contains new owner's ID.
+ *     @gid contains new group's ID.
+ *     Return 0 if permission is granted.
+ * @path_chroot:
+ *     Check for permission to change root directory.
+ *     @path contains the path structure.
+ *     Return 0 if permission is granted.
  * @inode_readlink:
  *     Check the permission to read the symbolic link.
  *     @dentry contains the dentry structure for the file link.
@@ -1495,6 +1511,10 @@ struct security_operations {
                          struct dentry *new_dentry);
        int (*path_rename) (struct path *old_dir, struct dentry *old_dentry,
                            struct path *new_dir, struct dentry *new_dentry);
+       int (*path_chmod) (struct dentry *dentry, struct vfsmount *mnt,
+                          mode_t mode);
+       int (*path_chown) (struct path *path, uid_t uid, gid_t gid);
+       int (*path_chroot) (struct path *path);
 #endif
 
        int (*inode_alloc_security) (struct inode *inode);
@@ -2959,6 +2979,10 @@ int security_path_link(struct dentry *ol
                       struct dentry *new_dentry);
 int security_path_rename(struct path *old_dir, struct dentry *old_dentry,
                         struct path *new_dir, struct dentry *new_dentry);
+int security_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
+                       mode_t mode);
+int security_path_chown(struct path *path, uid_t uid, gid_t gid);
+int security_path_chroot(struct path *path);
 #else  /* CONFIG_SECURITY_PATH */
 static inline int security_path_unlink(struct path *dir, struct dentry *dentry)
 {
@@ -3008,6 +3032,23 @@ static inline int security_path_rename(s
 {
        return 0;
 }
+
+static inline int security_path_chmod(struct dentry *dentry,
+                                     struct vfsmount *mnt,
+                                     mode_t mode)
+{
+       return 0;
+}
+
+static inline int security_path_chown(struct path *path, uid_t uid, gid_t gid)
+{
+       return 0;
+}
+
+static inline int security_path_chroot(struct path *path)
+{
+       return 0;
+}
 #endif /* CONFIG_SECURITY_PATH */
 
 #ifdef CONFIG_KEYS
--- linux-2.6.32.28.orig/security/capability.c
+++ linux-2.6.32.28/security/capability.c
@@ -308,6 +308,22 @@ static int cap_path_truncate(struct path
 {
        return 0;
 }
+
+static int cap_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
+                         mode_t mode)
+{
+       return 0;
+}
+
+static int cap_path_chown(struct path *path, uid_t uid, gid_t gid)
+{
+       return 0;
+}
+
+static int cap_path_chroot(struct path *root)
+{
+       return 0;
+}
 #endif
 
 static int cap_file_permission(struct file *file, int mask)
@@ -977,6 +993,9 @@ void security_fixup_ops(struct security_
        set_to_cap_if_null(ops, path_link);
        set_to_cap_if_null(ops, path_rename);
        set_to_cap_if_null(ops, path_truncate);
+       set_to_cap_if_null(ops, path_chmod);
+       set_to_cap_if_null(ops, path_chown);
+       set_to_cap_if_null(ops, path_chroot);
 #endif
        set_to_cap_if_null(ops, file_permission);
        set_to_cap_if_null(ops, file_alloc_security);
--- linux-2.6.32.28.orig/security/security.c
+++ linux-2.6.32.28/security/security.c
@@ -434,6 +434,26 @@ int security_path_truncate(struct path *
                return 0;
        return security_ops->path_truncate(path, length, time_attrs);
 }
+
+int security_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
+                       mode_t mode)
+{
+       if (unlikely(IS_PRIVATE(dentry->d_inode)))
+               return 0;
+       return security_ops->path_chmod(dentry, mnt, mode);
+}
+
+int security_path_chown(struct path *path, uid_t uid, gid_t gid)
+{
+       if (unlikely(IS_PRIVATE(path->dentry->d_inode)))
+               return 0;
+       return security_ops->path_chown(path, uid, gid);
+}
+
+int security_path_chroot(struct path *path)
+{
+       return security_ops->path_chroot(path);
+}
 #endif
 
 int security_inode_create(struct inode *dir, struct dentry *dentry, int mode)
--- linux-2.6.32.28.orig/security/tomoyo/Makefile
+++ linux-2.6.32.28/security/tomoyo/Makefile
@@ -1 +1 @@
-obj-y = common.o realpath.o tomoyo.o domain.o file.o
+obj-y = common.o realpath.o tomoyo.o domain.o file.o gc.o path_group.o
--- linux-2.6.32.28.orig/security/tomoyo/common.c
+++ linux-2.6.32.28/security/tomoyo/common.c
@@ -10,11 +10,13 @@
  */
 
 #include <linux/uaccess.h>
+#include <linux/slab.h>
 #include <linux/security.h>
 #include <linux/hardirq.h>
-#include "realpath.h"
 #include "common.h"
-#include "tomoyo.h"
+
+/* Lock for protecting policy. */
+DEFINE_MUTEX(tomoyo_policy_lock);
 
 /* Has loading policy done? */
 bool tomoyo_policy_loaded;
@@ -74,6 +76,49 @@ static int tomoyo_write_control(struct f
                                const int buffer_len);
 
 /**
+ * tomoyo_parse_name_union - Parse a tomoyo_name_union.
+ *
+ * @filename: Name or name group.
+ * @ptr:      Pointer to "struct tomoyo_name_union".
+ *
+ * Returns true on success, false otherwise.
+ */
+bool tomoyo_parse_name_union(const char *filename,
+                            struct tomoyo_name_union *ptr)
+{
+       if (!tomoyo_is_correct_path(filename, 0, 0, 0))
+               return false;
+       if (filename[0] == '@') {
+               ptr->group = tomoyo_get_path_group(filename + 1);
+               ptr->is_group = true;
+               return ptr->group != NULL;
+       }
+       ptr->filename = tomoyo_get_name(filename);
+       ptr->is_group = false;
+       return ptr->filename != NULL;
+}
+
+/**
+ * tomoyo_print_name_union - Print a tomoyo_name_union.
+ *
+ * @head: Pointer to "struct tomoyo_io_buffer".
+ * @ptr:  Pointer to "struct tomoyo_name_union".
+ *
+ * Returns true on success, false otherwise.
+ */
+static bool tomoyo_print_name_union(struct tomoyo_io_buffer *head,
+                                const struct tomoyo_name_union *ptr)
+{
+       int pos = head->read_avail;
+       if (pos && head->read_buf[pos - 1] == ' ')
+               head->read_avail--;
+       if (ptr->is_group)
+               return tomoyo_io_printf(head, " @%s",
+                                       ptr->group->group_name->name);
+       return tomoyo_io_printf(head, " %s", ptr->filename->name);
+}
+
+/**
  * tomoyo_is_byte_range - Check whether the string isa \ooo style octal value.
  *
  * @str: Pointer to the string.
@@ -170,6 +215,33 @@ static void tomoyo_normalize_line(unsign
 }
 
 /**
+ * tomoyo_tokenize - Tokenize string.
+ *
+ * @buffer: The line to tokenize.
+ * @w:      Pointer to "char *".
+ * @size:   Sizeof @w .
+ *
+ * Returns true on success, false otherwise.
+ */
+bool tomoyo_tokenize(char *buffer, char *w[], size_t size)
+{
+       int count = size / sizeof(char *);
+       int i;
+       for (i = 0; i < count; i++)
+               w[i] = "";
+       for (i = 0; i < count; i++) {
+               char *cp = strchr(buffer, ' ');
+               if (cp)
+                       *cp = '\0';
+               w[i] = buffer;
+               if (!cp)
+                       break;
+               buffer = cp + 1;
+       }
+       return i < count || !*buffer;
+}
+
+/**
  * tomoyo_is_correct_path - Validate a pathname.
  * @filename:     The pathname to check.
  * @start_type:   Should the pathname start with '/'?
@@ -178,20 +250,19 @@ static void tomoyo_normalize_line(unsign
  *                1 = must / -1 = must not / 0 = don't care
  * @end_type:     Should the pathname end with '/'?
  *                1 = must / -1 = must not / 0 = don't care
- * @function:     The name of function calling me.
  *
  * Check whether the given filename follows the naming rules.
  * Returns true if @filename follows the naming rules, false otherwise.
  */
 bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
-                           const s8 pattern_type, const s8 end_type,
-                           const char *function)
+                           const s8 pattern_type, const s8 end_type)
 {
+       const char *const start = filename;
+       bool in_repetition = false;
        bool contains_pattern = false;
        unsigned char c;
        unsigned char d;
        unsigned char e;
-       const char *original_filename = filename;
 
        if (!filename)
                goto out;
@@ -212,9 +283,13 @@ bool tomoyo_is_correct_path(const char *
                if (c == '/')
                        goto out;
        }
-       while ((c = *filename++) != '\0') {
+       while (1) {
+               c = *filename++;
+               if (!c)
+                       break;
                if (c == '\\') {
-                       switch ((c = *filename++)) {
+                       c = *filename++;
+                       switch (c) {
                        case '\\':  /* "\\" */
                                continue;
                        case '$':   /* "\$" */
@@ -231,6 +306,22 @@ bool tomoyo_is_correct_path(const char *
                                        break; /* Must not contain pattern */
                                contains_pattern = true;
                                continue;
+                       case '{':   /* "/\{" */
+                               if (filename - 3 < start ||
+                                   *(filename - 3) != '/')
+                                       break;
+                               if (pattern_type == -1)
+                                       break; /* Must not contain pattern */
+                               contains_pattern = true;
+                               in_repetition = true;
+                               continue;
+                       case '}':   /* "\}/" */
+                               if (*filename != '/')
+                                       break;
+                               if (!in_repetition)
+                                       break;
+                               in_repetition = false;
+                               continue;
                        case '0':   /* "\ooo" */
                        case '1':
                        case '2':
@@ -246,6 +337,8 @@ bool tomoyo_is_correct_path(const char *
                                        continue; /* pattern is not \000 */
                        }
                        goto out;
+               } else if (in_repetition && c == '/') {
+                       goto out;
                } else if (tomoyo_is_invalid(c)) {
                        goto out;
                }
@@ -254,27 +347,24 @@ bool tomoyo_is_correct_path(const char *
                if (!contains_pattern)
                        goto out;
        }
+       if (in_repetition)
+               goto out;
        return true;
  out:
-       printk(KERN_DEBUG "%s: Invalid pathname '%s'\n", function,
-              original_filename);
        return false;
 }
 
 /**
  * tomoyo_is_correct_domain - Check whether the given domainname follows the naming rules.
  * @domainname:   The domainname to check.
- * @function:     The name of function calling me.
  *
  * Returns true if @domainname follows the naming rules, false otherwise.
  */
-bool tomoyo_is_correct_domain(const unsigned char *domainname,
-                             const char *function)
+bool tomoyo_is_correct_domain(const unsigned char *domainname)
 {
        unsigned char c;
        unsigned char d;
        unsigned char e;
-       const char *org_domainname = domainname;
 
        if (!domainname || strncmp(domainname, TOMOYO_ROOT_NAME,
                                   TOMOYO_ROOT_NAME_LEN))
@@ -317,8 +407,6 @@ bool tomoyo_is_correct_domain(const unsi
        } while (*domainname);
        return true;
  out:
-       printk(KERN_DEBUG "%s: Invalid domainname '%s'\n", function,
-              org_domainname);
        return false;
 }
 
@@ -339,10 +427,9 @@ bool tomoyo_is_domain_def(const unsigned
  *
  * @domainname: The domainname to find.
  *
- * Caller must call down_read(&tomoyo_domain_list_lock); or
- * down_write(&tomoyo_domain_list_lock); .
- *
  * Returns pointer to "struct tomoyo_domain_info" if found, NULL otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname)
 {
@@ -351,7 +438,7 @@ struct tomoyo_domain_info *tomoyo_find_d
 
        name.name = domainname;
        tomoyo_fill_path_info(&name);
-       list_for_each_entry(domain, &tomoyo_domain_list, list) {
+       list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
                if (!domain->is_deleted &&
                    !tomoyo_pathcmp(&name, domain->domainname))
                        return domain;
@@ -360,33 +447,6 @@ struct tomoyo_domain_info *tomoyo_find_d
 }
 
 /**
- * tomoyo_path_depth - Evaluate the number of '/' in a string.
- *
- * @pathname: The string to evaluate.
- *
- * Returns path depth of the string.
- *
- * I score 2 for each of the '/' in the @pathname
- * and score 1 if the @pathname ends with '/'.
- */
-static int tomoyo_path_depth(const char *pathname)
-{
-       int i = 0;
-
-       if (pathname) {
-               const char *ep = pathname + strlen(pathname);
-               if (pathname < ep--) {
-                       if (*ep != '/')
-                               i++;
-                       while (pathname <= ep)
-                               if (*ep-- == '/')
-                                       i += 2;
-               }
-       }
-       return i;
-}
-
-/**
  * tomoyo_const_part_length - Evaluate the initial length without a pattern in a token.
  *
  * @filename: The string to evaluate.
@@ -444,11 +504,10 @@ void tomoyo_fill_path_info(struct tomoyo
        ptr->is_dir = len && (name[len - 1] == '/');
        ptr->is_patterned = (ptr->const_len < len);
        ptr->hash = full_name_hash(name, len);
-       ptr->depth = tomoyo_path_depth(name);
 }
 
 /**
- * tomoyo_file_matches_to_pattern2 - Pattern matching without '/' character
+ * tomoyo_file_matches_pattern2 - Pattern matching without '/' character
  * and "\-" pattern.
  *
  * @filename:     The start of string to check.
@@ -458,10 +517,10 @@ void tomoyo_fill_path_info(struct tomoyo
  *
  * Returns true if @filename matches @pattern, false otherwise.
  */
-static bool tomoyo_file_matches_to_pattern2(const char *filename,
-                                           const char *filename_end,
-                                           const char *pattern,
-                                           const char *pattern_end)
+static bool tomoyo_file_matches_pattern2(const char *filename,
+                                        const char *filename_end,
+                                        const char *pattern,
+                                        const char *pattern_end)
 {
        while (filename < filename_end && pattern < pattern_end) {
                char c;
@@ -519,7 +578,7 @@ static bool tomoyo_file_matches_to_patte
                case '*':
                case '@':
                        for (i = 0; i <= filename_end - filename; i++) {
-                               if (tomoyo_file_matches_to_pattern2(
+                               if (tomoyo_file_matches_pattern2(
                                                    filename + i, filename_end,
                                                    pattern + 1, pattern_end))
                                        return true;
@@ -550,7 +609,7 @@ static bool tomoyo_file_matches_to_patte
                                        j++;
                        }
                        for (i = 1; i <= j; i++) {
-                               if (tomoyo_file_matches_to_pattern2(
+                               if (tomoyo_file_matches_pattern2(
                                                    filename + i, filename_end,
                                                    pattern + 1, pattern_end))
                                        return true;
@@ -567,7 +626,7 @@ static bool tomoyo_file_matches_to_patte
 }
 
 /**
- * tomoyo_file_matches_to_pattern - Pattern matching without without '/' character.
+ * tomoyo_file_matches_pattern - Pattern matching without without '/' character.
  *
  * @filename:     The start of string to check.
  * @filename_end: The end of string to check.
@@ -576,7 +635,7 @@ static bool tomoyo_file_matches_to_patte
  *
  * Returns true if @filename matches @pattern, false otherwise.
  */
-static bool tomoyo_file_matches_to_pattern(const char *filename,
+static bool tomoyo_file_matches_pattern(const char *filename,
                                           const char *filename_end,
                                           const char *pattern,
                                           const char *pattern_end)
@@ -589,10 +648,10 @@ static bool tomoyo_file_matches_to_patte
                /* Split at "\-" pattern. */
                if (*pattern++ != '\\' || *pattern++ != '-')
                        continue;
-               result = tomoyo_file_matches_to_pattern2(filename,
-                                                        filename_end,
-                                                        pattern_start,
-                                                        pattern - 2);
+               result = tomoyo_file_matches_pattern2(filename,
+                                                     filename_end,
+                                                     pattern_start,
+                                                     pattern - 2);
                if (first)
                        result = !result;
                if (result)
@@ -600,13 +659,79 @@ static bool tomoyo_file_matches_to_patte
                first = false;
                pattern_start = pattern;
        }
-       result = tomoyo_file_matches_to_pattern2(filename, filename_end,
-                                                pattern_start, pattern_end);
+       result = tomoyo_file_matches_pattern2(filename, filename_end,
+                                             pattern_start, pattern_end);
        return first ? result : !result;
 }
 
 /**
+ * tomoyo_path_matches_pattern2 - Do pathname pattern matching.
+ *
+ * @f: The start of string to check.
+ * @p: The start of pattern to compare.
+ *
+ * Returns true if @f matches @p, false otherwise.
+ */
+static bool tomoyo_path_matches_pattern2(const char *f, const char *p)
+{
+       const char *f_delimiter;
+       const char *p_delimiter;
+
+       while (*f && *p) {
+               f_delimiter = strchr(f, '/');
+               if (!f_delimiter)
+                       f_delimiter = f + strlen(f);
+               p_delimiter = strchr(p, '/');
+               if (!p_delimiter)
+                       p_delimiter = p + strlen(p);
+               if (*p == '\\' && *(p + 1) == '{')
+                       goto recursive;
+               if (!tomoyo_file_matches_pattern(f, f_delimiter, p,
+                                                p_delimiter))
+                       return false;
+               f = f_delimiter;
+               if (*f)
+                       f++;
+               p = p_delimiter;
+               if (*p)
+                       p++;
+       }
+       /* Ignore trailing "\*" and "\@" in @pattern. */
+       while (*p == '\\' &&
+              (*(p + 1) == '*' || *(p + 1) == '@'))
+               p += 2;
+       return !*f && !*p;
+ recursive:
+       /*
+        * The "\{" pattern is permitted only after '/' character.
+        * This guarantees that below "*(p - 1)" is safe.
+        * Also, the "\}" pattern is permitted only before '/' character
+        * so that "\{" + "\}" pair will not break the "\-" operator.
+        */
+       if (*(p - 1) != '/' || p_delimiter <= p + 3 || *p_delimiter != '/' ||
+           *(p_delimiter - 1) != '}' || *(p_delimiter - 2) != '\\')
+               return false; /* Bad pattern. */
+       do {
+               /* Compare current component with pattern. */
+               if (!tomoyo_file_matches_pattern(f, f_delimiter, p + 2,
+                                                p_delimiter - 2))
+                       break;
+               /* Proceed to next component. */
+               f = f_delimiter;
+               if (!*f)
+                       break;
+               f++;
+               /* Continue comparison. */
+               if (tomoyo_path_matches_pattern2(f, p_delimiter + 1))
+                       return true;
+               f_delimiter = strchr(f, '/');
+       } while (f_delimiter);
+       return false; /* Not matched. */
+}
+
+/**
  * tomoyo_path_matches_pattern - Check whether the given filename matches the given pattern.
+ *
  * @filename: The filename to check.
  * @pattern:  The pattern to compare.
  *
@@ -615,24 +740,24 @@ static bool tomoyo_file_matches_to_patte
  * The following patterns are available.
  *   \\     \ itself.
  *   \ooo   Octal representation of a byte.
- *   \*     More than or equals to 0 character other than '/'.
- *   \@     More than or equals to 0 character other than '/' or '.'.
+ *   \*     Zero or more repetitions of characters other than '/'.
+ *   \@     Zero or more repetitions of characters other than '/' or '.'.
  *   \?     1 byte character other than '/'.
- *   \$     More than or equals to 1 decimal digit.
+ *   \$     One or more repetitions of decimal digits.
  *   \+     1 decimal digit.
- *   \X     More than or equals to 1 hexadecimal digit.
+ *   \X     One or more repetitions of hexadecimal digits.
  *   \x     1 hexadecimal digit.
- *   \A     More than or equals to 1 alphabet character.
+ *   \A     One or more repetitions of alphabet characters.
  *   \a     1 alphabet character.
+ *
  *   \-     Subtraction operator.
+ *
+ *   /\{dir\}/   '/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/
+ *               /dir/dir/dir/ ).
  */
 bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename,
                                 const struct tomoyo_path_info *pattern)
 {
-       /*
-         if (!filename || !pattern)
-         return false;
-       */
        const char *f = filename->name;
        const char *p = pattern->name;
        const int len = pattern->const_len;
@@ -640,37 +765,15 @@ bool tomoyo_path_matches_pattern(const s
        /* If @pattern doesn't contain pattern, I can use strcmp(). */
        if (!pattern->is_patterned)
                return !tomoyo_pathcmp(filename, pattern);
-       /* Dont compare if the number of '/' differs. */
-       if (filename->depth != pattern->depth)
+       /* Don't compare directory and non-directory. */
+       if (filename->is_dir != pattern->is_dir)
                return false;
        /* Compare the initial length without patterns. */
        if (strncmp(f, p, len))
                return false;
        f += len;
        p += len;
-       /* Main loop. Compare each directory component. */
-       while (*f && *p) {
-               const char *f_delimiter = strchr(f, '/');
-               const char *p_delimiter = strchr(p, '/');
-               if (!f_delimiter)
-                       f_delimiter = f + strlen(f);
-               if (!p_delimiter)
-                       p_delimiter = p + strlen(p);
-               if (!tomoyo_file_matches_to_pattern(f, f_delimiter,
-                                                   p, p_delimiter))
-                       return false;
-               f = f_delimiter;
-               if (*f)
-                       f++;
-               p = p_delimiter;
-               if (*p)
-                       p++;
-       }
-       /* Ignore trailing "\*" and "\@" in @pattern. */
-       while (*p == '\\' &&
-              (*(p + 1) == '*' || *(p + 1) == '@'))
-               p += 2;
-       return !*f && !*p;
+       return tomoyo_path_matches_pattern2(f, p);
 }
 
 /**
@@ -706,7 +809,7 @@ bool tomoyo_io_printf(struct tomoyo_io_b
  *
  * Returns the tomoyo_realpath() of current process on success, NULL otherwise.
  *
- * This function uses tomoyo_alloc(), so the caller must call tomoyo_free()
+ * This function uses kzalloc(), so the caller must call kfree()
  * if this function didn't return NULL.
  */
 static const char *tomoyo_get_exe(void)
@@ -787,6 +890,8 @@ bool tomoyo_verbose_mode(const struct to
  * @domain: Pointer to "struct tomoyo_domain_info".
  *
  * Returns true if the domain is not exceeded quota, false otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info * const domain)
 {
@@ -795,61 +900,29 @@ bool tomoyo_domain_quota_is_ok(struct to
 
        if (!domain)
                return true;
-       down_read(&tomoyo_domain_acl_info_list_lock);
-       list_for_each_entry(ptr, &domain->acl_info_list, list) {
-               if (ptr->type & TOMOYO_ACL_DELETED)
-                       continue;
-               switch (tomoyo_acl_type2(ptr)) {
-                       struct tomoyo_single_path_acl_record *acl1;
-                       struct tomoyo_double_path_acl_record *acl2;
-                       u16 perm;
-               case TOMOYO_TYPE_SINGLE_PATH_ACL:
-                       acl1 = container_of(ptr,
-                                   struct tomoyo_single_path_acl_record,
-                                           head);
-                       perm = acl1->perm;
-                       if (perm & (1 << TOMOYO_TYPE_EXECUTE_ACL))
-                               count++;
-                       if (perm &
-                           ((1 << TOMOYO_TYPE_READ_ACL) |
-                            (1 << TOMOYO_TYPE_WRITE_ACL)))
-                               count++;
-                       if (perm & (1 << TOMOYO_TYPE_CREATE_ACL))
-                               count++;
-                       if (perm & (1 << TOMOYO_TYPE_UNLINK_ACL))
-                               count++;
-                       if (perm & (1 << TOMOYO_TYPE_MKDIR_ACL))
-                               count++;
-                       if (perm & (1 << TOMOYO_TYPE_RMDIR_ACL))
-                               count++;
-                       if (perm & (1 << TOMOYO_TYPE_MKFIFO_ACL))
-                               count++;
-                       if (perm & (1 << TOMOYO_TYPE_MKSOCK_ACL))
-                               count++;
-                       if (perm & (1 << TOMOYO_TYPE_MKBLOCK_ACL))
-                               count++;
-                       if (perm & (1 << TOMOYO_TYPE_MKCHAR_ACL))
-                               count++;
-                       if (perm & (1 << TOMOYO_TYPE_TRUNCATE_ACL))
-                               count++;
-                       if (perm & (1 << TOMOYO_TYPE_SYMLINK_ACL))
-                               count++;
-                       if (perm & (1 << TOMOYO_TYPE_REWRITE_ACL))
-                               count++;
-                       break;
-               case TOMOYO_TYPE_DOUBLE_PATH_ACL:
-                       acl2 = container_of(ptr,
-                                   struct tomoyo_double_path_acl_record,
-                                           head);
-                       perm = acl2->perm;
-                       if (perm & (1 << TOMOYO_TYPE_LINK_ACL))
-                               count++;
-                       if (perm & (1 << TOMOYO_TYPE_RENAME_ACL))
-                               count++;
+       list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
+               switch (ptr->type) {
+                       struct tomoyo_path_acl *acl;
+                       u32 perm;
+                       u8 i;
+               case TOMOYO_TYPE_PATH_ACL:
+                       acl = container_of(ptr, struct tomoyo_path_acl, head);
+                       perm = acl->perm | (((u32) acl->perm_high) << 16);
+                       for (i = 0; i < TOMOYO_MAX_PATH_OPERATION; i++)
+                               if (perm & (1 << i))
+                                       count++;
+                       if (perm & (1 << TOMOYO_TYPE_READ_WRITE))
+                               count -= 2;
+                       break;
+               case TOMOYO_TYPE_PATH2_ACL:
+                       perm = container_of(ptr, struct tomoyo_path2_acl, head)
+                               ->perm;
+                       for (i = 0; i < TOMOYO_MAX_PATH2_OPERATION; i++)
+                               if (perm & (1 << i))
+                                       count++;
                        break;
                }
        }
-       up_read(&tomoyo_domain_acl_info_list_lock);
        if (count < tomoyo_check_flags(domain, TOMOYO_MAX_ACCEPT_ENTRY))
                return true;
        if (!domain->quota_warned) {
@@ -871,25 +944,28 @@ bool tomoyo_domain_quota_is_ok(struct to
 static struct tomoyo_profile *tomoyo_find_or_assign_new_profile(const unsigned
                                                                int profile)
 {
-       static DEFINE_MUTEX(lock);
        struct tomoyo_profile *ptr = NULL;
        int i;
 
        if (profile >= TOMOYO_MAX_PROFILES)
                return NULL;
-       mutex_lock(&lock);
+       if (mutex_lock_interruptible(&tomoyo_policy_lock))
+               return NULL;
        ptr = tomoyo_profile_ptr[profile];
        if (ptr)
                goto ok;
-       ptr = tomoyo_alloc_element(sizeof(*ptr));
-       if (!ptr)
+       ptr = kmalloc(sizeof(*ptr), GFP_NOFS);
+       if (!tomoyo_memory_ok(ptr)) {
+               kfree(ptr);
+               ptr = NULL;
                goto ok;
+       }
        for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++)
                ptr->value[i] = tomoyo_control_array[i].current_value;
        mb(); /* Avoid out-of-order execution. */
        tomoyo_profile_ptr[profile] = ptr;
  ok:
-       mutex_unlock(&lock);
+       mutex_unlock(&tomoyo_policy_lock);
        return ptr;
 }
 
@@ -924,7 +1000,9 @@ static int tomoyo_write_profile(struct t
                return -EINVAL;
        *cp = '\0';
        if (!strcmp(data, "COMMENT")) {
-               profile->comment = tomoyo_save_name(cp + 1);
+               const struct tomoyo_path_info *old_comment = profile->comment;
+               profile->comment = tomoyo_get_name(cp + 1);
+               tomoyo_put_name(old_comment);
                return 0;
        }
        for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++) {
@@ -1019,27 +1097,6 @@ static int tomoyo_read_profile(struct to
 }
 
 /*
- * tomoyo_policy_manager_entry is a structure which is used for holding list of
- * domainnames or programs which are permitted to modify configuration via
- * /sys/kernel/security/tomoyo/ interface.
- * It has following fields.
- *
- *  (1) "list" which is linked to tomoyo_policy_manager_list .
- *  (2) "manager" is a domainname or a program's pathname.
- *  (3) "is_domain" is a bool which is true if "manager" is a domainname, false
- *      otherwise.
- *  (4) "is_deleted" is a bool which is true if marked as deleted, false
- *      otherwise.
- */
-struct tomoyo_policy_manager_entry {
-       struct list_head list;
-       /* A path to program or a domainname. */
-       const struct tomoyo_path_info *manager;
-       bool is_domain;  /* True if manager is a domainname. */
-       bool is_deleted; /* True if this entry is deleted. */
-};
-
-/*
  * tomoyo_policy_manager_list is used for holding list of domainnames or
  * programs which are permitted to modify configuration via
  * /sys/kernel/security/tomoyo/ interface.
@@ -1069,8 +1126,7 @@ struct tomoyo_policy_manager_entry {
  *
  * # cat /sys/kernel/security/tomoyo/manager
  */
-static LIST_HEAD(tomoyo_policy_manager_list);
-static DECLARE_RWSEM(tomoyo_policy_manager_list_lock);
+LIST_HEAD(tomoyo_policy_manager_list);
 
 /**
  * tomoyo_update_manager_entry - Add a manager entry.
@@ -1079,48 +1135,48 @@ static DECLARE_RWSEM(tomoyo_policy_manag
  * @is_delete: True if it is a delete request.
  *
  * Returns 0 on success, negative value otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 static int tomoyo_update_manager_entry(const char *manager,
                                       const bool is_delete)
 {
-       struct tomoyo_policy_manager_entry *new_entry;
        struct tomoyo_policy_manager_entry *ptr;
-       const struct tomoyo_path_info *saved_manager;
-       int error = -ENOMEM;
-       bool is_domain = false;
+       struct tomoyo_policy_manager_entry e = { };
+       int error = is_delete ? -ENOENT : -ENOMEM;
 
        if (tomoyo_is_domain_def(manager)) {
-               if (!tomoyo_is_correct_domain(manager, __func__))
+               if (!tomoyo_is_correct_domain(manager))
                        return -EINVAL;
-               is_domain = true;
+               e.is_domain = true;
        } else {
-               if (!tomoyo_is_correct_path(manager, 1, -1, -1, __func__))
+               if (!tomoyo_is_correct_path(manager, 1, -1, -1))
                        return -EINVAL;
        }
-       saved_manager = tomoyo_save_name(manager);
-       if (!saved_manager)
+       e.manager = tomoyo_get_name(manager);
+       if (!e.manager)
                return -ENOMEM;
-       down_write(&tomoyo_policy_manager_list_lock);
-       list_for_each_entry(ptr, &tomoyo_policy_manager_list, list) {
-               if (ptr->manager != saved_manager)
+       if (mutex_lock_interruptible(&tomoyo_policy_lock))
+               goto out;
+       list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
+               if (ptr->manager != e.manager)
                        continue;
                ptr->is_deleted = is_delete;
                error = 0;
-               goto out;
+               break;
        }
-       if (is_delete) {
-               error = -ENOENT;
-               goto out;
+       if (!is_delete && error) {
+               struct tomoyo_policy_manager_entry *entry =
+                       tomoyo_commit_ok(&e, sizeof(e));
+               if (entry) {
+                       list_add_tail_rcu(&entry->list,
+                                         &tomoyo_policy_manager_list);
+                       error = 0;
+               }
        }
-       new_entry = tomoyo_alloc_element(sizeof(*new_entry));
-       if (!new_entry)
-               goto out;
-       new_entry->manager = saved_manager;
-       new_entry->is_domain = is_domain;
-       list_add_tail(&new_entry->list, &tomoyo_policy_manager_list);
-       error = 0;
+       mutex_unlock(&tomoyo_policy_lock);
  out:
-       up_write(&tomoyo_policy_manager_list_lock);
+       tomoyo_put_name(e.manager);
        return error;
 }
 
@@ -1130,6 +1186,8 @@ static int tomoyo_update_manager_entry(c
  * @head: Pointer to "struct tomoyo_io_buffer".
  *
  * Returns 0 on success, negative value otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 static int tomoyo_write_manager_policy(struct tomoyo_io_buffer *head)
 {
@@ -1149,6 +1207,8 @@ static int tomoyo_write_manager_policy(s
  * @head: Pointer to "struct tomoyo_io_buffer".
  *
  * Returns 0.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 static int tomoyo_read_manager_policy(struct tomoyo_io_buffer *head)
 {
@@ -1157,7 +1217,6 @@ static int tomoyo_read_manager_policy(st
 
        if (head->read_eof)
                return 0;
-       down_read(&tomoyo_policy_manager_list_lock);
        list_for_each_cookie(pos, head->read_var2,
                             &tomoyo_policy_manager_list) {
                struct tomoyo_policy_manager_entry *ptr;
@@ -1169,7 +1228,6 @@ static int tomoyo_read_manager_policy(st
                if (!done)
                        break;
        }
-       up_read(&tomoyo_policy_manager_list_lock);
        head->read_eof = done;
        return 0;
 }
@@ -1179,6 +1237,8 @@ static int tomoyo_read_manager_policy(st
  *
  * Returns true if the current process is permitted to modify policy
  * via /sys/kernel/security/tomoyo/ interface.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 static bool tomoyo_is_policy_manager(void)
 {
@@ -1192,29 +1252,25 @@ static bool tomoyo_is_policy_manager(voi
                return true;
        if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid))
                return false;
-       down_read(&tomoyo_policy_manager_list_lock);
-       list_for_each_entry(ptr, &tomoyo_policy_manager_list, list) {
+       list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
                if (!ptr->is_deleted && ptr->is_domain
                    && !tomoyo_pathcmp(domainname, ptr->manager)) {
                        found = true;
                        break;
                }
        }
-       up_read(&tomoyo_policy_manager_list_lock);
        if (found)
                return true;
        exe = tomoyo_get_exe();
        if (!exe)
                return false;
-       down_read(&tomoyo_policy_manager_list_lock);
-       list_for_each_entry(ptr, &tomoyo_policy_manager_list, list) {
+       list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
                if (!ptr->is_deleted && !ptr->is_domain
                    && !strcmp(exe, ptr->manager->name)) {
                        found = true;
                        break;
                }
        }
-       up_read(&tomoyo_policy_manager_list_lock);
        if (!found) { /* Reduce error messages. */
                static pid_t last_pid;
                const pid_t pid = current->pid;
@@ -1224,7 +1280,7 @@ static bool tomoyo_is_policy_manager(voi
                        last_pid = pid;
                }
        }
-       tomoyo_free(exe);
+       kfree(exe);
        return found;
 }
 
@@ -1235,6 +1291,8 @@ static bool tomoyo_is_policy_manager(voi
  * @data: String to parse.
  *
  * Returns true on success, false otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 static bool tomoyo_is_select_one(struct tomoyo_io_buffer *head,
                                 const char *data)
@@ -1244,17 +1302,16 @@ static bool tomoyo_is_select_one(struct 
 
        if (sscanf(data, "pid=%u", &pid) == 1) {
                struct task_struct *p;
+               rcu_read_lock();
                read_lock(&tasklist_lock);
                p = find_task_by_vpid(pid);
                if (p)
                        domain = tomoyo_real_domain(p);
                read_unlock(&tasklist_lock);
+               rcu_read_unlock();
        } else if (!strncmp(data, "domain=", 7)) {
-               if (tomoyo_is_domain_def(data + 7)) {
-                       down_read(&tomoyo_domain_list_lock);
+               if (tomoyo_is_domain_def(data + 7))
                        domain = tomoyo_find_domain(data + 7);
-                       up_read(&tomoyo_domain_list_lock);
-               }
        } else
                return false;
        head->write_var1 = domain;
@@ -1268,13 +1325,11 @@ static bool tomoyo_is_select_one(struct 
        if (domain) {
                struct tomoyo_domain_info *d;
                head->read_var1 = NULL;
-               down_read(&tomoyo_domain_list_lock);
-               list_for_each_entry(d, &tomoyo_domain_list, list) {
+               list_for_each_entry_rcu(d, &tomoyo_domain_list, list) {
                        if (d == domain)
                                break;
                        head->read_var1 = &d->list;
                }
-               up_read(&tomoyo_domain_list_lock);
                head->read_var2 = NULL;
                head->read_bit = 0;
                head->read_step = 0;
@@ -1290,6 +1345,8 @@ static bool tomoyo_is_select_one(struct 
  * @domainname: The name of domain.
  *
  * Returns 0.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 static int tomoyo_delete_domain(char *domainname)
 {
@@ -1298,9 +1355,10 @@ static int tomoyo_delete_domain(char *do
 
        name.name = domainname;
        tomoyo_fill_path_info(&name);
-       down_write(&tomoyo_domain_list_lock);
+       if (mutex_lock_interruptible(&tomoyo_policy_lock))
+               return 0;
        /* Is there an active domain? */
-       list_for_each_entry(domain, &tomoyo_domain_list, list) {
+       list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
                /* Never delete tomoyo_kernel_domain */
                if (domain == &tomoyo_kernel_domain)
                        continue;
@@ -1310,7 +1368,7 @@ static int tomoyo_delete_domain(char *do
                domain->is_deleted = true;
                break;
        }
-       up_write(&tomoyo_domain_list_lock);
+       mutex_unlock(&tomoyo_policy_lock);
        return 0;
 }
 
@@ -1320,6 +1378,8 @@ static int tomoyo_delete_domain(char *do
  * @head: Pointer to "struct tomoyo_io_buffer".
  *
  * Returns 0 on success, negative value otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head)
 {
@@ -1342,11 +1402,9 @@ static int tomoyo_write_domain_policy(st
                domain = NULL;
                if (is_delete)
                        tomoyo_delete_domain(data);
-               else if (is_select) {
-                       down_read(&tomoyo_domain_list_lock);
+               else if (is_select)
                        domain = tomoyo_find_domain(data);
-                       up_read(&tomoyo_domain_list_lock);
-               } else
+               else
                        domain = tomoyo_find_or_assign_new_domain(data, 0);
                head->write_var1 = domain;
                return 0;
@@ -1361,46 +1419,39 @@ static int tomoyo_write_domain_policy(st
                return 0;
        }
        if (!strcmp(data, TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ)) {
-               tomoyo_set_domain_flag(domain, is_delete,
-                              TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ);
+               domain->ignore_global_allow_read = !is_delete;
                return 0;
        }
        return tomoyo_write_file_policy(data, domain, is_delete);
 }
 
 /**
- * tomoyo_print_single_path_acl - Print a single path ACL entry.
+ * tomoyo_print_path_acl - Print a single path ACL entry.
  *
  * @head: Pointer to "struct tomoyo_io_buffer".
- * @ptr:  Pointer to "struct tomoyo_single_path_acl_record".
+ * @ptr:  Pointer to "struct tomoyo_path_acl".
  *
  * Returns true on success, false otherwise.
  */
-static bool tomoyo_print_single_path_acl(struct tomoyo_io_buffer *head,
-                                        struct tomoyo_single_path_acl_record *
-                                        ptr)
+static bool tomoyo_print_path_acl(struct tomoyo_io_buffer *head,
+                                 struct tomoyo_path_acl *ptr)
 {
        int pos;
        u8 bit;
-       const char *atmark = "";
-       const char *filename;
-       const u16 perm = ptr->perm;
-
-       filename = ptr->filename->name;
-       for (bit = head->read_bit; bit < TOMOYO_MAX_SINGLE_PATH_OPERATION;
-            bit++) {
-               const char *msg;
+       const u32 perm = ptr->perm | (((u32) ptr->perm_high) << 16);
+
+       for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_OPERATION; bit++) {
                if (!(perm & (1 << bit)))
                        continue;
                /* Print "read/write" instead of "read" and "write". */
-               if ((bit == TOMOYO_TYPE_READ_ACL ||
-                    bit == TOMOYO_TYPE_WRITE_ACL)
-                   && (perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL)))
+               if ((bit == TOMOYO_TYPE_READ || bit == TOMOYO_TYPE_WRITE)
+                   && (perm & (1 << TOMOYO_TYPE_READ_WRITE)))
                        continue;
-               msg = tomoyo_sp2keyword(bit);
                pos = head->read_avail;
-               if (!tomoyo_io_printf(head, "allow_%s %s%s\n", msg,
-                                     atmark, filename))
+               if (!tomoyo_io_printf(head, "allow_%s ",
+                                     tomoyo_path2keyword(bit)) ||
+                   !tomoyo_print_name_union(head, &ptr->name) ||
+                   !tomoyo_io_printf(head, "\n"))
                        goto out;
        }
        head->read_bit = 0;
@@ -1412,36 +1463,29 @@ static bool tomoyo_print_single_path_acl
 }
 
 /**
- * tomoyo_print_double_path_acl - Print a double path ACL entry.
+ * tomoyo_print_path2_acl - Print a double path ACL entry.
  *
  * @head: Pointer to "struct tomoyo_io_buffer".
- * @ptr:  Pointer to "struct tomoyo_double_path_acl_record".
+ * @ptr:  Pointer to "struct tomoyo_path2_acl".
  *
  * Returns true on success, false otherwise.
  */
-static bool tomoyo_print_double_path_acl(struct tomoyo_io_buffer *head,
-                                        struct tomoyo_double_path_acl_record *
-                                        ptr)
+static bool tomoyo_print_path2_acl(struct tomoyo_io_buffer *head,
+                                  struct tomoyo_path2_acl *ptr)
 {
        int pos;
-       const char *atmark1 = "";
-       const char *atmark2 = "";
-       const char *filename1;
-       const char *filename2;
        const u8 perm = ptr->perm;
        u8 bit;
 
-       filename1 = ptr->filename1->name;
-       filename2 = ptr->filename2->name;
-       for (bit = head->read_bit; bit < TOMOYO_MAX_DOUBLE_PATH_OPERATION;
-            bit++) {
-               const char *msg;
+       for (bit = head->read_bit; bit < TOMOYO_MAX_PATH2_OPERATION; bit++) {
                if (!(perm & (1 << bit)))
                        continue;
-               msg = tomoyo_dp2keyword(bit);
                pos = head->read_avail;
-               if (!tomoyo_io_printf(head, "allow_%s %s%s %s%s\n", msg,
-                                     atmark1, filename1, atmark2, filename2))
+               if (!tomoyo_io_printf(head, "allow_%s ",
+                                     tomoyo_path22keyword(bit)) ||
+                   !tomoyo_print_name_union(head, &ptr->name1) ||
+                   !tomoyo_print_name_union(head, &ptr->name2) ||
+                   !tomoyo_io_printf(head, "\n"))
                        goto out;
        }
        head->read_bit = 0;
@@ -1463,23 +1507,17 @@ static bool tomoyo_print_double_path_acl
 static bool tomoyo_print_entry(struct tomoyo_io_buffer *head,
                               struct tomoyo_acl_info *ptr)
 {
-       const u8 acl_type = tomoyo_acl_type2(ptr);
+       const u8 acl_type = ptr->type;
 
-       if (acl_type & TOMOYO_ACL_DELETED)
-               return true;
-       if (acl_type == TOMOYO_TYPE_SINGLE_PATH_ACL) {
-               struct tomoyo_single_path_acl_record *acl
-                       = container_of(ptr,
-                                      struct tomoyo_single_path_acl_record,
-                                      head);
-               return tomoyo_print_single_path_acl(head, acl);
-       }
-       if (acl_type == TOMOYO_TYPE_DOUBLE_PATH_ACL) {
-               struct tomoyo_double_path_acl_record *acl
-                       = container_of(ptr,
-                                      struct tomoyo_double_path_acl_record,
-                                      head);
-               return tomoyo_print_double_path_acl(head, acl);
+       if (acl_type == TOMOYO_TYPE_PATH_ACL) {
+               struct tomoyo_path_acl *acl
+                       = container_of(ptr, struct tomoyo_path_acl, head);
+               return tomoyo_print_path_acl(head, acl);
+       }
+       if (acl_type == TOMOYO_TYPE_PATH2_ACL) {
+               struct tomoyo_path2_acl *acl
+                       = container_of(ptr, struct tomoyo_path2_acl, head);
+               return tomoyo_print_path2_acl(head, acl);
        }
        BUG(); /* This must not happen. */
        return false;
@@ -1491,6 +1529,8 @@ static bool tomoyo_print_entry(struct to
  * @head: Pointer to "struct tomoyo_io_buffer".
  *
  * Returns 0.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 static int tomoyo_read_domain_policy(struct tomoyo_io_buffer *head)
 {
@@ -1502,7 +1542,6 @@ static int tomoyo_read_domain_policy(str
                return 0;
        if (head->read_step == 0)
                head->read_step = 1;
-       down_read(&tomoyo_domain_list_lock);
        list_for_each_cookie(dpos, head->read_var1, &tomoyo_domain_list) {
                struct tomoyo_domain_info *domain;
                const char *quota_exceeded = "";
@@ -1516,10 +1555,9 @@ static int tomoyo_read_domain_policy(str
                /* Print domainname and flags. */
                if (domain->quota_warned)
                        quota_exceeded = "quota_exceeded\n";
-               if (domain->flags & TOMOYO_DOMAIN_FLAGS_TRANSITION_FAILED)
+               if (domain->transition_failed)
                        transition_failed = "transition_failed\n";
-               if (domain->flags &
-                   TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ)
+               if (domain->ignore_global_allow_read)
                        ignore_global_allow_read
                                = TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "\n";
                done = tomoyo_io_printf(head, "%s\n" TOMOYO_KEYWORD_USE_PROFILE
@@ -1535,7 +1573,6 @@ acl_loop:
                if (head->read_step == 3)
                        goto tail_mark;
                /* Print ACL entries in the domain. */
-               down_read(&tomoyo_domain_acl_info_list_lock);
                list_for_each_cookie(apos, head->read_var2,
                                     &domain->acl_info_list) {
                        struct tomoyo_acl_info *ptr
@@ -1545,7 +1582,6 @@ acl_loop:
                        if (!done)
                                break;
                }
-               up_read(&tomoyo_domain_acl_info_list_lock);
                if (!done)
                        break;
                head->read_step = 3;
@@ -1557,7 +1593,6 @@ tail_mark:
                if (head->read_single_domain)
                        break;
        }
-       up_read(&tomoyo_domain_list_lock);
        head->read_eof = done;
        return 0;
 }
@@ -1573,6 +1608,8 @@ tail_mark:
  *
  *     ( echo "select " $domainname; echo "use_profile " $profile ) |
  *     /usr/lib/ccs/loadpolicy -d
+ *
+ * Caller holds tomoyo_read_lock().
  */
 static int tomoyo_write_domain_profile(struct tomoyo_io_buffer *head)
 {
@@ -1584,9 +1621,7 @@ static int tomoyo_write_domain_profile(s
        if (!cp)
                return -EINVAL;
        *cp = '\0';
-       down_read(&tomoyo_domain_list_lock);
        domain = tomoyo_find_domain(cp + 1);
-       up_read(&tomoyo_domain_list_lock);
        if (strict_strtoul(data, 10, &profile))
                return -EINVAL;
        if (domain && profile < TOMOYO_MAX_PROFILES
@@ -1608,6 +1643,8 @@ static int tomoyo_write_domain_profile(s
  *     awk ' { if ( domainname == "" ) { if ( $1 == "<kernel>" )
  *     domainname = $0; } else if ( $1 == "use_profile" ) {
  *     print $2 " " domainname; domainname = ""; } } ; '
+ *
+ * Caller holds tomoyo_read_lock().
  */
 static int tomoyo_read_domain_profile(struct tomoyo_io_buffer *head)
 {
@@ -1616,7 +1653,6 @@ static int tomoyo_read_domain_profile(st
 
        if (head->read_eof)
                return 0;
-       down_read(&tomoyo_domain_list_lock);
        list_for_each_cookie(pos, head->read_var1, &tomoyo_domain_list) {
                struct tomoyo_domain_info *domain;
                domain = list_entry(pos, struct tomoyo_domain_info, list);
@@ -1627,7 +1663,6 @@ static int tomoyo_read_domain_profile(st
                if (!done)
                        break;
        }
-       up_read(&tomoyo_domain_list_lock);
        head->read_eof = done;
        return 0;
 }
@@ -1665,11 +1700,13 @@ static int tomoyo_read_pid(struct tomoyo
                const int pid = head->read_step;
                struct task_struct *p;
                struct tomoyo_domain_info *domain = NULL;
+               rcu_read_lock();
                read_lock(&tasklist_lock);
                p = find_task_by_vpid(pid);
                if (p)
                        domain = tomoyo_real_domain(p);
                read_unlock(&tasklist_lock);
+               rcu_read_unlock();
                if (domain)
                        tomoyo_io_printf(head, "%d %u %s", pid, domain->profile,
                                         domain->domainname->name);
@@ -1684,6 +1721,8 @@ static int tomoyo_read_pid(struct tomoyo
  * @head: Pointer to "struct tomoyo_io_buffer".
  *
  * Returns 0 on success, negative value otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 static int tomoyo_write_exception_policy(struct tomoyo_io_buffer *head)
 {
@@ -1709,6 +1748,8 @@ static int tomoyo_write_exception_policy
                return tomoyo_write_pattern_policy(data, is_delete);
        if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DENY_REWRITE))
                return tomoyo_write_no_rewrite_policy(data, is_delete);
+       if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_PATH_GROUP))
+               return tomoyo_write_path_group_policy(data, is_delete);
        return -EINVAL;
 }
 
@@ -1718,6 +1759,8 @@ static int tomoyo_write_exception_policy
  * @head: Pointer to "struct tomoyo_io_buffer".
  *
  * Returns 0 on success, -EINVAL otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 static int tomoyo_read_exception_policy(struct tomoyo_io_buffer *head)
 {
@@ -1763,6 +1806,12 @@ static int tomoyo_read_exception_policy(
                        head->read_var2 = NULL;
                        head->read_step = 9;
                case 9:
+                       if (!tomoyo_read_path_group_policy(head))
+                               break;
+                       head->read_var1 = NULL;
+                       head->read_var2 = NULL;
+                       head->read_step = 10;
+               case 10:
                        head->read_eof = true;
                        break;
                default:
@@ -1847,15 +1896,13 @@ void tomoyo_load_policy(const char *file
        tomoyo_policy_loaded = true;
        { /* Check all profiles currently assigned to domains are defined. */
                struct tomoyo_domain_info *domain;
-               down_read(&tomoyo_domain_list_lock);
-               list_for_each_entry(domain, &tomoyo_domain_list, list) {
+               list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
                        const u8 profile = domain->profile;
                        if (tomoyo_profile_ptr[profile])
                                continue;
                        panic("Profile %u (used by '%s') not defined.\n",
                              profile, domain->domainname->name);
                }
-               up_read(&tomoyo_domain_list_lock);
        }
 }
 
@@ -1903,10 +1950,12 @@ static int tomoyo_read_self_domain(struc
  * @file: Pointer to "struct file".
  *
  * Associates policy handler and returns 0 on success, -ENOMEM otherwise.
+ *
+ * Caller acquires tomoyo_read_lock().
  */
 static int tomoyo_open_control(const u8 type, struct file *file)
 {
-       struct tomoyo_io_buffer *head = tomoyo_alloc(sizeof(*head));
+       struct tomoyo_io_buffer *head = kzalloc(sizeof(*head), GFP_NOFS);
 
        if (!head)
                return -ENOMEM;
@@ -1967,9 +2016,9 @@ static int tomoyo_open_control(const u8 
        } else {
                if (!head->readbuf_size)
                        head->readbuf_size = 4096 * 2;
-               head->read_buf = tomoyo_alloc(head->readbuf_size);
+               head->read_buf = kzalloc(head->readbuf_size, GFP_NOFS);
                if (!head->read_buf) {
-                       tomoyo_free(head);
+                       kfree(head);
                        return -ENOMEM;
                }
        }
@@ -1981,13 +2030,14 @@ static int tomoyo_open_control(const u8 
                head->write = NULL;
        } else if (head->write) {
                head->writebuf_size = 4096 * 2;
-               head->write_buf = tomoyo_alloc(head->writebuf_size);
+               head->write_buf = kzalloc(head->writebuf_size, GFP_NOFS);
                if (!head->write_buf) {
-                       tomoyo_free(head->read_buf);
-                       tomoyo_free(head);
+                       kfree(head->read_buf);
+                       kfree(head);
                        return -ENOMEM;
                }
        }
+       head->reader_idx = tomoyo_read_lock();
        file->private_data = head;
        /*
         * Call the handler now if the file is
@@ -2009,6 +2059,8 @@ static int tomoyo_open_control(const u8 
  * @buffer_len: Size of @buffer.
  *
  * Returns bytes read on success, negative value otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 static int tomoyo_read_control(struct file *file, char __user *buffer,
                               const int buffer_len)
@@ -2052,6 +2104,8 @@ static int tomoyo_read_control(struct fi
  * @buffer_len: Size of @buffer.
  *
  * Returns @buffer_len on success, negative value otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 static int tomoyo_write_control(struct file *file, const char __user *buffer,
                                const int buffer_len)
@@ -2102,52 +2156,29 @@ static int tomoyo_write_control(struct f
  * @file: Pointer to "struct file".
  *
  * Releases memory and returns 0.
+ *
+ * Caller looses tomoyo_read_lock().
  */
 static int tomoyo_close_control(struct file *file)
 {
        struct tomoyo_io_buffer *head = file->private_data;
+       const bool is_write = !!head->write_buf;
 
+       tomoyo_read_unlock(head->reader_idx);
        /* Release memory used for policy I/O. */
-       tomoyo_free(head->read_buf);
+       kfree(head->read_buf);
        head->read_buf = NULL;
-       tomoyo_free(head->write_buf);
+       kfree(head->write_buf);
        head->write_buf = NULL;
-       tomoyo_free(head);
+       kfree(head);
        head = NULL;
        file->private_data = NULL;
+       if (is_write)
+               tomoyo_run_gc();
        return 0;
 }
 
 /**
- * tomoyo_alloc_acl_element - Allocate permanent memory for ACL entry.
- *
- * @acl_type:  Type of ACL entry.
- *
- * Returns pointer to the ACL entry on success, NULL otherwise.
- */
-void *tomoyo_alloc_acl_element(const u8 acl_type)
-{
-       int len;
-       struct tomoyo_acl_info *ptr;
-
-       switch (acl_type) {
-       case TOMOYO_TYPE_SINGLE_PATH_ACL:
-               len = sizeof(struct tomoyo_single_path_acl_record);
-               break;
-       case TOMOYO_TYPE_DOUBLE_PATH_ACL:
-               len = sizeof(struct tomoyo_double_path_acl_record);
-               break;
-       default:
-               return NULL;
-       }
-       ptr = tomoyo_alloc_element(len);
-       if (!ptr)
-               return NULL;
-       ptr->type = acl_type;
-       return ptr;
-}
-
-/**
  * tomoyo_open - open() for /sys/kernel/security/tomoyo/ interface.
  *
  * @inode: Pointer to "struct inode".
--- linux-2.6.32.28.orig/security/tomoyo/common.h
+++ linux-2.6.32.28/security/tomoyo/common.h
@@ -1,12 +1,9 @@
 /*
  * security/tomoyo/common.h
  *
- * Common functions for TOMOYO.
- *
- * Copyright (C) 2005-2009  NTT DATA CORPORATION
- *
- * Version: 2.2.0   2009/04/01
+ * Header file for TOMOYO.
  *
+ * Copyright (C) 2005-2010  NTT DATA CORPORATION
  */
 
 #ifndef _SECURITY_TOMOYO_COMMON_H
@@ -22,9 +19,120 @@
 #include <linux/namei.h>
 #include <linux/mount.h>
 #include <linux/list.h>
+#include <linux/cred.h>
+struct linux_binprm;
+
+/********** Constants definitions. **********/
+
+/*
+ * TOMOYO uses this hash only when appending a string into the string
+ * table. Frequency of appending strings is very low. So we don't need
+ * large (e.g. 64k) hash size. 256 will be sufficient.
+ */
+#define TOMOYO_HASH_BITS  8
+#define TOMOYO_MAX_HASH (1u<<TOMOYO_HASH_BITS)
+
+/*
+ * This is the max length of a token.
+ *
+ * A token consists of only ASCII printable characters.
+ * Non printable characters in a token is represented in \ooo style
+ * octal string. Thus, \ itself is represented as \\.
+ */
+#define TOMOYO_MAX_PATHNAME_LEN 4000
+
+/* Profile number is an integer between 0 and 255. */
+#define TOMOYO_MAX_PROFILES 256
+
+/* Keywords for ACLs. */
+#define TOMOYO_KEYWORD_ALIAS                     "alias "
+#define TOMOYO_KEYWORD_ALLOW_READ                "allow_read "
+#define TOMOYO_KEYWORD_DELETE                    "delete "
+#define TOMOYO_KEYWORD_DENY_REWRITE              "deny_rewrite "
+#define TOMOYO_KEYWORD_FILE_PATTERN              "file_pattern "
+#define TOMOYO_KEYWORD_INITIALIZE_DOMAIN         "initialize_domain "
+#define TOMOYO_KEYWORD_KEEP_DOMAIN               "keep_domain "
+#define TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN      "no_initialize_domain "
+#define TOMOYO_KEYWORD_NO_KEEP_DOMAIN            "no_keep_domain "
+#define TOMOYO_KEYWORD_PATH_GROUP                "path_group "
+#define TOMOYO_KEYWORD_SELECT                    "select "
+#define TOMOYO_KEYWORD_USE_PROFILE               "use_profile "
+#define TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ  "ignore_global_allow_read"
+/* A domain definition starts with <kernel>. */
+#define TOMOYO_ROOT_NAME                         "<kernel>"
+#define TOMOYO_ROOT_NAME_LEN                     (sizeof(TOMOYO_ROOT_NAME) - 1)
+
+/* Index numbers for Access Controls. */
+enum tomoyo_mac_index {
+       TOMOYO_MAC_FOR_FILE,  /* domain_policy.conf */
+       TOMOYO_MAX_ACCEPT_ENTRY,
+       TOMOYO_VERBOSE,
+       TOMOYO_MAX_CONTROL_INDEX
+};
+
+/* Index numbers for Access Controls. */
+enum tomoyo_acl_entry_type_index {
+       TOMOYO_TYPE_PATH_ACL,
+       TOMOYO_TYPE_PATH2_ACL,
+};
+
+/* Index numbers for File Controls. */
 
-struct dentry;
-struct vfsmount;
+/*
+ * TYPE_READ_WRITE_ACL is special. TYPE_READ_WRITE_ACL is automatically set
+ * if both TYPE_READ_ACL and TYPE_WRITE_ACL are set. Both TYPE_READ_ACL and
+ * TYPE_WRITE_ACL are automatically set if TYPE_READ_WRITE_ACL is set.
+ * TYPE_READ_WRITE_ACL is automatically cleared if either TYPE_READ_ACL or
+ * TYPE_WRITE_ACL is cleared. Both TYPE_READ_ACL and TYPE_WRITE_ACL are
+ * automatically cleared if TYPE_READ_WRITE_ACL is cleared.
+ */
+
+enum tomoyo_path_acl_index {
+       TOMOYO_TYPE_READ_WRITE,
+       TOMOYO_TYPE_EXECUTE,
+       TOMOYO_TYPE_READ,
+       TOMOYO_TYPE_WRITE,
+       TOMOYO_TYPE_CREATE,
+       TOMOYO_TYPE_UNLINK,
+       TOMOYO_TYPE_MKDIR,
+       TOMOYO_TYPE_RMDIR,
+       TOMOYO_TYPE_MKFIFO,
+       TOMOYO_TYPE_MKSOCK,
+       TOMOYO_TYPE_MKBLOCK,
+       TOMOYO_TYPE_MKCHAR,
+       TOMOYO_TYPE_TRUNCATE,
+       TOMOYO_TYPE_SYMLINK,
+       TOMOYO_TYPE_REWRITE,
+       TOMOYO_TYPE_IOCTL,
+       TOMOYO_TYPE_CHMOD,
+       TOMOYO_TYPE_CHOWN,
+       TOMOYO_TYPE_CHGRP,
+       TOMOYO_TYPE_CHROOT,
+       TOMOYO_TYPE_MOUNT,
+       TOMOYO_TYPE_UMOUNT,
+       TOMOYO_MAX_PATH_OPERATION
+};
+
+enum tomoyo_path2_acl_index {
+       TOMOYO_TYPE_LINK,
+       TOMOYO_TYPE_RENAME,
+       TOMOYO_TYPE_PIVOT_ROOT,
+       TOMOYO_MAX_PATH2_OPERATION
+};
+
+enum tomoyo_securityfs_interface_index {
+       TOMOYO_DOMAINPOLICY,
+       TOMOYO_EXCEPTIONPOLICY,
+       TOMOYO_DOMAIN_STATUS,
+       TOMOYO_PROCESS_STATUS,
+       TOMOYO_MEMINFO,
+       TOMOYO_SELFDOMAIN,
+       TOMOYO_VERSION,
+       TOMOYO_PROFILE,
+       TOMOYO_MANAGER
+};
+
+/********** Structure definitions. **********/
 
 /*
  * tomoyo_page_buffer is a structure which is used for holding a pathname
@@ -56,9 +164,6 @@ struct tomoyo_page_buffer {
  * (5) "is_patterned" is a bool which is true if "name" contains wildcard
  *     characters, false otherwise. This allows TOMOYO to use "hash" and
  *     strcmp() for string comparison if "is_patterned" is false.
- * (6) "depth" is calculated using the number of "/" characters in "name".
- *     This allows TOMOYO to avoid comparing two pathnames which never match
- *     (e.g. whether "/var/www/html/index.html" matches "/tmp/sh-thd-\$").
  */
 struct tomoyo_path_info {
        const char *name;
@@ -66,17 +171,17 @@ struct tomoyo_path_info {
        u16 const_len;     /* = tomoyo_const_part_length(name)     */
        bool is_dir;       /* = tomoyo_strendswith(name, "/")      */
        bool is_patterned; /* = tomoyo_path_contains_pattern(name) */
-       u16 depth;         /* = tomoyo_path_depth(name)            */
 };
 
 /*
- * This is the max length of a token.
- *
- * A token consists of only ASCII printable characters.
- * Non printable characters in a token is represented in \ooo style
- * octal string. Thus, \ itself is represented as \\.
+ * tomoyo_name_entry is a structure which is used for linking
+ * "struct tomoyo_path_info" into tomoyo_name_list .
  */
-#define TOMOYO_MAX_PATHNAME_LEN 4000
+struct tomoyo_name_entry {
+       struct list_head list;
+       atomic_t users;
+       struct tomoyo_path_info entry;
+};
 
 /*
  * tomoyo_path_info_with_data is a structure which is used for holding a
@@ -93,42 +198,52 @@ struct tomoyo_path_info {
  * "struct tomoyo_path_info_with_data".
  */
 struct tomoyo_path_info_with_data {
-       /* Keep "head" first, for this pointer is passed to tomoyo_free(). */
+       /* Keep "head" first, for this pointer is passed to kfree(). */
        struct tomoyo_path_info head;
        char barrier1[16]; /* Safeguard for overrun. */
        char body[TOMOYO_MAX_PATHNAME_LEN];
        char barrier2[16]; /* Safeguard for overrun. */
 };
 
+struct tomoyo_name_union {
+       const struct tomoyo_path_info *filename;
+       struct tomoyo_path_group *group;
+       u8 is_group;
+};
+
+/* Structure for "path_group" directive. */
+struct tomoyo_path_group {
+       struct list_head list;
+       const struct tomoyo_path_info *group_name;
+       struct list_head member_list;
+       atomic_t users;
+};
+
+/* Structure for "path_group" directive. */
+struct tomoyo_path_group_member {
+       struct list_head list;
+       bool is_deleted;
+       const struct tomoyo_path_info *member_name;
+};
+
 /*
  * tomoyo_acl_info is a structure which is used for holding
  *
  *  (1) "list" which is linked to the ->acl_info_list of
  *      "struct tomoyo_domain_info"
- *  (2) "type" which tells
- *      (a) type & 0x7F : type of the entry (either
- *          "struct tomoyo_single_path_acl_record" or
- *          "struct tomoyo_double_path_acl_record")
- *      (b) type & 0x80 : whether the entry is marked as "deleted".
+ *  (2) "type" which tells type of the entry (either
+ *      "struct tomoyo_path_acl" or "struct tomoyo_path2_acl").
  *
  * Packing "struct tomoyo_acl_info" allows
- * "struct tomoyo_single_path_acl_record" to embed "u16" and
- * "struct tomoyo_double_path_acl_record" to embed "u8"
+ * "struct tomoyo_path_acl" to embed "u8" + "u16" and
+ * "struct tomoyo_path2_acl" to embed "u8"
  * without enlarging their structure size.
  */
 struct tomoyo_acl_info {
        struct list_head list;
-       /*
-        * Type of this ACL entry.
-        *
-        * MSB is is_deleted flag.
-        */
        u8 type;
 } __packed;
 
-/* This ACL entry is deleted.           */
-#define TOMOYO_ACL_DELETED        0x80
-
 /*
  * tomoyo_domain_info is a structure which is used for holding permissions
  * (e.g. "allow_read /lib/libc-2.5.so") given to each domain.
@@ -142,7 +257,17 @@ struct tomoyo_acl_info {
  *      "deleted", false otherwise.
  *  (6) "quota_warned" is a bool which is used for suppressing warning message
  *      when learning mode learned too much entries.
- *  (7) "flags" which remembers this domain's attributes.
+ *  (7) "ignore_global_allow_read" is a bool which is true if this domain
+ *      should ignore "allow_read" directive in exception policy.
+ *  (8) "transition_failed" is a bool which is set to true when this domain was
+ *      unable to create a new domain at tomoyo_find_next_domain() because the
+ *      name of the domain to be created was too long or it could not allocate
+ *      memory. If set to true, more than one process continued execve()
+ *      without domain transition.
+ *  (9) "users" is an atomic_t that holds how many "struct cred"->security
+ *      are referring this "struct tomoyo_domain_info". If is_deleted == true
+ *      and users == 0, this struct will be kfree()d upon next garbage
+ *      collection.
  *
  * A domain's lifecycle is an analogy of files on / directory.
  * Multiple domains with the same domainname cannot be created (as with
@@ -159,88 +284,54 @@ struct tomoyo_domain_info {
        u8 profile;        /* Profile number to use. */
        bool is_deleted;   /* Delete flag.           */
        bool quota_warned; /* Quota warnning flag.   */
-       /* DOMAIN_FLAGS_*. Use tomoyo_set_domain_flag() to modify. */
-       u8 flags;
+       bool ignore_global_allow_read; /* Ignore "allow_read" flag. */
+       bool transition_failed; /* Domain transition failed flag. */
+       atomic_t users; /* Number of referring credentials. */
 };
 
-/* Profile number is an integer between 0 and 255. */
-#define TOMOYO_MAX_PROFILES 256
-
-/* Ignore "allow_read" directive in exception policy. */
-#define TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ 1
 /*
- * This domain was unable to create a new domain at tomoyo_find_next_domain()
- * because the name of the domain to be created was too long or
- * it could not allocate memory.
- * More than one process continued execve() without domain transition.
- */
-#define TOMOYO_DOMAIN_FLAGS_TRANSITION_FAILED        2
-
-/*
- * tomoyo_single_path_acl_record is a structure which is used for holding an
+ * tomoyo_path_acl is a structure which is used for holding an
  * entry with one pathname operation (e.g. open(), mkdir()).
  * It has following fields.
  *
  *  (1) "head" which is a "struct tomoyo_acl_info".
  *  (2) "perm" which is a bitmask of permitted operations.
- *  (3) "filename" is the pathname.
+ *  (3) "name" is the pathname.
  *
  * Directives held by this structure are "allow_read/write", "allow_execute",
  * "allow_read", "allow_write", "allow_create", "allow_unlink", "allow_mkdir",
  * "allow_rmdir", "allow_mkfifo", "allow_mksock", "allow_mkblock",
- * "allow_mkchar", "allow_truncate", "allow_symlink" and "allow_rewrite".
- */
-struct tomoyo_single_path_acl_record {
-       struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_SINGLE_PATH_ACL */
+ * "allow_mkchar", "allow_truncate", "allow_symlink", "allow_rewrite",
+ * "allow_chmod", "allow_chown", "allow_chgrp", "allow_chroot", "allow_mount"
+ * and "allow_unmount".
+ */
+struct tomoyo_path_acl {
+       struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH_ACL */
+       u8 perm_high;
        u16 perm;
-       /* Pointer to single pathname. */
-       const struct tomoyo_path_info *filename;
+       struct tomoyo_name_union name;
 };
 
 /*
- * tomoyo_double_path_acl_record is a structure which is used for holding an
- * entry with two pathnames operation (i.e. link() and rename()).
+ * tomoyo_path2_acl is a structure which is used for holding an
+ * entry with two pathnames operation (i.e. link(), rename() and pivot_root()).
  * It has following fields.
  *
  *  (1) "head" which is a "struct tomoyo_acl_info".
  *  (2) "perm" which is a bitmask of permitted operations.
- *  (3) "filename1" is the source/old pathname.
- *  (4) "filename2" is the destination/new pathname.
+ *  (3) "name1" is the source/old pathname.
+ *  (4) "name2" is the destination/new pathname.
  *
- * Directives held by this structure are "allow_rename" and "allow_link".
+ * Directives held by this structure are "allow_rename", "allow_link" and
+ * "allow_pivot_root".
  */
-struct tomoyo_double_path_acl_record {
-       struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_DOUBLE_PATH_ACL */
+struct tomoyo_path2_acl {
+       struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH2_ACL */
        u8 perm;
-       /* Pointer to single pathname. */
-       const struct tomoyo_path_info *filename1;
-       /* Pointer to single pathname. */
-       const struct tomoyo_path_info *filename2;
+       struct tomoyo_name_union name1;
+       struct tomoyo_name_union name2;
 };
 
-/* Keywords for ACLs. */
-#define TOMOYO_KEYWORD_ALIAS                     "alias "
-#define TOMOYO_KEYWORD_ALLOW_READ                "allow_read "
-#define TOMOYO_KEYWORD_DELETE                    "delete "
-#define TOMOYO_KEYWORD_DENY_REWRITE              "deny_rewrite "
-#define TOMOYO_KEYWORD_FILE_PATTERN              "file_pattern "
-#define TOMOYO_KEYWORD_INITIALIZE_DOMAIN         "initialize_domain "
-#define TOMOYO_KEYWORD_KEEP_DOMAIN               "keep_domain "
-#define TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN      "no_initialize_domain "
-#define TOMOYO_KEYWORD_NO_KEEP_DOMAIN            "no_keep_domain "
-#define TOMOYO_KEYWORD_SELECT                    "select "
-#define TOMOYO_KEYWORD_USE_PROFILE               "use_profile "
-#define TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ  "ignore_global_allow_read"
-/* A domain definition starts with <kernel>. */
-#define TOMOYO_ROOT_NAME                         "<kernel>"
-#define TOMOYO_ROOT_NAME_LEN                     (sizeof(TOMOYO_ROOT_NAME) - 1)
-
-/* Index numbers for Access Controls. */
-#define TOMOYO_MAC_FOR_FILE                  0  /* domain_policy.conf */
-#define TOMOYO_MAX_ACCEPT_ENTRY              1
-#define TOMOYO_VERBOSE                       2
-#define TOMOYO_MAX_CONTROL_INDEX             3
-
 /*
  * tomoyo_io_buffer is a structure which is used for reading and modifying
  * configuration via /sys/kernel/security/tomoyo/ interface.
@@ -269,6 +360,8 @@ struct tomoyo_io_buffer {
        int (*write) (struct tomoyo_io_buffer *);
        /* Exclusive lock for this structure.   */
        struct mutex io_sem;
+       /* Index returned by tomoyo_read_lock(). */
+       int reader_idx;
        /* The position currently reading from. */
        struct list_head *read_var1;
        /* Extra variables for reading.         */
@@ -297,20 +390,170 @@ struct tomoyo_io_buffer {
        int writebuf_size;
 };
 
+/*
+ * tomoyo_globally_readable_file_entry is a structure which is used for holding
+ * "allow_read" entries.
+ * It has following fields.
+ *
+ *  (1) "list" which is linked to tomoyo_globally_readable_list .
+ *  (2) "filename" is a pathname which is allowed to open(O_RDONLY).
+ *  (3) "is_deleted" is a bool which is true if marked as deleted, false
+ *      otherwise.
+ */
+struct tomoyo_globally_readable_file_entry {
+       struct list_head list;
+       const struct tomoyo_path_info *filename;
+       bool is_deleted;
+};
+
+/*
+ * tomoyo_pattern_entry is a structure which is used for holding
+ * "tomoyo_pattern_list" entries.
+ * It has following fields.
+ *
+ *  (1) "list" which is linked to tomoyo_pattern_list .
+ *  (2) "pattern" is a pathname pattern which is used for converting pathnames
+ *      to pathname patterns during learning mode.
+ *  (3) "is_deleted" is a bool which is true if marked as deleted, false
+ *      otherwise.
+ */
+struct tomoyo_pattern_entry {
+       struct list_head list;
+       const struct tomoyo_path_info *pattern;
+       bool is_deleted;
+};
+
+/*
+ * tomoyo_no_rewrite_entry is a structure which is used for holding
+ * "deny_rewrite" entries.
+ * It has following fields.
+ *
+ *  (1) "list" which is linked to tomoyo_no_rewrite_list .
+ *  (2) "pattern" is a pathname which is by default not permitted to modify
+ *      already existing content.
+ *  (3) "is_deleted" is a bool which is true if marked as deleted, false
+ *      otherwise.
+ */
+struct tomoyo_no_rewrite_entry {
+       struct list_head list;
+       const struct tomoyo_path_info *pattern;
+       bool is_deleted;
+};
+
+/*
+ * tomoyo_domain_initializer_entry is a structure which is used for holding
+ * "initialize_domain" and "no_initialize_domain" entries.
+ * It has following fields.
+ *
+ *  (1) "list" which is linked to tomoyo_domain_initializer_list .
+ *  (2) "domainname" which is "a domainname" or "the last component of a
+ *      domainname". This field is NULL if "from" clause is not specified.
+ *  (3) "program" which is a program's pathname.
+ *  (4) "is_deleted" is a bool which is true if marked as deleted, false
+ *      otherwise.
+ *  (5) "is_not" is a bool which is true if "no_initialize_domain", false
+ *      otherwise.
+ *  (6) "is_last_name" is a bool which is true if "domainname" is "the last
+ *      component of a domainname", false otherwise.
+ */
+struct tomoyo_domain_initializer_entry {
+       struct list_head list;
+       const struct tomoyo_path_info *domainname;    /* This may be NULL */
+       const struct tomoyo_path_info *program;
+       bool is_deleted;
+       bool is_not;       /* True if this entry is "no_initialize_domain".  */
+       /* True if the domainname is tomoyo_get_last_name(). */
+       bool is_last_name;
+};
+
+/*
+ * tomoyo_domain_keeper_entry is a structure which is used for holding
+ * "keep_domain" and "no_keep_domain" entries.
+ * It has following fields.
+ *
+ *  (1) "list" which is linked to tomoyo_domain_keeper_list .
+ *  (2) "domainname" which is "a domainname" or "the last component of a
+ *      domainname".
+ *  (3) "program" which is a program's pathname.
+ *      This field is NULL if "from" clause is not specified.
+ *  (4) "is_deleted" is a bool which is true if marked as deleted, false
+ *      otherwise.
+ *  (5) "is_not" is a bool which is true if "no_initialize_domain", false
+ *      otherwise.
+ *  (6) "is_last_name" is a bool which is true if "domainname" is "the last
+ *      component of a domainname", false otherwise.
+ */
+struct tomoyo_domain_keeper_entry {
+       struct list_head list;
+       const struct tomoyo_path_info *domainname;
+       const struct tomoyo_path_info *program;       /* This may be NULL */
+       bool is_deleted;
+       bool is_not;       /* True if this entry is "no_keep_domain".        */
+       /* True if the domainname is tomoyo_get_last_name(). */
+       bool is_last_name;
+};
+
+/*
+ * tomoyo_alias_entry is a structure which is used for holding "alias" entries.
+ * It has following fields.
+ *
+ *  (1) "list" which is linked to tomoyo_alias_list .
+ *  (2) "original_name" which is a dereferenced pathname.
+ *  (3) "aliased_name" which is a symlink's pathname.
+ *  (4) "is_deleted" is a bool which is true if marked as deleted, false
+ *      otherwise.
+ */
+struct tomoyo_alias_entry {
+       struct list_head list;
+       const struct tomoyo_path_info *original_name;
+       const struct tomoyo_path_info *aliased_name;
+       bool is_deleted;
+};
+
+/*
+ * tomoyo_policy_manager_entry is a structure which is used for holding list of
+ * domainnames or programs which are permitted to modify configuration via
+ * /sys/kernel/security/tomoyo/ interface.
+ * It has following fields.
+ *
+ *  (1) "list" which is linked to tomoyo_policy_manager_list .
+ *  (2) "manager" is a domainname or a program's pathname.
+ *  (3) "is_domain" is a bool which is true if "manager" is a domainname, false
+ *      otherwise.
+ *  (4) "is_deleted" is a bool which is true if marked as deleted, false
+ *      otherwise.
+ */
+struct tomoyo_policy_manager_entry {
+       struct list_head list;
+       /* A path to program or a domainname. */
+       const struct tomoyo_path_info *manager;
+       bool is_domain;  /* True if manager is a domainname. */
+       bool is_deleted; /* True if this entry is deleted. */
+};
+
+/********** Function prototypes. **********/
+
+/* Check whether the given name matches the given name_union. */
+bool tomoyo_compare_name_union(const struct tomoyo_path_info *name,
+                              const struct tomoyo_name_union *ptr);
 /* Check whether the domain has too many ACL entries to hold. */
 bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info * const domain);
 /* Transactional sprintf() for policy dump. */
 bool tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...)
        __attribute__ ((format(printf, 2, 3)));
 /* Check whether the domainname is correct. */
-bool tomoyo_is_correct_domain(const unsigned char *domainname,
-                             const char *function);
+bool tomoyo_is_correct_domain(const unsigned char *domainname);
 /* Check whether the token is correct. */
 bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
-                           const s8 pattern_type, const s8 end_type,
-                           const char *function);
+                           const s8 pattern_type, const s8 end_type);
 /* Check whether the token can be a domainname. */
 bool tomoyo_is_domain_def(const unsigned char *buffer);
+bool tomoyo_parse_name_union(const char *filename,
+                            struct tomoyo_name_union *ptr);
+/* Check whether the given filename matches the given path_group. */
+bool tomoyo_path_matches_group(const struct tomoyo_path_info *pathname,
+                              const struct tomoyo_path_group *group,
+                              const bool may_use_pattern);
 /* Check whether the given filename matches the given pattern. */
 bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename,
                                 const struct tomoyo_path_info *pattern);
@@ -325,20 +568,24 @@ bool tomoyo_read_domain_initializer_poli
 bool tomoyo_read_domain_keeper_policy(struct tomoyo_io_buffer *head);
 /* Read "file_pattern" entry in exception policy. */
 bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head);
+/* Read "path_group" entry in exception policy. */
+bool tomoyo_read_path_group_policy(struct tomoyo_io_buffer *head);
 /* Read "allow_read" entry in exception policy. */
 bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head);
 /* Read "deny_rewrite" entry in exception policy. */
 bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head);
+/* Tokenize a line. */
+bool tomoyo_tokenize(char *buffer, char *w[], size_t size);
 /* Write domain policy violation warning message to console? */
 bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain);
 /* Convert double path operation to operation name. */
-const char *tomoyo_dp2keyword(const u8 operation);
+const char *tomoyo_path22keyword(const u8 operation);
 /* Get the last component of the given domainname. */
 const char *tomoyo_get_last_name(const struct tomoyo_domain_info *domain);
 /* Get warning message. */
 const char *tomoyo_get_msg(const bool is_enforce);
 /* Convert single path operation to operation name. */
-const char *tomoyo_sp2keyword(const u8 operation);
+const char *tomoyo_path2keyword(const u8 operation);
 /* Create "alias" entry in exception policy. */
 int tomoyo_write_alias_policy(char *data, const bool is_delete);
 /*
@@ -365,42 +612,128 @@ int tomoyo_write_globally_readable_polic
 int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete);
 /* Create "file_pattern" entry in exception policy. */
 int tomoyo_write_pattern_policy(char *data, const bool is_delete);
+/* Create "path_group" entry in exception policy. */
+int tomoyo_write_path_group_policy(char *data, const bool is_delete);
 /* Find a domain by the given name. */
 struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname);
 /* Find or create a domain by the given name. */
 struct tomoyo_domain_info *tomoyo_find_or_assign_new_domain(const char *
                                                            domainname,
                                                            const u8 profile);
+
+/* Allocate memory for "struct tomoyo_path_group". */
+struct tomoyo_path_group *tomoyo_get_path_group(const char *group_name);
+
 /* Check mode for specified functionality. */
 unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain,
                                const u8 index);
-/* Allocate memory for structures. */
-void *tomoyo_alloc_acl_element(const u8 acl_type);
 /* Fill in "struct tomoyo_path_info" members. */
 void tomoyo_fill_path_info(struct tomoyo_path_info *ptr);
 /* Run policy loader when /sbin/init starts. */
 void tomoyo_load_policy(const char *filename);
-/* Change "struct tomoyo_domain_info"->flags. */
-void tomoyo_set_domain_flag(struct tomoyo_domain_info *domain,
-                           const bool is_delete, const u8 flags);
 
-/* strcmp() for "struct tomoyo_path_info" structure. */
-static inline bool tomoyo_pathcmp(const struct tomoyo_path_info *a,
-                                 const struct tomoyo_path_info *b)
+/* Convert binary string to ascii string. */
+int tomoyo_encode(char *buffer, int buflen, const char *str);
+
+/* Returns realpath(3) of the given pathname but ignores chroot'ed root. */
+int tomoyo_realpath_from_path2(struct path *path, char *newname,
+                              int newname_len);
+
+/*
+ * Returns realpath(3) of the given pathname but ignores chroot'ed root.
+ * These functions use kzalloc(), so the caller must call kfree()
+ * if these functions didn't return NULL.
+ */
+char *tomoyo_realpath(const char *pathname);
+/*
+ * Same with tomoyo_realpath() except that it doesn't follow the final symlink.
+ */
+char *tomoyo_realpath_nofollow(const char *pathname);
+/* Same with tomoyo_realpath() except that the pathname is already solved. */
+char *tomoyo_realpath_from_path(struct path *path);
+
+/* Check memory quota. */
+bool tomoyo_memory_ok(void *ptr);
+void *tomoyo_commit_ok(void *data, const unsigned int size);
+
+/*
+ * Keep the given name on the RAM.
+ * The RAM is shared, so NEVER try to modify or kfree() the returned name.
+ */
+const struct tomoyo_path_info *tomoyo_get_name(const char *name);
+
+/* Check for memory usage. */
+int tomoyo_read_memory_counter(struct tomoyo_io_buffer *head);
+
+/* Set memory quota. */
+int tomoyo_write_memory_quota(struct tomoyo_io_buffer *head);
+
+/* Initialize realpath related code. */
+void __init tomoyo_realpath_init(void);
+int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain,
+                          const struct tomoyo_path_info *filename);
+int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
+                                struct path *path, const int flag);
+int tomoyo_path_perm(const u8 operation, struct path *path);
+int tomoyo_path2_perm(const u8 operation, struct path *path1,
+                     struct path *path2);
+int tomoyo_check_rewrite_permission(struct file *filp);
+int tomoyo_find_next_domain(struct linux_binprm *bprm);
+
+/* Drop refcount on tomoyo_name_union. */
+void tomoyo_put_name_union(struct tomoyo_name_union *ptr);
+
+/* Run garbage collector. */
+void tomoyo_run_gc(void);
+
+void tomoyo_memory_free(void *ptr);
+
+int tomoyo_check_file_perm(const char *filename, const u8 perm);
+
+/********** External variable definitions. **********/
+
+/* Lock for GC. */
+extern struct srcu_struct tomoyo_ss;
+
+/* The list for "struct tomoyo_domain_info". */
+extern struct list_head tomoyo_domain_list;
+
+extern struct list_head tomoyo_path_group_list;
+extern struct list_head tomoyo_domain_initializer_list;
+extern struct list_head tomoyo_domain_keeper_list;
+extern struct list_head tomoyo_alias_list;
+extern struct list_head tomoyo_globally_readable_list;
+extern struct list_head tomoyo_pattern_list;
+extern struct list_head tomoyo_no_rewrite_list;
+extern struct list_head tomoyo_policy_manager_list;
+extern struct list_head tomoyo_name_list[TOMOYO_MAX_HASH];
+
+/* Lock for protecting policy. */
+extern struct mutex tomoyo_policy_lock;
+
+/* Has /sbin/init started? */
+extern bool tomoyo_policy_loaded;
+
+/* The kernel's domain. */
+extern struct tomoyo_domain_info tomoyo_kernel_domain;
+
+/********** Inlined functions. **********/
+
+static inline int tomoyo_read_lock(void)
 {
-       return a->hash != b->hash || strcmp(a->name, b->name);
+       return srcu_read_lock(&tomoyo_ss);
 }
 
-/* Get type of an ACL entry. */
-static inline u8 tomoyo_acl_type1(struct tomoyo_acl_info *ptr)
+static inline void tomoyo_read_unlock(int idx)
 {
-       return ptr->type & ~TOMOYO_ACL_DELETED;
+       srcu_read_unlock(&tomoyo_ss, idx);
 }
 
-/* Get type of an ACL entry. */
-static inline u8 tomoyo_acl_type2(struct tomoyo_acl_info *ptr)
+/* strcmp() for "struct tomoyo_path_info" structure. */
+static inline bool tomoyo_pathcmp(const struct tomoyo_path_info *a,
+                                 const struct tomoyo_path_info *b)
 {
-       return ptr->type;
+       return a->hash != b->hash || strcmp(a->name, b->name);
 }
 
 /**
@@ -427,18 +760,84 @@ static inline bool tomoyo_is_invalid(con
        return c && (c <= ' ' || c >= 127);
 }
 
-/* The list for "struct tomoyo_domain_info". */
-extern struct list_head tomoyo_domain_list;
-extern struct rw_semaphore tomoyo_domain_list_lock;
+static inline void tomoyo_put_name(const struct tomoyo_path_info *name)
+{
+       if (name) {
+               struct tomoyo_name_entry *ptr =
+                       container_of(name, struct tomoyo_name_entry, entry);
+               atomic_dec(&ptr->users);
+       }
+}
 
-/* Lock for domain->acl_info_list. */
-extern struct rw_semaphore tomoyo_domain_acl_info_list_lock;
+static inline void tomoyo_put_path_group(struct tomoyo_path_group *group)
+{
+       if (group)
+               atomic_dec(&group->users);
+}
 
-/* Has /sbin/init started? */
-extern bool tomoyo_policy_loaded;
+static inline struct tomoyo_domain_info *tomoyo_domain(void)
+{
+       return current_cred()->security;
+}
 
-/* The kernel's domain. */
-extern struct tomoyo_domain_info tomoyo_kernel_domain;
+static inline struct tomoyo_domain_info *tomoyo_real_domain(struct task_struct
+                                                           *task)
+{
+       return task_cred_xxx(task, security);
+}
+
+static inline bool tomoyo_is_same_acl_head(const struct tomoyo_acl_info *p1,
+                                          const struct tomoyo_acl_info *p2)
+{
+       return p1->type == p2->type;
+}
+
+static inline bool tomoyo_is_same_name_union
+(const struct tomoyo_name_union *p1, const struct tomoyo_name_union *p2)
+{
+       return p1->filename == p2->filename && p1->group == p2->group &&
+               p1->is_group == p2->is_group;
+}
+
+static inline bool tomoyo_is_same_path_acl(const struct tomoyo_path_acl *p1,
+                                          const struct tomoyo_path_acl *p2)
+{
+       return tomoyo_is_same_acl_head(&p1->head, &p2->head) &&
+               tomoyo_is_same_name_union(&p1->name, &p2->name);
+}
+
+static inline bool tomoyo_is_same_path2_acl(const struct tomoyo_path2_acl *p1,
+                                           const struct tomoyo_path2_acl *p2)
+{
+       return tomoyo_is_same_acl_head(&p1->head, &p2->head) &&
+               tomoyo_is_same_name_union(&p1->name1, &p2->name1) &&
+               tomoyo_is_same_name_union(&p1->name2, &p2->name2);
+}
+
+static inline bool tomoyo_is_same_domain_initializer_entry
+(const struct tomoyo_domain_initializer_entry *p1,
+ const struct tomoyo_domain_initializer_entry *p2)
+{
+       return p1->is_not == p2->is_not && p1->is_last_name == p2->is_last_name
+               && p1->domainname == p2->domainname
+               && p1->program == p2->program;
+}
+
+static inline bool tomoyo_is_same_domain_keeper_entry
+(const struct tomoyo_domain_keeper_entry *p1,
+ const struct tomoyo_domain_keeper_entry *p2)
+{
+       return p1->is_not == p2->is_not && p1->is_last_name == p2->is_last_name
+               && p1->domainname == p2->domainname
+               && p1->program == p2->program;
+}
+
+static inline bool tomoyo_is_same_alias_entry
+(const struct tomoyo_alias_entry *p1, const struct tomoyo_alias_entry *p2)
+{
+       return p1->original_name == p2->original_name &&
+               p1->aliased_name == p2->aliased_name;
+}
 
 /**
  * list_for_each_cookie - iterate over a list with cookie.
@@ -446,16 +845,16 @@ extern struct tomoyo_domain_info tomoyo_
  * @cookie:     the &struct list_head to use as a cookie.
  * @head:       the head for your list.
  *
- * Same with list_for_each() except that this primitive uses @cookie
+ * Same with list_for_each_rcu() except that this primitive uses @cookie
  * so that we can continue iteration.
  * @cookie must be NULL when iteration starts, and @cookie will become
  * NULL when iteration finishes.
  */
-#define list_for_each_cookie(pos, cookie, head)                       \
-       for (({ if (!cookie)                                          \
-                                    cookie = head; }),               \
-            pos = (cookie)->next;                                    \
-            prefetch(pos->next), pos != (head) || ((cookie) = NULL); \
-            (cookie) = pos, pos = pos->next)
+#define list_for_each_cookie(pos, cookie, head)                                \
+       for (({ if (!cookie)                                            \
+                                    cookie = head; }),                 \
+                    pos = rcu_dereference((cookie)->next);             \
+            prefetch(pos->next), pos != (head) || ((cookie) = NULL);   \
+            (cookie) = pos, pos = rcu_dereference(pos->next))
 
 #endif /* !defined(_SECURITY_TOMOYO_COMMON_H) */
--- linux-2.6.32.28.orig/security/tomoyo/domain.c
+++ linux-2.6.32.28/security/tomoyo/domain.c
@@ -10,9 +10,8 @@
  */
 
 #include "common.h"
-#include "tomoyo.h"
-#include "realpath.h"
 #include <linux/binfmts.h>
+#include <linux/slab.h>
 
 /* Variables definitions.*/
 
@@ -58,99 +57,6 @@ struct tomoyo_domain_info tomoyo_kernel_
  * exceptions.
  */
 LIST_HEAD(tomoyo_domain_list);
-DECLARE_RWSEM(tomoyo_domain_list_lock);
-
-/*
- * tomoyo_domain_initializer_entry is a structure which is used for holding
- * "initialize_domain" and "no_initialize_domain" entries.
- * It has following fields.
- *
- *  (1) "list" which is linked to tomoyo_domain_initializer_list .
- *  (2) "domainname" which is "a domainname" or "the last component of a
- *      domainname". This field is NULL if "from" clause is not specified.
- *  (3) "program" which is a program's pathname.
- *  (4) "is_deleted" is a bool which is true if marked as deleted, false
- *      otherwise.
- *  (5) "is_not" is a bool which is true if "no_initialize_domain", false
- *      otherwise.
- *  (6) "is_last_name" is a bool which is true if "domainname" is "the last
- *      component of a domainname", false otherwise.
- */
-struct tomoyo_domain_initializer_entry {
-       struct list_head list;
-       const struct tomoyo_path_info *domainname;    /* This may be NULL */
-       const struct tomoyo_path_info *program;
-       bool is_deleted;
-       bool is_not;       /* True if this entry is "no_initialize_domain".  */
-       /* True if the domainname is tomoyo_get_last_name(). */
-       bool is_last_name;
-};
-
-/*
- * tomoyo_domain_keeper_entry is a structure which is used for holding
- * "keep_domain" and "no_keep_domain" entries.
- * It has following fields.
- *
- *  (1) "list" which is linked to tomoyo_domain_keeper_list .
- *  (2) "domainname" which is "a domainname" or "the last component of a
- *      domainname".
- *  (3) "program" which is a program's pathname.
- *      This field is NULL if "from" clause is not specified.
- *  (4) "is_deleted" is a bool which is true if marked as deleted, false
- *      otherwise.
- *  (5) "is_not" is a bool which is true if "no_initialize_domain", false
- *      otherwise.
- *  (6) "is_last_name" is a bool which is true if "domainname" is "the last
- *      component of a domainname", false otherwise.
- */
-struct tomoyo_domain_keeper_entry {
-       struct list_head list;
-       const struct tomoyo_path_info *domainname;
-       const struct tomoyo_path_info *program;       /* This may be NULL */
-       bool is_deleted;
-       bool is_not;       /* True if this entry is "no_keep_domain".        */
-       /* True if the domainname is tomoyo_get_last_name(). */
-       bool is_last_name;
-};
-
-/*
- * tomoyo_alias_entry is a structure which is used for holding "alias" entries.
- * It has following fields.
- *
- *  (1) "list" which is linked to tomoyo_alias_list .
- *  (2) "original_name" which is a dereferenced pathname.
- *  (3) "aliased_name" which is a symlink's pathname.
- *  (4) "is_deleted" is a bool which is true if marked as deleted, false
- *      otherwise.
- */
-struct tomoyo_alias_entry {
-       struct list_head list;
-       const struct tomoyo_path_info *original_name;
-       const struct tomoyo_path_info *aliased_name;
-       bool is_deleted;
-};
-
-/**
- * tomoyo_set_domain_flag - Set or clear domain's attribute flags.
- *
- * @domain:    Pointer to "struct tomoyo_domain_info".
- * @is_delete: True if it is a delete request.
- * @flags:     Flags to set or clear.
- *
- * Returns nothing.
- */
-void tomoyo_set_domain_flag(struct tomoyo_domain_info *domain,
-                           const bool is_delete, const u8 flags)
-{
-       /* We need to serialize because this is bitfield operation. */
-       static DEFINE_SPINLOCK(lock);
-       spin_lock(&lock);
-       if (!is_delete)
-               domain->flags |= flags;
-       else
-               domain->flags &= ~flags;
-       spin_unlock(&lock);
-}
 
 /**
  * tomoyo_get_last_name - Get last component of a domainname.
@@ -205,8 +111,7 @@ const char *tomoyo_get_last_name(const s
  * will cause "/usr/sbin/httpd" to belong to "<kernel> /usr/sbin/httpd" domain
  * unless executed from "<kernel> /etc/rc.d/init.d/httpd" domain.
  */
-static LIST_HEAD(tomoyo_domain_initializer_list);
-static DECLARE_RWSEM(tomoyo_domain_initializer_list_lock);
+LIST_HEAD(tomoyo_domain_initializer_list);
 
 /**
  * tomoyo_update_domain_initializer_entry - Update "struct tomoyo_domain_initializer_entry" list.
@@ -217,59 +122,55 @@ static DECLARE_RWSEM(tomoyo_domain_initi
  * @is_delete:  True if it is a delete request.
  *
  * Returns 0 on success, negative value otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 static int tomoyo_update_domain_initializer_entry(const char *domainname,
                                                  const char *program,
                                                  const bool is_not,
                                                  const bool is_delete)
 {
-       struct tomoyo_domain_initializer_entry *new_entry;
        struct tomoyo_domain_initializer_entry *ptr;
-       const struct tomoyo_path_info *saved_program;
-       const struct tomoyo_path_info *saved_domainname = NULL;
-       int error = -ENOMEM;
-       bool is_last_name = false;
+       struct tomoyo_domain_initializer_entry e = { .is_not = is_not };
+       int error = is_delete ? -ENOENT : -ENOMEM;
 
-       if (!tomoyo_is_correct_path(program, 1, -1, -1, __func__))
+       if (!tomoyo_is_correct_path(program, 1, -1, -1))
                return -EINVAL; /* No patterns allowed. */
        if (domainname) {
                if (!tomoyo_is_domain_def(domainname) &&
-                   tomoyo_is_correct_path(domainname, 1, -1, -1, __func__))
-                       is_last_name = true;
-               else if (!tomoyo_is_correct_domain(domainname, __func__))
+                   tomoyo_is_correct_path(domainname, 1, -1, -1))
+                       e.is_last_name = true;
+               else if (!tomoyo_is_correct_domain(domainname))
                        return -EINVAL;
-               saved_domainname = tomoyo_save_name(domainname);
-               if (!saved_domainname)
-                       return -ENOMEM;
-       }
-       saved_program = tomoyo_save_name(program);
-       if (!saved_program)
-               return -ENOMEM;
-       down_write(&tomoyo_domain_initializer_list_lock);
-       list_for_each_entry(ptr, &tomoyo_domain_initializer_list, list) {
-               if (ptr->is_not != is_not ||
-                   ptr->domainname != saved_domainname ||
-                   ptr->program != saved_program)
+               e.domainname = tomoyo_get_name(domainname);
+               if (!e.domainname)
+                       goto out;
+       }
+       e.program = tomoyo_get_name(program);
+       if (!e.program)
+               goto out;
+       if (mutex_lock_interruptible(&tomoyo_policy_lock))
+               goto out;
+       list_for_each_entry_rcu(ptr, &tomoyo_domain_initializer_list, list) {
+               if (!tomoyo_is_same_domain_initializer_entry(ptr, &e))
                        continue;
                ptr->is_deleted = is_delete;
                error = 0;
-               goto out;
+               break;
        }
-       if (is_delete) {
-               error = -ENOENT;
-               goto out;
+       if (!is_delete && error) {
+               struct tomoyo_domain_initializer_entry *entry =
+                       tomoyo_commit_ok(&e, sizeof(e));
+               if (entry) {
+                       list_add_tail_rcu(&entry->list,
+                                         &tomoyo_domain_initializer_list);
+                       error = 0;
+               }
        }
-       new_entry = tomoyo_alloc_element(sizeof(*new_entry));
-       if (!new_entry)
-               goto out;
-       new_entry->domainname = saved_domainname;
-       new_entry->program = saved_program;
-       new_entry->is_not = is_not;
-       new_entry->is_last_name = is_last_name;
-       list_add_tail(&new_entry->list, &tomoyo_domain_initializer_list);
-       error = 0;
+       mutex_unlock(&tomoyo_policy_lock);
  out:
-       up_write(&tomoyo_domain_initializer_list_lock);
+       tomoyo_put_name(e.domainname);
+       tomoyo_put_name(e.program);
        return error;
 }
 
@@ -279,13 +180,14 @@ static int tomoyo_update_domain_initiali
  * @head: Pointer to "struct tomoyo_io_buffer".
  *
  * Returns true on success, false otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 bool tomoyo_read_domain_initializer_policy(struct tomoyo_io_buffer *head)
 {
        struct list_head *pos;
        bool done = true;
 
-       down_read(&tomoyo_domain_initializer_list_lock);
        list_for_each_cookie(pos, head->read_var2,
                             &tomoyo_domain_initializer_list) {
                const char *no;
@@ -308,7 +210,6 @@ bool tomoyo_read_domain_initializer_poli
                if (!done)
                        break;
        }
-       up_read(&tomoyo_domain_initializer_list_lock);
        return done;
 }
 
@@ -320,6 +221,8 @@ bool tomoyo_read_domain_initializer_poli
  * @is_delete: True if it is a delete request.
  *
  * Returns 0 on success, negative value otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 int tomoyo_write_domain_initializer_policy(char *data, const bool is_not,
                                           const bool is_delete)
@@ -345,6 +248,8 @@ int tomoyo_write_domain_initializer_poli
  *
  * Returns true if executing @program reinitializes domain transition,
  * false otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 static bool tomoyo_is_domain_initializer(const struct tomoyo_path_info *
                                         domainname,
@@ -355,8 +260,7 @@ static bool tomoyo_is_domain_initializer
        struct tomoyo_domain_initializer_entry *ptr;
        bool flag = false;
 
-       down_read(&tomoyo_domain_initializer_list_lock);
-       list_for_each_entry(ptr,  &tomoyo_domain_initializer_list, list) {
+       list_for_each_entry_rcu(ptr, &tomoyo_domain_initializer_list, list) {
                if (ptr->is_deleted)
                        continue;
                if (ptr->domainname) {
@@ -376,7 +280,6 @@ static bool tomoyo_is_domain_initializer
                }
                flag = true;
        }
-       up_read(&tomoyo_domain_initializer_list_lock);
        return flag;
 }
 
@@ -418,8 +321,7 @@ static bool tomoyo_is_domain_initializer
  * "<kernel> /usr/sbin/sshd /bin/bash /usr/bin/passwd" domain, unless
  * explicitly specified by "initialize_domain".
  */
-static LIST_HEAD(tomoyo_domain_keeper_list);
-static DECLARE_RWSEM(tomoyo_domain_keeper_list_lock);
+LIST_HEAD(tomoyo_domain_keeper_list);
 
 /**
  * tomoyo_update_domain_keeper_entry - Update "struct tomoyo_domain_keeper_entry" list.
@@ -430,59 +332,55 @@ static DECLARE_RWSEM(tomoyo_domain_keepe
  * @is_delete:  True if it is a delete request.
  *
  * Returns 0 on success, negative value otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 static int tomoyo_update_domain_keeper_entry(const char *domainname,
                                             const char *program,
                                             const bool is_not,
                                             const bool is_delete)
 {
-       struct tomoyo_domain_keeper_entry *new_entry;
        struct tomoyo_domain_keeper_entry *ptr;
-       const struct tomoyo_path_info *saved_domainname;
-       const struct tomoyo_path_info *saved_program = NULL;
-       int error = -ENOMEM;
-       bool is_last_name = false;
+       struct tomoyo_domain_keeper_entry e = { .is_not = is_not };
+       int error = is_delete ? -ENOENT : -ENOMEM;
 
        if (!tomoyo_is_domain_def(domainname) &&
-           tomoyo_is_correct_path(domainname, 1, -1, -1, __func__))
-               is_last_name = true;
-       else if (!tomoyo_is_correct_domain(domainname, __func__))
+           tomoyo_is_correct_path(domainname, 1, -1, -1))
+               e.is_last_name = true;
+       else if (!tomoyo_is_correct_domain(domainname))
                return -EINVAL;
        if (program) {
-               if (!tomoyo_is_correct_path(program, 1, -1, -1, __func__))
+               if (!tomoyo_is_correct_path(program, 1, -1, -1))
                        return -EINVAL;
-               saved_program = tomoyo_save_name(program);
-               if (!saved_program)
-                       return -ENOMEM;
+               e.program = tomoyo_get_name(program);
+               if (!e.program)
+                       goto out;
        }
-       saved_domainname = tomoyo_save_name(domainname);
-       if (!saved_domainname)
-               return -ENOMEM;
-       down_write(&tomoyo_domain_keeper_list_lock);
-       list_for_each_entry(ptr, &tomoyo_domain_keeper_list, list) {
-               if (ptr->is_not != is_not ||
-                   ptr->domainname != saved_domainname ||
-                   ptr->program != saved_program)
+       e.domainname = tomoyo_get_name(domainname);
+       if (!e.domainname)
+               goto out;
+       if (mutex_lock_interruptible(&tomoyo_policy_lock))
+               goto out;
+       list_for_each_entry_rcu(ptr, &tomoyo_domain_keeper_list, list) {
+               if (!tomoyo_is_same_domain_keeper_entry(ptr, &e))
                        continue;
                ptr->is_deleted = is_delete;
                error = 0;
-               goto out;
+               break;
        }
-       if (is_delete) {
-               error = -ENOENT;
-               goto out;
+       if (!is_delete && error) {
+               struct tomoyo_domain_keeper_entry *entry =
+                       tomoyo_commit_ok(&e, sizeof(e));
+               if (entry) {
+                       list_add_tail_rcu(&entry->list,
+                                         &tomoyo_domain_keeper_list);
+                       error = 0;
+               }
        }
-       new_entry = tomoyo_alloc_element(sizeof(*new_entry));
-       if (!new_entry)
-               goto out;
-       new_entry->domainname = saved_domainname;
-       new_entry->program = saved_program;
-       new_entry->is_not = is_not;
-       new_entry->is_last_name = is_last_name;
-       list_add_tail(&new_entry->list, &tomoyo_domain_keeper_list);
-       error = 0;
+       mutex_unlock(&tomoyo_policy_lock);
  out:
-       up_write(&tomoyo_domain_keeper_list_lock);
+       tomoyo_put_name(e.domainname);
+       tomoyo_put_name(e.program);
        return error;
 }
 
@@ -493,6 +391,7 @@ static int tomoyo_update_domain_keeper_e
  * @is_not:    True if it is "no_keep_domain" entry.
  * @is_delete: True if it is a delete request.
  *
+ * Caller holds tomoyo_read_lock().
  */
 int tomoyo_write_domain_keeper_policy(char *data, const bool is_not,
                                      const bool is_delete)
@@ -513,13 +412,14 @@ int tomoyo_write_domain_keeper_policy(ch
  * @head: Pointer to "struct tomoyo_io_buffer".
  *
  * Returns true on success, false otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 bool tomoyo_read_domain_keeper_policy(struct tomoyo_io_buffer *head)
 {
        struct list_head *pos;
        bool done = true;
 
-       down_read(&tomoyo_domain_keeper_list_lock);
        list_for_each_cookie(pos, head->read_var2,
                             &tomoyo_domain_keeper_list) {
                struct tomoyo_domain_keeper_entry *ptr;
@@ -542,7 +442,6 @@ bool tomoyo_read_domain_keeper_policy(st
                if (!done)
                        break;
        }
-       up_read(&tomoyo_domain_keeper_list_lock);
        return done;
 }
 
@@ -555,6 +454,8 @@ bool tomoyo_read_domain_keeper_policy(st
  *
  * Returns true if executing @program supresses domain transition,
  * false otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 static bool tomoyo_is_domain_keeper(const struct tomoyo_path_info *domainname,
                                    const struct tomoyo_path_info *program,
@@ -563,8 +464,7 @@ static bool tomoyo_is_domain_keeper(cons
        struct tomoyo_domain_keeper_entry *ptr;
        bool flag = false;
 
-       down_read(&tomoyo_domain_keeper_list_lock);
-       list_for_each_entry(ptr, &tomoyo_domain_keeper_list, list) {
+       list_for_each_entry_rcu(ptr, &tomoyo_domain_keeper_list, list) {
                if (ptr->is_deleted)
                        continue;
                if (!ptr->is_last_name) {
@@ -582,7 +482,6 @@ static bool tomoyo_is_domain_keeper(cons
                }
                flag = true;
        }
-       up_read(&tomoyo_domain_keeper_list_lock);
        return flag;
 }
 
@@ -616,8 +515,7 @@ static bool tomoyo_is_domain_keeper(cons
  * /bin/busybox and domainname which the current process will belong to after
  * execve() succeeds is calculated using /bin/cat rather than /bin/busybox .
  */
-static LIST_HEAD(tomoyo_alias_list);
-static DECLARE_RWSEM(tomoyo_alias_list_lock);
+LIST_HEAD(tomoyo_alias_list);
 
 /**
  * tomoyo_update_alias_entry - Update "struct tomoyo_alias_entry" list.
@@ -627,46 +525,45 @@ static DECLARE_RWSEM(tomoyo_alias_list_l
  * @is_delete:     True if it is a delete request.
  *
  * Returns 0 on success, negative value otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 static int tomoyo_update_alias_entry(const char *original_name,
                                     const char *aliased_name,
                                     const bool is_delete)
 {
-       struct tomoyo_alias_entry *new_entry;
        struct tomoyo_alias_entry *ptr;
-       const struct tomoyo_path_info *saved_original_name;
-       const struct tomoyo_path_info *saved_aliased_name;
-       int error = -ENOMEM;
+       struct tomoyo_alias_entry e = { };
+       int error = is_delete ? -ENOENT : -ENOMEM;
 
-       if (!tomoyo_is_correct_path(original_name, 1, -1, -1, __func__) ||
-           !tomoyo_is_correct_path(aliased_name, 1, -1, -1, __func__))
+       if (!tomoyo_is_correct_path(original_name, 1, -1, -1) ||
+           !tomoyo_is_correct_path(aliased_name, 1, -1, -1))
                return -EINVAL; /* No patterns allowed. */
-       saved_original_name = tomoyo_save_name(original_name);
-       saved_aliased_name = tomoyo_save_name(aliased_name);
-       if (!saved_original_name || !saved_aliased_name)
-               return -ENOMEM;
-       down_write(&tomoyo_alias_list_lock);
-       list_for_each_entry(ptr, &tomoyo_alias_list, list) {
-               if (ptr->original_name != saved_original_name ||
-                   ptr->aliased_name != saved_aliased_name)
+       e.original_name = tomoyo_get_name(original_name);
+       e.aliased_name = tomoyo_get_name(aliased_name);
+       if (!e.original_name || !e.aliased_name)
+               goto out;
+       if (mutex_lock_interruptible(&tomoyo_policy_lock))
+               goto out;
+       list_for_each_entry_rcu(ptr, &tomoyo_alias_list, list) {
+               if (!tomoyo_is_same_alias_entry(ptr, &e))
                        continue;
                ptr->is_deleted = is_delete;
                error = 0;
-               goto out;
+               break;
        }
-       if (is_delete) {
-               error = -ENOENT;
-               goto out;
+       if (!is_delete && error) {
+               struct tomoyo_alias_entry *entry =
+                       tomoyo_commit_ok(&e, sizeof(e));
+               if (entry) {
+                       list_add_tail_rcu(&entry->list, &tomoyo_alias_list);
+                       error = 0;
+               }
        }
-       new_entry = tomoyo_alloc_element(sizeof(*new_entry));
-       if (!new_entry)
-               goto out;
-       new_entry->original_name = saved_original_name;
-       new_entry->aliased_name = saved_aliased_name;
-       list_add_tail(&new_entry->list, &tomoyo_alias_list);
-       error = 0;
+       mutex_unlock(&tomoyo_policy_lock);
  out:
-       up_write(&tomoyo_alias_list_lock);
+       tomoyo_put_name(e.original_name);
+       tomoyo_put_name(e.aliased_name);
        return error;
 }
 
@@ -676,13 +573,14 @@ static int tomoyo_update_alias_entry(con
  * @head: Pointer to "struct tomoyo_io_buffer".
  *
  * Returns true on success, false otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 bool tomoyo_read_alias_policy(struct tomoyo_io_buffer *head)
 {
        struct list_head *pos;
        bool done = true;
 
-       down_read(&tomoyo_alias_list_lock);
        list_for_each_cookie(pos, head->read_var2, &tomoyo_alias_list) {
                struct tomoyo_alias_entry *ptr;
 
@@ -695,7 +593,6 @@ bool tomoyo_read_alias_policy(struct tom
                if (!done)
                        break;
        }
-       up_read(&tomoyo_alias_list_lock);
        return done;
 }
 
@@ -706,6 +603,8 @@ bool tomoyo_read_alias_policy(struct tom
  * @is_delete: True if it is a delete request.
  *
  * Returns 0 on success, negative value otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 int tomoyo_write_alias_policy(char *data, const bool is_delete)
 {
@@ -724,63 +623,48 @@ int tomoyo_write_alias_policy(char *data
  * @profile:    Profile number to assign if the domain was newly created.
  *
  * Returns pointer to "struct tomoyo_domain_info" on success, NULL otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 struct tomoyo_domain_info *tomoyo_find_or_assign_new_domain(const char *
                                                            domainname,
                                                            const u8 profile)
 {
+       struct tomoyo_domain_info *entry;
        struct tomoyo_domain_info *domain = NULL;
        const struct tomoyo_path_info *saved_domainname;
+       bool found = false;
 
-       down_write(&tomoyo_domain_list_lock);
-       domain = tomoyo_find_domain(domainname);
-       if (domain)
-               goto out;
-       if (!tomoyo_is_correct_domain(domainname, __func__))
-               goto out;
-       saved_domainname = tomoyo_save_name(domainname);
+       if (!tomoyo_is_correct_domain(domainname))
+               return NULL;
+       saved_domainname = tomoyo_get_name(domainname);
        if (!saved_domainname)
-               goto out;
-       /* Can I reuse memory of deleted domain? */
-       list_for_each_entry(domain, &tomoyo_domain_list, list) {
-               struct task_struct *p;
-               struct tomoyo_acl_info *ptr;
-               bool flag;
-               if (!domain->is_deleted ||
-                   domain->domainname != saved_domainname)
-                       continue;
-               flag = false;
-               read_lock(&tasklist_lock);
-               for_each_process(p) {
-                       if (tomoyo_real_domain(p) != domain)
-                               continue;
-                       flag = true;
-                       break;
-               }
-               read_unlock(&tasklist_lock);
-               if (flag)
-                       continue;
-               list_for_each_entry(ptr, &domain->acl_info_list, list) {
-                       ptr->type |= TOMOYO_ACL_DELETED;
-               }
-               tomoyo_set_domain_flag(domain, true, domain->flags);
-               domain->profile = profile;
-               domain->quota_warned = false;
-               mb(); /* Avoid out-of-order execution. */
-               domain->is_deleted = false;
-               goto out;
-       }
-       /* No memory reusable. Create using new memory. */
-       domain = tomoyo_alloc_element(sizeof(*domain));
-       if (domain) {
-               INIT_LIST_HEAD(&domain->acl_info_list);
-               domain->domainname = saved_domainname;
-               domain->profile = profile;
-               list_add_tail(&domain->list, &tomoyo_domain_list);
+               return NULL;
+       entry = kzalloc(sizeof(*entry), GFP_NOFS);
+       if (mutex_lock_interruptible(&tomoyo_policy_lock))
+               goto out;
+       list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
+               if (domain->is_deleted ||
+                   tomoyo_pathcmp(saved_domainname, domain->domainname))
+                       continue;
+               found = true;
+               break;
+       }
+       if (!found && tomoyo_memory_ok(entry)) {
+               INIT_LIST_HEAD(&entry->acl_info_list);
+               entry->domainname = saved_domainname;
+               saved_domainname = NULL;
+               entry->profile = profile;
+               list_add_tail_rcu(&entry->list, &tomoyo_domain_list);
+               domain = entry;
+               entry = NULL;
+               found = true;
        }
+       mutex_unlock(&tomoyo_policy_lock);
  out:
-       up_write(&tomoyo_domain_list_lock);
-       return domain;
+       tomoyo_put_name(saved_domainname);
+       kfree(entry);
+       return found ? domain : NULL;
 }
 
 /**
@@ -789,6 +673,8 @@ struct tomoyo_domain_info *tomoyo_find_o
  * @bprm: Pointer to "struct linux_binprm".
  *
  * Returns 0 on success, negative value otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 int tomoyo_find_next_domain(struct linux_binprm *bprm)
 {
@@ -796,7 +682,7 @@ int tomoyo_find_next_domain(struct linux
         * This function assumes that the size of buffer returned by
         * tomoyo_realpath() = TOMOYO_MAX_PATHNAME_LEN.
         */
-       struct tomoyo_page_buffer *tmp = tomoyo_alloc(sizeof(*tmp));
+       struct tomoyo_page_buffer *tmp = kzalloc(sizeof(*tmp), GFP_NOFS);
        struct tomoyo_domain_info *old_domain = tomoyo_domain();
        struct tomoyo_domain_info *domain = NULL;
        const char *old_domain_name = old_domain->domainname->name;
@@ -849,8 +735,7 @@ int tomoyo_find_next_domain(struct linux
        if (tomoyo_pathcmp(&r, &s)) {
                struct tomoyo_alias_entry *ptr;
                /* Is this program allowed to be called via symbolic links? */
-               down_read(&tomoyo_alias_list_lock);
-               list_for_each_entry(ptr, &tomoyo_alias_list, list) {
+               list_for_each_entry_rcu(ptr, &tomoyo_alias_list, list) {
                        if (ptr->is_deleted ||
                            tomoyo_pathcmp(&r, ptr->original_name) ||
                            tomoyo_pathcmp(&s, ptr->aliased_name))
@@ -861,7 +746,6 @@ int tomoyo_find_next_domain(struct linux
                        tomoyo_fill_path_info(&r);
                        break;
                }
-               up_read(&tomoyo_alias_list_lock);
        }
 
        /* Check execute permission. */
@@ -892,9 +776,7 @@ int tomoyo_find_next_domain(struct linux
        }
        if (domain || strlen(new_domain_name) >= TOMOYO_MAX_PATHNAME_LEN)
                goto done;
-       down_read(&tomoyo_domain_list_lock);
        domain = tomoyo_find_domain(new_domain_name);
-       up_read(&tomoyo_domain_list_lock);
        if (domain)
                goto done;
        if (is_enforce)
@@ -909,14 +791,15 @@ int tomoyo_find_next_domain(struct linux
        if (is_enforce)
                retval = -EPERM;
        else
-               tomoyo_set_domain_flag(old_domain, false,
-                                      TOMOYO_DOMAIN_FLAGS_TRANSITION_FAILED);
+               old_domain->transition_failed = true;
  out:
        if (!domain)
                domain = old_domain;
+       /* Update reference count on "struct tomoyo_domain_info". */
+       atomic_inc(&domain->users);
        bprm->cred->security = domain;
-       tomoyo_free(real_program_name);
-       tomoyo_free(symlink_program_name);
-       tomoyo_free(tmp);
+       kfree(real_program_name);
+       kfree(symlink_program_name);
+       kfree(tmp);
        return retval;
 }
--- linux-2.6.32.28.orig/security/tomoyo/file.c
+++ linux-2.6.32.28/security/tomoyo/file.c
@@ -10,109 +10,97 @@
  */
 
 #include "common.h"
-#include "tomoyo.h"
-#include "realpath.h"
+#include <linux/slab.h>
 #define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE])
 
-/*
- * tomoyo_globally_readable_file_entry is a structure which is used for holding
- * "allow_read" entries.
- * It has following fields.
- *
- *  (1) "list" which is linked to tomoyo_globally_readable_list .
- *  (2) "filename" is a pathname which is allowed to open(O_RDONLY).
- *  (3) "is_deleted" is a bool which is true if marked as deleted, false
- *      otherwise.
- */
-struct tomoyo_globally_readable_file_entry {
-       struct list_head list;
-       const struct tomoyo_path_info *filename;
-       bool is_deleted;
+/* Keyword array for single path operations. */
+static const char *tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION] = {
+       [TOMOYO_TYPE_READ_WRITE] = "read/write",
+       [TOMOYO_TYPE_EXECUTE]    = "execute",
+       [TOMOYO_TYPE_READ]       = "read",
+       [TOMOYO_TYPE_WRITE]      = "write",
+       [TOMOYO_TYPE_CREATE]     = "create",
+       [TOMOYO_TYPE_UNLINK]     = "unlink",
+       [TOMOYO_TYPE_MKDIR]      = "mkdir",
+       [TOMOYO_TYPE_RMDIR]      = "rmdir",
+       [TOMOYO_TYPE_MKFIFO]     = "mkfifo",
+       [TOMOYO_TYPE_MKSOCK]     = "mksock",
+       [TOMOYO_TYPE_MKBLOCK]    = "mkblock",
+       [TOMOYO_TYPE_MKCHAR]     = "mkchar",
+       [TOMOYO_TYPE_TRUNCATE]   = "truncate",
+       [TOMOYO_TYPE_SYMLINK]    = "symlink",
+       [TOMOYO_TYPE_REWRITE]    = "rewrite",
+       [TOMOYO_TYPE_IOCTL]      = "ioctl",
+       [TOMOYO_TYPE_CHMOD]      = "chmod",
+       [TOMOYO_TYPE_CHOWN]      = "chown",
+       [TOMOYO_TYPE_CHGRP]      = "chgrp",
+       [TOMOYO_TYPE_CHROOT]     = "chroot",
+       [TOMOYO_TYPE_MOUNT]      = "mount",
+       [TOMOYO_TYPE_UMOUNT]     = "unmount",
 };
 
-/*
- * tomoyo_pattern_entry is a structure which is used for holding
- * "tomoyo_pattern_list" entries.
- * It has following fields.
- *
- *  (1) "list" which is linked to tomoyo_pattern_list .
- *  (2) "pattern" is a pathname pattern which is used for converting pathnames
- *      to pathname patterns during learning mode.
- *  (3) "is_deleted" is a bool which is true if marked as deleted, false
- *      otherwise.
- */
-struct tomoyo_pattern_entry {
-       struct list_head list;
-       const struct tomoyo_path_info *pattern;
-       bool is_deleted;
+/* Keyword array for double path operations. */
+static const char *tomoyo_path2_keyword[TOMOYO_MAX_PATH2_OPERATION] = {
+       [TOMOYO_TYPE_LINK]    = "link",
+       [TOMOYO_TYPE_RENAME]  = "rename",
+       [TOMOYO_TYPE_PIVOT_ROOT] = "pivot_root",
 };
 
-/*
- * tomoyo_no_rewrite_entry is a structure which is used for holding
- * "deny_rewrite" entries.
- * It has following fields.
- *
- *  (1) "list" which is linked to tomoyo_no_rewrite_list .
- *  (2) "pattern" is a pathname which is by default not permitted to modify
- *      already existing content.
- *  (3) "is_deleted" is a bool which is true if marked as deleted, false
- *      otherwise.
- */
-struct tomoyo_no_rewrite_entry {
-       struct list_head list;
-       const struct tomoyo_path_info *pattern;
-       bool is_deleted;
-};
+void tomoyo_put_name_union(struct tomoyo_name_union *ptr)
+{
+       if (!ptr)
+               return;
+       if (ptr->is_group)
+               tomoyo_put_path_group(ptr->group);
+       else
+               tomoyo_put_name(ptr->filename);
+}
 
-/* Keyword array for single path operations. */
-static const char *tomoyo_sp_keyword[TOMOYO_MAX_SINGLE_PATH_OPERATION] = {
-       [TOMOYO_TYPE_READ_WRITE_ACL] = "read/write",
-       [TOMOYO_TYPE_EXECUTE_ACL]    = "execute",
-       [TOMOYO_TYPE_READ_ACL]       = "read",
-       [TOMOYO_TYPE_WRITE_ACL]      = "write",
-       [TOMOYO_TYPE_CREATE_ACL]     = "create",
-       [TOMOYO_TYPE_UNLINK_ACL]     = "unlink",
-       [TOMOYO_TYPE_MKDIR_ACL]      = "mkdir",
-       [TOMOYO_TYPE_RMDIR_ACL]      = "rmdir",
-       [TOMOYO_TYPE_MKFIFO_ACL]     = "mkfifo",
-       [TOMOYO_TYPE_MKSOCK_ACL]     = "mksock",
-       [TOMOYO_TYPE_MKBLOCK_ACL]    = "mkblock",
-       [TOMOYO_TYPE_MKCHAR_ACL]     = "mkchar",
-       [TOMOYO_TYPE_TRUNCATE_ACL]   = "truncate",
-       [TOMOYO_TYPE_SYMLINK_ACL]    = "symlink",
-       [TOMOYO_TYPE_REWRITE_ACL]    = "rewrite",
-};
+bool tomoyo_compare_name_union(const struct tomoyo_path_info *name,
+                              const struct tomoyo_name_union *ptr)
+{
+       if (ptr->is_group)
+               return tomoyo_path_matches_group(name, ptr->group, 1);
+       return tomoyo_path_matches_pattern(name, ptr->filename);
+}
 
-/* Keyword array for double path operations. */
-static const char *tomoyo_dp_keyword[TOMOYO_MAX_DOUBLE_PATH_OPERATION] = {
-       [TOMOYO_TYPE_LINK_ACL]    = "link",
-       [TOMOYO_TYPE_RENAME_ACL]  = "rename",
-};
+static bool tomoyo_compare_name_union_pattern(const struct tomoyo_path_info
+                                             *name,
+                                             const struct tomoyo_name_union
+                                             *ptr, const bool may_use_pattern)
+{
+       if (ptr->is_group)
+               return tomoyo_path_matches_group(name, ptr->group,
+                                                may_use_pattern);
+       if (may_use_pattern || !ptr->filename->is_patterned)
+               return tomoyo_path_matches_pattern(name, ptr->filename);
+       return false;
+}
 
 /**
- * tomoyo_sp2keyword - Get the name of single path operation.
+ * tomoyo_path2keyword - Get the name of single path operation.
  *
  * @operation: Type of operation.
  *
  * Returns the name of single path operation.
  */
-const char *tomoyo_sp2keyword(const u8 operation)
+const char *tomoyo_path2keyword(const u8 operation)
 {
-       return (operation < TOMOYO_MAX_SINGLE_PATH_OPERATION)
-               ? tomoyo_sp_keyword[operation] : NULL;
+       return (operation < TOMOYO_MAX_PATH_OPERATION)
+               ? tomoyo_path_keyword[operation] : NULL;
 }
 
 /**
- * tomoyo_dp2keyword - Get the name of double path operation.
+ * tomoyo_path22keyword - Get the name of double path operation.
  *
  * @operation: Type of operation.
  *
  * Returns the name of double path operation.
  */
-const char *tomoyo_dp2keyword(const u8 operation)
+const char *tomoyo_path22keyword(const u8 operation)
 {
-       return (operation < TOMOYO_MAX_DOUBLE_PATH_OPERATION)
-               ? tomoyo_dp_keyword[operation] : NULL;
+       return (operation < TOMOYO_MAX_PATH2_OPERATION)
+               ? tomoyo_path2_keyword[operation] : NULL;
 }
 
 /**
@@ -143,7 +131,8 @@ static bool tomoyo_strendswith(const cha
 static struct tomoyo_path_info *tomoyo_get_path(struct path *path)
 {
        int error;
-       struct tomoyo_path_info_with_data *buf = tomoyo_alloc(sizeof(*buf));
+       struct tomoyo_path_info_with_data *buf = kzalloc(sizeof(*buf),
+                                                        GFP_NOFS);
 
        if (!buf)
                return NULL;
@@ -155,20 +144,17 @@ static struct tomoyo_path_info *tomoyo_g
                tomoyo_fill_path_info(&buf->head);
                return &buf->head;
        }
-       tomoyo_free(buf);
+       kfree(buf);
        return NULL;
 }
 
-/* Lock for domain->acl_info_list. */
-DECLARE_RWSEM(tomoyo_domain_acl_info_list_lock);
-
-static int tomoyo_update_double_path_acl(const u8 type, const char *filename1,
-                                        const char *filename2,
-                                        struct tomoyo_domain_info *
-                                        const domain, const bool is_delete);
-static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
-                                        struct tomoyo_domain_info *
-                                        const domain, const bool is_delete);
+static int tomoyo_update_path2_acl(const u8 type, const char *filename1,
+                                  const char *filename2,
+                                  struct tomoyo_domain_info *const domain,
+                                  const bool is_delete);
+static int tomoyo_update_path_acl(const u8 type, const char *filename,
+                                 struct tomoyo_domain_info *const domain,
+                                 const bool is_delete);
 
 /*
  * tomoyo_globally_readable_list is used for holding list of pathnames which
@@ -195,8 +181,7 @@ static int tomoyo_update_single_path_acl
  * given "allow_read /lib/libc-2.5.so" to the domain which current process
  * belongs to.
  */
-static LIST_HEAD(tomoyo_globally_readable_list);
-static DECLARE_RWSEM(tomoyo_globally_readable_list_lock);
+LIST_HEAD(tomoyo_globally_readable_list);
 
 /**
  * tomoyo_update_globally_readable_entry - Update "struct tomoyo_globally_readable_file_entry" list.
@@ -205,40 +190,42 @@ static DECLARE_RWSEM(tomoyo_globally_rea
  * @is_delete: True if it is a delete request.
  *
  * Returns 0 on success, negative value otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 static int tomoyo_update_globally_readable_entry(const char *filename,
                                                 const bool is_delete)
 {
-       struct tomoyo_globally_readable_file_entry *new_entry;
        struct tomoyo_globally_readable_file_entry *ptr;
-       const struct tomoyo_path_info *saved_filename;
-       int error = -ENOMEM;
+       struct tomoyo_globally_readable_file_entry e = { };
+       int error = is_delete ? -ENOENT : -ENOMEM;
 
-       if (!tomoyo_is_correct_path(filename, 1, 0, -1, __func__))
+       if (!tomoyo_is_correct_path(filename, 1, 0, -1))
                return -EINVAL;
-       saved_filename = tomoyo_save_name(filename);
-       if (!saved_filename)
+       e.filename = tomoyo_get_name(filename);
+       if (!e.filename)
                return -ENOMEM;
-       down_write(&tomoyo_globally_readable_list_lock);
-       list_for_each_entry(ptr, &tomoyo_globally_readable_list, list) {
-               if (ptr->filename != saved_filename)
+       if (mutex_lock_interruptible(&tomoyo_policy_lock))
+               goto out;
+       list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) {
+               if (ptr->filename != e.filename)
                        continue;
                ptr->is_deleted = is_delete;
                error = 0;
-               goto out;
+               break;
        }
-       if (is_delete) {
-               error = -ENOENT;
-               goto out;
+       if (!is_delete && error) {
+               struct tomoyo_globally_readable_file_entry *entry =
+                       tomoyo_commit_ok(&e, sizeof(e));
+               if (entry) {
+                       list_add_tail_rcu(&entry->list,
+                                         &tomoyo_globally_readable_list);
+                       error = 0;
+               }
        }
-       new_entry = tomoyo_alloc_element(sizeof(*new_entry));
-       if (!new_entry)
-               goto out;
-       new_entry->filename = saved_filename;
-       list_add_tail(&new_entry->list, &tomoyo_globally_readable_list);
-       error = 0;
+       mutex_unlock(&tomoyo_policy_lock);
  out:
-       up_write(&tomoyo_globally_readable_list_lock);
+       tomoyo_put_name(e.filename);
        return error;
 }
 
@@ -248,21 +235,22 @@ static int tomoyo_update_globally_readab
  * @filename: The filename to check.
  *
  * Returns true if any domain can open @filename for reading, false otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 static bool tomoyo_is_globally_readable_file(const struct tomoyo_path_info *
                                             filename)
 {
        struct tomoyo_globally_readable_file_entry *ptr;
        bool found = false;
-       down_read(&tomoyo_globally_readable_list_lock);
-       list_for_each_entry(ptr, &tomoyo_globally_readable_list, list) {
+
+       list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) {
                if (!ptr->is_deleted &&
                    tomoyo_path_matches_pattern(filename, ptr->filename)) {
                        found = true;
                        break;
                }
        }
-       up_read(&tomoyo_globally_readable_list_lock);
        return found;
 }
 
@@ -273,6 +261,8 @@ static bool tomoyo_is_globally_readable_
  * @is_delete: True if it is a delete request.
  *
  * Returns 0 on success, negative value otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 int tomoyo_write_globally_readable_policy(char *data, const bool is_delete)
 {
@@ -285,13 +275,14 @@ int tomoyo_write_globally_readable_polic
  * @head: Pointer to "struct tomoyo_io_buffer".
  *
  * Returns true on success, false otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head)
 {
        struct list_head *pos;
        bool done = true;
 
-       down_read(&tomoyo_globally_readable_list_lock);
        list_for_each_cookie(pos, head->read_var2,
                             &tomoyo_globally_readable_list) {
                struct tomoyo_globally_readable_file_entry *ptr;
@@ -305,7 +296,6 @@ bool tomoyo_read_globally_readable_polic
                if (!done)
                        break;
        }
-       up_read(&tomoyo_globally_readable_list_lock);
        return done;
 }
 
@@ -338,8 +328,7 @@ bool tomoyo_read_globally_readable_polic
  * which pretends as if /proc/self/ is not a symlink; so that we can forbid
  * current process from accessing other process's information.
  */
-static LIST_HEAD(tomoyo_pattern_list);
-static DECLARE_RWSEM(tomoyo_pattern_list_lock);
+LIST_HEAD(tomoyo_pattern_list);
 
 /**
  * tomoyo_update_file_pattern_entry - Update "struct tomoyo_pattern_entry" list.
@@ -348,40 +337,40 @@ static DECLARE_RWSEM(tomoyo_pattern_list
  * @is_delete: True if it is a delete request.
  *
  * Returns 0 on success, negative value otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 static int tomoyo_update_file_pattern_entry(const char *pattern,
                                            const bool is_delete)
 {
-       struct tomoyo_pattern_entry *new_entry;
        struct tomoyo_pattern_entry *ptr;
-       const struct tomoyo_path_info *saved_pattern;
-       int error = -ENOMEM;
+       struct tomoyo_pattern_entry e = { .pattern = tomoyo_get_name(pattern) };
+       int error = is_delete ? -ENOENT : -ENOMEM;
 
-       if (!tomoyo_is_correct_path(pattern, 0, 1, 0, __func__))
-               return -EINVAL;
-       saved_pattern = tomoyo_save_name(pattern);
-       if (!saved_pattern)
-               return -ENOMEM;
-       down_write(&tomoyo_pattern_list_lock);
-       list_for_each_entry(ptr, &tomoyo_pattern_list, list) {
-               if (saved_pattern != ptr->pattern)
+       if (!e.pattern)
+               return error;
+       if (!e.pattern->is_patterned)
+               goto out;
+       if (mutex_lock_interruptible(&tomoyo_policy_lock))
+               goto out;
+       list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) {
+               if (e.pattern != ptr->pattern)
                        continue;
                ptr->is_deleted = is_delete;
                error = 0;
-               goto out;
+               break;
        }
-       if (is_delete) {
-               error = -ENOENT;
-               goto out;
+       if (!is_delete && error) {
+               struct tomoyo_pattern_entry *entry =
+                       tomoyo_commit_ok(&e, sizeof(e));
+               if (entry) {
+                       list_add_tail_rcu(&entry->list, &tomoyo_pattern_list);
+                       error = 0;
+               }
        }
-       new_entry = tomoyo_alloc_element(sizeof(*new_entry));
-       if (!new_entry)
-               goto out;
-       new_entry->pattern = saved_pattern;
-       list_add_tail(&new_entry->list, &tomoyo_pattern_list);
-       error = 0;
+       mutex_unlock(&tomoyo_policy_lock);
  out:
-       up_write(&tomoyo_pattern_list_lock);
+       tomoyo_put_name(e.pattern);
        return error;
 }
 
@@ -391,6 +380,8 @@ static int tomoyo_update_file_pattern_en
  * @filename: The filename to find patterned pathname.
  *
  * Returns pointer to pathname pattern if matched, @filename otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 static const struct tomoyo_path_info *
 tomoyo_get_file_pattern(const struct tomoyo_path_info *filename)
@@ -398,8 +389,7 @@ tomoyo_get_file_pattern(const struct tom
        struct tomoyo_pattern_entry *ptr;
        const struct tomoyo_path_info *pattern = NULL;
 
-       down_read(&tomoyo_pattern_list_lock);
-       list_for_each_entry(ptr, &tomoyo_pattern_list, list) {
+       list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) {
                if (ptr->is_deleted)
                        continue;
                if (!tomoyo_path_matches_pattern(filename, ptr->pattern))
@@ -412,7 +402,6 @@ tomoyo_get_file_pattern(const struct tom
                        break;
                }
        }
-       up_read(&tomoyo_pattern_list_lock);
        if (pattern)
                filename = pattern;
        return filename;
@@ -425,6 +414,8 @@ tomoyo_get_file_pattern(const struct tom
  * @is_delete: True if it is a delete request.
  *
  * Returns 0 on success, negative value otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 int tomoyo_write_pattern_policy(char *data, const bool is_delete)
 {
@@ -437,13 +428,14 @@ int tomoyo_write_pattern_policy(char *da
  * @head: Pointer to "struct tomoyo_io_buffer".
  *
  * Returns true on success, false otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head)
 {
        struct list_head *pos;
        bool done = true;
 
-       down_read(&tomoyo_pattern_list_lock);
        list_for_each_cookie(pos, head->read_var2, &tomoyo_pattern_list) {
                struct tomoyo_pattern_entry *ptr;
                ptr = list_entry(pos, struct tomoyo_pattern_entry, list);
@@ -454,7 +446,6 @@ bool tomoyo_read_file_pattern(struct tom
                if (!done)
                        break;
        }
-       up_read(&tomoyo_pattern_list_lock);
        return done;
 }
 
@@ -487,8 +478,7 @@ bool tomoyo_read_file_pattern(struct tom
  * " (deleted)" suffix if the file is already unlink()ed; so that we don't
  * need to worry whether the file is already unlink()ed or not.
  */
-static LIST_HEAD(tomoyo_no_rewrite_list);
-static DECLARE_RWSEM(tomoyo_no_rewrite_list_lock);
+LIST_HEAD(tomoyo_no_rewrite_list);
 
 /**
  * tomoyo_update_no_rewrite_entry - Update "struct tomoyo_no_rewrite_entry" list.
@@ -497,39 +487,42 @@ static DECLARE_RWSEM(tomoyo_no_rewrite_l
  * @is_delete: True if it is a delete request.
  *
  * Returns 0 on success, negative value otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 static int tomoyo_update_no_rewrite_entry(const char *pattern,
                                          const bool is_delete)
 {
-       struct tomoyo_no_rewrite_entry *new_entry, *ptr;
-       const struct tomoyo_path_info *saved_pattern;
-       int error = -ENOMEM;
+       struct tomoyo_no_rewrite_entry *ptr;
+       struct tomoyo_no_rewrite_entry e = { };
+       int error = is_delete ? -ENOENT : -ENOMEM;
 
-       if (!tomoyo_is_correct_path(pattern, 0, 0, 0, __func__))
+       if (!tomoyo_is_correct_path(pattern, 0, 0, 0))
                return -EINVAL;
-       saved_pattern = tomoyo_save_name(pattern);
-       if (!saved_pattern)
-               return -ENOMEM;
-       down_write(&tomoyo_no_rewrite_list_lock);
-       list_for_each_entry(ptr, &tomoyo_no_rewrite_list, list) {
-               if (ptr->pattern != saved_pattern)
+       e.pattern = tomoyo_get_name(pattern);
+       if (!e.pattern)
+               return error;
+       if (mutex_lock_interruptible(&tomoyo_policy_lock))
+               goto out;
+       list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) {
+               if (ptr->pattern != e.pattern)
                        continue;
                ptr->is_deleted = is_delete;
                error = 0;
-               goto out;
+               break;
        }
-       if (is_delete) {
-               error = -ENOENT;
-               goto out;
+       if (!is_delete && error) {
+               struct tomoyo_no_rewrite_entry *entry =
+                       tomoyo_commit_ok(&e, sizeof(e));
+               if (entry) {
+                       list_add_tail_rcu(&entry->list,
+                                         &tomoyo_no_rewrite_list);
+                       error = 0;
+               }
        }
-       new_entry = tomoyo_alloc_element(sizeof(*new_entry));
-       if (!new_entry)
-               goto out;
-       new_entry->pattern = saved_pattern;
-       list_add_tail(&new_entry->list, &tomoyo_no_rewrite_list);
-       error = 0;
+       mutex_unlock(&tomoyo_policy_lock);
  out:
-       up_write(&tomoyo_no_rewrite_list_lock);
+       tomoyo_put_name(e.pattern);
        return error;
 }
 
@@ -540,14 +533,15 @@ static int tomoyo_update_no_rewrite_entr
  *
  * Returns true if @filename is specified by "deny_rewrite" directive,
  * false otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 static bool tomoyo_is_no_rewrite_file(const struct tomoyo_path_info *filename)
 {
        struct tomoyo_no_rewrite_entry *ptr;
        bool found = false;
 
-       down_read(&tomoyo_no_rewrite_list_lock);
-       list_for_each_entry(ptr, &tomoyo_no_rewrite_list, list) {
+       list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) {
                if (ptr->is_deleted)
                        continue;
                if (!tomoyo_path_matches_pattern(filename, ptr->pattern))
@@ -555,7 +549,6 @@ static bool tomoyo_is_no_rewrite_file(co
                found = true;
                break;
        }
-       up_read(&tomoyo_no_rewrite_list_lock);
        return found;
 }
 
@@ -566,6 +559,8 @@ static bool tomoyo_is_no_rewrite_file(co
  * @is_delete: True if it is a delete request.
  *
  * Returns 0 on success, negative value otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete)
 {
@@ -578,13 +573,14 @@ int tomoyo_write_no_rewrite_policy(char 
  * @head: Pointer to "struct tomoyo_io_buffer".
  *
  * Returns true on success, false otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head)
 {
        struct list_head *pos;
        bool done = true;
 
-       down_read(&tomoyo_no_rewrite_list_lock);
        list_for_each_cookie(pos, head->read_var2, &tomoyo_no_rewrite_list) {
                struct tomoyo_no_rewrite_entry *ptr;
                ptr = list_entry(pos, struct tomoyo_no_rewrite_entry, list);
@@ -595,7 +591,6 @@ bool tomoyo_read_no_rewrite_policy(struc
                if (!done)
                        break;
        }
-       up_read(&tomoyo_no_rewrite_list_lock);
        return done;
 }
 
@@ -613,6 +608,8 @@ bool tomoyo_read_no_rewrite_policy(struc
  * Current policy syntax uses "allow_read/write" instead of "6",
  * "allow_read" instead of "4", "allow_write" instead of "2",
  * "allow_execute" instead of "1".
+ *
+ * Caller holds tomoyo_read_lock().
  */
 static int tomoyo_update_file_acl(const char *filename, u8 perm,
                                  struct tomoyo_domain_info * const domain,
@@ -630,19 +627,19 @@ static int tomoyo_update_file_acl(const 
                 */
                return 0;
        if (perm & 4)
-               tomoyo_update_single_path_acl(TOMOYO_TYPE_READ_ACL, filename,
-                                             domain, is_delete);
+               tomoyo_update_path_acl(TOMOYO_TYPE_READ, filename, domain,
+                                      is_delete);
        if (perm & 2)
-               tomoyo_update_single_path_acl(TOMOYO_TYPE_WRITE_ACL, filename,
-                                             domain, is_delete);
+               tomoyo_update_path_acl(TOMOYO_TYPE_WRITE, filename, domain,
+                                      is_delete);
        if (perm & 1)
-               tomoyo_update_single_path_acl(TOMOYO_TYPE_EXECUTE_ACL,
-                                             filename, domain, is_delete);
+               tomoyo_update_path_acl(TOMOYO_TYPE_EXECUTE, filename, domain,
+                                      is_delete);
        return 0;
 }
 
 /**
- * tomoyo_check_single_path_acl2 - Check permission for single path operation.
+ * tomoyo_path_acl2 - Check permission for single path operation.
  *
  * @domain:          Pointer to "struct tomoyo_domain_info".
  * @filename:        Filename to check.
@@ -650,37 +647,34 @@ static int tomoyo_update_file_acl(const 
  * @may_use_pattern: True if patterned ACL is permitted.
  *
  * Returns 0 on success, -EPERM otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
-static int tomoyo_check_single_path_acl2(const struct tomoyo_domain_info *
-                                        domain,
-                                        const struct tomoyo_path_info *
-                                        filename,
-                                        const u16 perm,
-                                        const bool may_use_pattern)
+static int tomoyo_path_acl2(const struct tomoyo_domain_info *domain,
+                           const struct tomoyo_path_info *filename,
+                           const u32 perm, const bool may_use_pattern)
 {
        struct tomoyo_acl_info *ptr;
        int error = -EPERM;
 
-       down_read(&tomoyo_domain_acl_info_list_lock);
-       list_for_each_entry(ptr, &domain->acl_info_list, list) {
-               struct tomoyo_single_path_acl_record *acl;
-               if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL)
-                       continue;
-               acl = container_of(ptr, struct tomoyo_single_path_acl_record,
-                                  head);
-               if (!(acl->perm & perm))
-                       continue;
-               if (may_use_pattern || !acl->filename->is_patterned) {
-                       if (!tomoyo_path_matches_pattern(filename,
-                                                        acl->filename))
+       list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
+               struct tomoyo_path_acl *acl;
+               if (ptr->type != TOMOYO_TYPE_PATH_ACL)
+                       continue;
+               acl = container_of(ptr, struct tomoyo_path_acl, head);
+               if (perm <= 0xFFFF) {
+                       if (!(acl->perm & perm))
                                continue;
                } else {
-                       continue;
+                       if (!(acl->perm_high & (perm >> 16)))
+                               continue;
                }
+               if (!tomoyo_compare_name_union_pattern(filename, &acl->name,
+                                                       may_use_pattern))
+                       continue;
                error = 0;
                break;
        }
-       up_read(&tomoyo_domain_acl_info_list_lock);
        return error;
 }
 
@@ -692,27 +686,28 @@ static int tomoyo_check_single_path_acl2
  * @operation: Mode ("read" or "write" or "read/write" or "execute").
  *
  * Returns 0 on success, -EPERM otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 static int tomoyo_check_file_acl(const struct tomoyo_domain_info *domain,
                                 const struct tomoyo_path_info *filename,
                                 const u8 operation)
 {
-       u16 perm = 0;
+       u32 perm = 0;
 
        if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
                return 0;
        if (operation == 6)
-               perm = 1 << TOMOYO_TYPE_READ_WRITE_ACL;
+               perm = 1 << TOMOYO_TYPE_READ_WRITE;
        else if (operation == 4)
-               perm = 1 << TOMOYO_TYPE_READ_ACL;
+               perm = 1 << TOMOYO_TYPE_READ;
        else if (operation == 2)
-               perm = 1 << TOMOYO_TYPE_WRITE_ACL;
+               perm = 1 << TOMOYO_TYPE_WRITE;
        else if (operation == 1)
-               perm = 1 << TOMOYO_TYPE_EXECUTE_ACL;
+               perm = 1 << TOMOYO_TYPE_EXECUTE;
        else
                BUG();
-       return tomoyo_check_single_path_acl2(domain, filename, perm,
-                                            operation != 1);
+       return tomoyo_path_acl2(domain, filename, perm, operation != 1);
 }
 
 /**
@@ -725,6 +720,8 @@ static int tomoyo_check_file_acl(const s
  * @mode:      Access control mode.
  *
  * Returns 0 on success, negative value otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 static int tomoyo_check_file_perm2(struct tomoyo_domain_info * const domain,
                                   const struct tomoyo_path_info *filename,
@@ -738,18 +735,17 @@ static int tomoyo_check_file_perm2(struc
        if (!filename)
                return 0;
        error = tomoyo_check_file_acl(domain, filename, perm);
-       if (error && perm == 4 &&
-           (domain->flags & TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ) == 0
+       if (error && perm == 4 && !domain->ignore_global_allow_read
            && tomoyo_is_globally_readable_file(filename))
                error = 0;
        if (perm == 6)
-               msg = tomoyo_sp2keyword(TOMOYO_TYPE_READ_WRITE_ACL);
+               msg = tomoyo_path2keyword(TOMOYO_TYPE_READ_WRITE);
        else if (perm == 4)
-               msg = tomoyo_sp2keyword(TOMOYO_TYPE_READ_ACL);
+               msg = tomoyo_path2keyword(TOMOYO_TYPE_READ);
        else if (perm == 2)
-               msg = tomoyo_sp2keyword(TOMOYO_TYPE_WRITE_ACL);
+               msg = tomoyo_path2keyword(TOMOYO_TYPE_WRITE);
        else if (perm == 1)
-               msg = tomoyo_sp2keyword(TOMOYO_TYPE_EXECUTE_ACL);
+               msg = tomoyo_path2keyword(TOMOYO_TYPE_EXECUTE);
        else
                BUG();
        if (!error)
@@ -778,6 +774,8 @@ static int tomoyo_check_file_perm2(struc
  * @is_delete: True if it is a delete request.
  *
  * Returns 0 on success, negative value otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain,
                             const bool is_delete)
@@ -796,28 +794,28 @@ int tomoyo_write_file_policy(char *data,
        if (strncmp(data, "allow_", 6))
                goto out;
        data += 6;
-       for (type = 0; type < TOMOYO_MAX_SINGLE_PATH_OPERATION; type++) {
-               if (strcmp(data, tomoyo_sp_keyword[type]))
+       for (type = 0; type < TOMOYO_MAX_PATH_OPERATION; type++) {
+               if (strcmp(data, tomoyo_path_keyword[type]))
                        continue;
-               return tomoyo_update_single_path_acl(type, filename,
-                                                    domain, is_delete);
+               return tomoyo_update_path_acl(type, filename, domain,
+                                             is_delete);
        }
        filename2 = strchr(filename, ' ');
        if (!filename2)
                goto out;
        *filename2++ = '\0';
-       for (type = 0; type < TOMOYO_MAX_DOUBLE_PATH_OPERATION; type++) {
-               if (strcmp(data, tomoyo_dp_keyword[type]))
+       for (type = 0; type < TOMOYO_MAX_PATH2_OPERATION; type++) {
+               if (strcmp(data, tomoyo_path2_keyword[type]))
                        continue;
-               return tomoyo_update_double_path_acl(type, filename, filename2,
-                                                    domain, is_delete);
+               return tomoyo_update_path2_acl(type, filename, filename2,
+                                              domain, is_delete);
        }
  out:
        return -EINVAL;
 }
 
 /**
- * tomoyo_update_single_path_acl - Update "struct tomoyo_single_path_acl_record" list.
+ * tomoyo_update_path_acl - Update "struct tomoyo_path_acl" list.
  *
  * @type:      Type of operation.
  * @filename:  Filename.
@@ -825,85 +823,76 @@ int tomoyo_write_file_policy(char *data,
  * @is_delete: True if it is a delete request.
  *
  * Returns 0 on success, negative value otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
-static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
-                                        struct tomoyo_domain_info *
-                                        const domain, const bool is_delete)
-{
-       static const u16 rw_mask =
-               (1 << TOMOYO_TYPE_READ_ACL) | (1 << TOMOYO_TYPE_WRITE_ACL);
-       const struct tomoyo_path_info *saved_filename;
+static int tomoyo_update_path_acl(const u8 type, const char *filename,
+                                 struct tomoyo_domain_info *const domain,
+                                 const bool is_delete)
+{
+       static const u32 tomoyo_rw_mask =
+               (1 << TOMOYO_TYPE_READ) | (1 << TOMOYO_TYPE_WRITE);
+       const u32 perm = 1 << type;
        struct tomoyo_acl_info *ptr;
-       struct tomoyo_single_path_acl_record *acl;
-       int error = -ENOMEM;
-       const u16 perm = 1 << type;
+       struct tomoyo_path_acl e = {
+               .head.type = TOMOYO_TYPE_PATH_ACL,
+               .perm_high = perm >> 16,
+               .perm = perm
+       };
+       int error = is_delete ? -ENOENT : -ENOMEM;
 
+       if (type == TOMOYO_TYPE_READ_WRITE)
+               e.perm |= tomoyo_rw_mask;
        if (!domain)
                return -EINVAL;
-       if (!tomoyo_is_correct_path(filename, 0, 0, 0, __func__))
+       if (!tomoyo_parse_name_union(filename, &e.name))
                return -EINVAL;
-       saved_filename = tomoyo_save_name(filename);
-       if (!saved_filename)
-               return -ENOMEM;
-       down_write(&tomoyo_domain_acl_info_list_lock);
-       if (is_delete)
-               goto delete;
-       list_for_each_entry(ptr, &domain->acl_info_list, list) {
-               if (tomoyo_acl_type1(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL)
-                       continue;
-               acl = container_of(ptr, struct tomoyo_single_path_acl_record,
-                                  head);
-               if (acl->filename != saved_filename)
-                       continue;
-               /* Special case. Clear all bits if marked as deleted. */
-               if (ptr->type & TOMOYO_ACL_DELETED)
-                       acl->perm = 0;
-               acl->perm |= perm;
-               if ((acl->perm & rw_mask) == rw_mask)
-                       acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE_ACL;
-               else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL))
-                       acl->perm |= rw_mask;
-               ptr->type &= ~TOMOYO_ACL_DELETED;
-               error = 0;
-               goto out;
-       }
-       /* Not found. Append it to the tail. */
-       acl = tomoyo_alloc_acl_element(TOMOYO_TYPE_SINGLE_PATH_ACL);
-       if (!acl)
+       if (mutex_lock_interruptible(&tomoyo_policy_lock))
                goto out;
-       acl->perm = perm;
-       if (perm == (1 << TOMOYO_TYPE_READ_WRITE_ACL))
-               acl->perm |= rw_mask;
-       acl->filename = saved_filename;
-       list_add_tail(&acl->head.list, &domain->acl_info_list);
-       error = 0;
-       goto out;
- delete:
-       error = -ENOENT;
-       list_for_each_entry(ptr, &domain->acl_info_list, list) {
-               if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL)
-                       continue;
-               acl = container_of(ptr, struct tomoyo_single_path_acl_record,
-                                  head);
-               if (acl->filename != saved_filename)
-                       continue;
-               acl->perm &= ~perm;
-               if ((acl->perm & rw_mask) != rw_mask)
-                       acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE_ACL);
-               else if (!(acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL)))
-                       acl->perm &= ~rw_mask;
-               if (!acl->perm)
-                       ptr->type |= TOMOYO_ACL_DELETED;
+       list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
+               struct tomoyo_path_acl *acl =
+                       container_of(ptr, struct tomoyo_path_acl, head);
+               if (!tomoyo_is_same_path_acl(acl, &e))
+                       continue;
+               if (is_delete) {
+                       if (perm <= 0xFFFF)
+                               acl->perm &= ~perm;
+                       else
+                               acl->perm_high &= ~(perm >> 16);
+                       if ((acl->perm & tomoyo_rw_mask) != tomoyo_rw_mask)
+                               acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE);
+                       else if (!(acl->perm & (1 << TOMOYO_TYPE_READ_WRITE)))
+                               acl->perm &= ~tomoyo_rw_mask;
+               } else {
+                       if (perm <= 0xFFFF)
+                               acl->perm |= perm;
+                       else
+                               acl->perm_high |= (perm >> 16);
+                       if ((acl->perm & tomoyo_rw_mask) == tomoyo_rw_mask)
+                               acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE;
+                       else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE))
+                               acl->perm |= tomoyo_rw_mask;
+               }
                error = 0;
                break;
        }
+       if (!is_delete && error) {
+               struct tomoyo_path_acl *entry =
+                       tomoyo_commit_ok(&e, sizeof(e));
+               if (entry) {
+                       list_add_tail_rcu(&entry->head.list,
+                                         &domain->acl_info_list);
+                       error = 0;
+               }
+       }
+       mutex_unlock(&tomoyo_policy_lock);
  out:
-       up_write(&tomoyo_domain_acl_info_list_lock);
+       tomoyo_put_name_union(&e.name);
        return error;
 }
 
 /**
- * tomoyo_update_double_path_acl - Update "struct tomoyo_double_path_acl_record" list.
+ * tomoyo_update_path2_acl - Update "struct tomoyo_path2_acl" list.
  *
  * @type:      Type of operation.
  * @filename1: First filename.
@@ -912,98 +901,78 @@ static int tomoyo_update_single_path_acl
  * @is_delete: True if it is a delete request.
  *
  * Returns 0 on success, negative value otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
-static int tomoyo_update_double_path_acl(const u8 type, const char *filename1,
-                                        const char *filename2,
-                                        struct tomoyo_domain_info *
-                                        const domain, const bool is_delete)
+static int tomoyo_update_path2_acl(const u8 type, const char *filename1,
+                                  const char *filename2,
+                                  struct tomoyo_domain_info *const domain,
+                                  const bool is_delete)
 {
-       const struct tomoyo_path_info *saved_filename1;
-       const struct tomoyo_path_info *saved_filename2;
-       struct tomoyo_acl_info *ptr;
-       struct tomoyo_double_path_acl_record *acl;
-       int error = -ENOMEM;
        const u8 perm = 1 << type;
+       struct tomoyo_path2_acl e = {
+               .head.type = TOMOYO_TYPE_PATH2_ACL,
+               .perm = perm
+       };
+       struct tomoyo_acl_info *ptr;
+       int error = is_delete ? -ENOENT : -ENOMEM;
 
        if (!domain)
                return -EINVAL;
-       if (!tomoyo_is_correct_path(filename1, 0, 0, 0, __func__) ||
-           !tomoyo_is_correct_path(filename2, 0, 0, 0, __func__))
-               return -EINVAL;
-       saved_filename1 = tomoyo_save_name(filename1);
-       saved_filename2 = tomoyo_save_name(filename2);
-       if (!saved_filename1 || !saved_filename2)
-               return -ENOMEM;
-       down_write(&tomoyo_domain_acl_info_list_lock);
-       if (is_delete)
-               goto delete;
-       list_for_each_entry(ptr, &domain->acl_info_list, list) {
-               if (tomoyo_acl_type1(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL)
-                       continue;
-               acl = container_of(ptr, struct tomoyo_double_path_acl_record,
-                                  head);
-               if (acl->filename1 != saved_filename1 ||
-                   acl->filename2 != saved_filename2)
-                       continue;
-               /* Special case. Clear all bits if marked as deleted. */
-               if (ptr->type & TOMOYO_ACL_DELETED)
-                       acl->perm = 0;
-               acl->perm |= perm;
-               ptr->type &= ~TOMOYO_ACL_DELETED;
-               error = 0;
+       if (!tomoyo_parse_name_union(filename1, &e.name1) ||
+           !tomoyo_parse_name_union(filename2, &e.name2))
                goto out;
-       }
-       /* Not found. Append it to the tail. */
-       acl = tomoyo_alloc_acl_element(TOMOYO_TYPE_DOUBLE_PATH_ACL);
-       if (!acl)
+       if (mutex_lock_interruptible(&tomoyo_policy_lock))
                goto out;
-       acl->perm = perm;
-       acl->filename1 = saved_filename1;
-       acl->filename2 = saved_filename2;
-       list_add_tail(&acl->head.list, &domain->acl_info_list);
-       error = 0;
-       goto out;
- delete:
-       error = -ENOENT;
-       list_for_each_entry(ptr, &domain->acl_info_list, list) {
-               if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL)
-                       continue;
-               acl = container_of(ptr, struct tomoyo_double_path_acl_record,
-                                  head);
-               if (acl->filename1 != saved_filename1 ||
-                   acl->filename2 != saved_filename2)
-                       continue;
-               acl->perm &= ~perm;
-               if (!acl->perm)
-                       ptr->type |= TOMOYO_ACL_DELETED;
+       list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
+               struct tomoyo_path2_acl *acl =
+                       container_of(ptr, struct tomoyo_path2_acl, head);
+               if (!tomoyo_is_same_path2_acl(acl, &e))
+                       continue;
+               if (is_delete)
+                       acl->perm &= ~perm;
+               else
+                       acl->perm |= perm;
                error = 0;
                break;
        }
+       if (!is_delete && error) {
+               struct tomoyo_path2_acl *entry =
+                       tomoyo_commit_ok(&e, sizeof(e));
+               if (entry) {
+                       list_add_tail_rcu(&entry->head.list,
+                                         &domain->acl_info_list);
+                       error = 0;
+               }
+       }
+       mutex_unlock(&tomoyo_policy_lock);
  out:
-       up_write(&tomoyo_domain_acl_info_list_lock);
+       tomoyo_put_name_union(&e.name1);
+       tomoyo_put_name_union(&e.name2);
        return error;
 }
 
 /**
- * tomoyo_check_single_path_acl - Check permission for single path operation.
+ * tomoyo_path_acl - Check permission for single path operation.
  *
  * @domain:   Pointer to "struct tomoyo_domain_info".
  * @type:     Type of operation.
  * @filename: Filename to check.
  *
  * Returns 0 on success, negative value otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
-static int tomoyo_check_single_path_acl(struct tomoyo_domain_info *domain,
-                                       const u8 type,
-                                       const struct tomoyo_path_info *filename)
+static int tomoyo_path_acl(struct tomoyo_domain_info *domain, const u8 type,
+                          const struct tomoyo_path_info *filename)
 {
        if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
                return 0;
-       return tomoyo_check_single_path_acl2(domain, filename, 1 << type, 1);
+       return tomoyo_path_acl2(domain, filename, 1 << type, 1);
 }
 
 /**
- * tomoyo_check_double_path_acl - Check permission for double path operation.
+ * tomoyo_path2_acl - Check permission for double path operation.
  *
  * @domain:    Pointer to "struct tomoyo_domain_info".
  * @type:      Type of operation.
@@ -1011,13 +980,13 @@ static int tomoyo_check_single_path_acl(
  * @filename2: Second filename to check.
  *
  * Returns 0 on success, -EPERM otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
-static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info *domain,
-                                       const u8 type,
-                                       const struct tomoyo_path_info *
-                                       filename1,
-                                       const struct tomoyo_path_info *
-                                       filename2)
+static int tomoyo_path2_acl(const struct tomoyo_domain_info *domain,
+                           const u8 type,
+                           const struct tomoyo_path_info *filename1,
+                           const struct tomoyo_path_info *filename2)
 {
        struct tomoyo_acl_info *ptr;
        const u8 perm = 1 << type;
@@ -1025,28 +994,25 @@ static int tomoyo_check_double_path_acl(
 
        if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
                return 0;
-       down_read(&tomoyo_domain_acl_info_list_lock);
-       list_for_each_entry(ptr, &domain->acl_info_list, list) {
-               struct tomoyo_double_path_acl_record *acl;
-               if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL)
+       list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
+               struct tomoyo_path2_acl *acl;
+               if (ptr->type != TOMOYO_TYPE_PATH2_ACL)
                        continue;
-               acl = container_of(ptr, struct tomoyo_double_path_acl_record,
-                                  head);
+               acl = container_of(ptr, struct tomoyo_path2_acl, head);
                if (!(acl->perm & perm))
                        continue;
-               if (!tomoyo_path_matches_pattern(filename1, acl->filename1))
+               if (!tomoyo_compare_name_union(filename1, &acl->name1))
                        continue;
-               if (!tomoyo_path_matches_pattern(filename2, acl->filename2))
+               if (!tomoyo_compare_name_union(filename2, &acl->name2))
                        continue;
                error = 0;
                break;
        }
-       up_read(&tomoyo_domain_acl_info_list_lock);
        return error;
 }
 
 /**
- * tomoyo_check_single_path_permission2 - Check permission for single path operation.
+ * tomoyo_path_permission2 - Check permission for single path operation.
  *
  * @domain:    Pointer to "struct tomoyo_domain_info".
  * @operation: Type of operation.
@@ -1054,11 +1020,13 @@ static int tomoyo_check_double_path_acl(
  * @mode:      Access control mode.
  *
  * Returns 0 on success, negative value otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
-static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info *
-                                               const domain, u8 operation,
-                                               const struct tomoyo_path_info *
-                                               filename, const u8 mode)
+static int tomoyo_path_permission2(struct tomoyo_domain_info *const domain,
+                                  u8 operation,
+                                  const struct tomoyo_path_info *filename,
+                                  const u8 mode)
 {
        const char *msg;
        int error;
@@ -1067,8 +1035,8 @@ static int tomoyo_check_single_path_perm
        if (!mode)
                return 0;
  next:
-       error = tomoyo_check_single_path_acl(domain, operation, filename);
-       msg = tomoyo_sp2keyword(operation);
+       error = tomoyo_path_acl(domain, operation, filename);
+       msg = tomoyo_path2keyword(operation);
        if (!error)
                goto ok;
        if (tomoyo_verbose_mode(domain))
@@ -1077,7 +1045,7 @@ static int tomoyo_check_single_path_perm
                       tomoyo_get_last_name(domain));
        if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
                const char *name = tomoyo_get_file_pattern(filename)->name;
-               tomoyo_update_single_path_acl(operation, name, domain, false);
+               tomoyo_update_path_acl(operation, name, domain, false);
        }
        if (!is_enforce)
                error = 0;
@@ -1087,9 +1055,9 @@ static int tomoyo_check_single_path_perm
         * we need to check "allow_rewrite" permission if the filename is
         * specified by "deny_rewrite" keyword.
         */
-       if (!error && operation == TOMOYO_TYPE_TRUNCATE_ACL &&
+       if (!error && operation == TOMOYO_TYPE_TRUNCATE &&
            tomoyo_is_no_rewrite_file(filename)) {
-               operation = TOMOYO_TYPE_REWRITE_ACL;
+               operation = TOMOYO_TYPE_REWRITE;
                goto next;
        }
        return error;
@@ -1098,22 +1066,27 @@ static int tomoyo_check_single_path_perm
 /**
  * tomoyo_check_file_perm - Check permission for sysctl()'s "read" and "write".
  *
- * @domain:    Pointer to "struct tomoyo_domain_info".
  * @filename:  Filename to check.
  * @perm:      Mode ("read" or "write" or "read/write").
  * Returns 0 on success, negative value otherwise.
  */
-int tomoyo_check_file_perm(struct tomoyo_domain_info *domain,
-                          const char *filename, const u8 perm)
+int tomoyo_check_file_perm(const char *filename, const u8 perm)
 {
+       int error;
+       int idx;
        struct tomoyo_path_info name;
+       struct tomoyo_domain_info *domain = tomoyo_domain();
        const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
 
        if (!mode)
                return 0;
        name.name = filename;
        tomoyo_fill_path_info(&name);
-       return tomoyo_check_file_perm2(domain, &name, perm, "sysctl", mode);
+
+       idx = tomoyo_read_lock();
+       error = tomoyo_check_file_perm2(domain, &name, perm, "sysctl", mode);
+       tomoyo_read_unlock(idx);
+       return error;
 }
 
 /**
@@ -1123,6 +1096,8 @@ int tomoyo_check_file_perm(struct tomoyo
  * @filename: Check permission for "execute".
  *
  * Returns 0 on success, negativevalue otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
  */
 int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain,
                           const struct tomoyo_path_info *filename)
@@ -1151,6 +1126,7 @@ int tomoyo_check_open_permission(struct 
        struct tomoyo_path_info *buf;
        const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
        const bool is_enforce = (mode == 3);
+       int idx;
 
        if (!mode || !path->mnt)
                return 0;
@@ -1162,6 +1138,7 @@ int tomoyo_check_open_permission(struct 
                 * don't call me.
                 */
                return 0;
+       idx = tomoyo_read_lock();
        buf = tomoyo_get_path(path);
        if (!buf)
                goto out;
@@ -1174,49 +1151,50 @@ int tomoyo_check_open_permission(struct 
        if ((acc_mode & MAY_WRITE) &&
            ((flag & O_TRUNC) || !(flag & O_APPEND)) &&
            (tomoyo_is_no_rewrite_file(buf))) {
-               error = tomoyo_check_single_path_permission2(domain,
-                                                    TOMOYO_TYPE_REWRITE_ACL,
-                                                            buf, mode);
+               error = tomoyo_path_permission2(domain, TOMOYO_TYPE_REWRITE,
+                                               buf, mode);
        }
        if (!error)
                error = tomoyo_check_file_perm2(domain, buf, acc_mode, "open",
                                                mode);
        if (!error && (flag & O_TRUNC))
-               error = tomoyo_check_single_path_permission2(domain,
-                                                    TOMOYO_TYPE_TRUNCATE_ACL,
-                                                            buf, mode);
+               error = tomoyo_path_permission2(domain, TOMOYO_TYPE_TRUNCATE,
+                                               buf, mode);
  out:
-       tomoyo_free(buf);
+       kfree(buf);
+       tomoyo_read_unlock(idx);
        if (!is_enforce)
                error = 0;
        return error;
 }
 
 /**
- * tomoyo_check_1path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate" and "symlink".
+ * tomoyo_path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount".
  *
- * @domain:    Pointer to "struct tomoyo_domain_info".
  * @operation: Type of operation.
  * @path:      Pointer to "struct path".
  *
  * Returns 0 on success, negative value otherwise.
  */
-int tomoyo_check_1path_perm(struct tomoyo_domain_info *domain,
-                           const u8 operation, struct path *path)
+int tomoyo_path_perm(const u8 operation, struct path *path)
 {
        int error = -ENOMEM;
        struct tomoyo_path_info *buf;
+       struct tomoyo_domain_info *domain = tomoyo_domain();
        const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
        const bool is_enforce = (mode == 3);
+       int idx;
 
        if (!mode || !path->mnt)
                return 0;
+       idx = tomoyo_read_lock();
        buf = tomoyo_get_path(path);
        if (!buf)
                goto out;
        switch (operation) {
-       case TOMOYO_TYPE_MKDIR_ACL:
-       case TOMOYO_TYPE_RMDIR_ACL:
+       case TOMOYO_TYPE_MKDIR:
+       case TOMOYO_TYPE_RMDIR:
+       case TOMOYO_TYPE_CHROOT:
                if (!buf->is_dir) {
                        /*
                         * tomoyo_get_path() reserves space for appending "/."
@@ -1225,10 +1203,10 @@ int tomoyo_check_1path_perm(struct tomoy
                        tomoyo_fill_path_info(buf);
                }
        }
-       error = tomoyo_check_single_path_permission2(domain, operation, buf,
-                                                    mode);
+       error = tomoyo_path_permission2(domain, operation, buf, mode);
  out:
-       tomoyo_free(buf);
+       kfree(buf);
+       tomoyo_read_unlock(idx);
        if (!is_enforce)
                error = 0;
        return error;
@@ -1237,21 +1215,23 @@ int tomoyo_check_1path_perm(struct tomoy
 /**
  * tomoyo_check_rewrite_permission - Check permission for "rewrite".
  *
- * @domain: Pointer to "struct tomoyo_domain_info".
  * @filp: Pointer to "struct file".
  *
  * Returns 0 on success, negative value otherwise.
  */
-int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain,
-                                   struct file *filp)
+int tomoyo_check_rewrite_permission(struct file *filp)
 {
        int error = -ENOMEM;
+       struct tomoyo_domain_info *domain = tomoyo_domain();
        const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
        const bool is_enforce = (mode == 3);
        struct tomoyo_path_info *buf;
+       int idx;
 
        if (!mode || !filp->f_path.mnt)
                return 0;
+
+       idx = tomoyo_read_lock();
        buf = tomoyo_get_path(&filp->f_path);
        if (!buf)
                goto out;
@@ -1259,38 +1239,38 @@ int tomoyo_check_rewrite_permission(stru
                error = 0;
                goto out;
        }
-       error = tomoyo_check_single_path_permission2(domain,
-                                                    TOMOYO_TYPE_REWRITE_ACL,
-                                                    buf, mode);
+       error = tomoyo_path_permission2(domain, TOMOYO_TYPE_REWRITE, buf, mode);
  out:
-       tomoyo_free(buf);
+       kfree(buf);
+       tomoyo_read_unlock(idx);
        if (!is_enforce)
                error = 0;
        return error;
 }
 
 /**
- * tomoyo_check_2path_perm - Check permission for "rename" and "link".
+ * tomoyo_path2_perm - Check permission for "rename", "link" and "pivot_root".
  *
- * @domain:    Pointer to "struct tomoyo_domain_info".
  * @operation: Type of operation.
  * @path1:      Pointer to "struct path".
  * @path2:      Pointer to "struct path".
  *
  * Returns 0 on success, negative value otherwise.
  */
-int tomoyo_check_2path_perm(struct tomoyo_domain_info * const domain,
-                           const u8 operation, struct path *path1,
-                           struct path *path2)
+int tomoyo_path2_perm(const u8 operation, struct path *path1,
+                     struct path *path2)
 {
        int error = -ENOMEM;
        struct tomoyo_path_info *buf1, *buf2;
+       struct tomoyo_domain_info *domain = tomoyo_domain();
        const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
        const bool is_enforce = (mode == 3);
        const char *msg;
+       int idx;
 
        if (!mode || !path1->mnt || !path2->mnt)
                return 0;
+       idx = tomoyo_read_lock();
        buf1 = tomoyo_get_path(path1);
        buf2 = tomoyo_get_path(path2);
        if (!buf1 || !buf2)
@@ -1311,8 +1291,8 @@ int tomoyo_check_2path_perm(struct tomoy
                        }
                }
        }
-       error = tomoyo_check_double_path_acl(domain, operation, buf1, buf2);
-       msg = tomoyo_dp2keyword(operation);
+       error = tomoyo_path2_acl(domain, operation, buf1, buf2);
+       msg = tomoyo_path22keyword(operation);
        if (!error)
                goto out;
        if (tomoyo_verbose_mode(domain))
@@ -1323,12 +1303,13 @@ int tomoyo_check_2path_perm(struct tomoy
        if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
                const char *name1 = tomoyo_get_file_pattern(buf1)->name;
                const char *name2 = tomoyo_get_file_pattern(buf2)->name;
-               tomoyo_update_double_path_acl(operation, name1, name2, domain,
-                                             false);
+               tomoyo_update_path2_acl(operation, name1, name2, domain,
+                                       false);
        }
  out:
-       tomoyo_free(buf1);
-       tomoyo_free(buf2);
+       kfree(buf1);
+       kfree(buf2);
+       tomoyo_read_unlock(idx);
        if (!is_enforce)
                error = 0;
        return error;
--- /dev/null
+++ linux-2.6.32.28/security/tomoyo/gc.c
@@ -0,0 +1,412 @@
+/*
+ * security/tomoyo/gc.c
+ *
+ * Implementation of the Domain-Based Mandatory Access Control.
+ *
+ * Copyright (C) 2005-2010  NTT DATA CORPORATION
+ *
+ */
+
+#include "common.h"
+#include <linux/kthread.h>
+#include <linux/slab.h>
+
+enum tomoyo_gc_id {
+       TOMOYO_ID_PATH_GROUP,
+       TOMOYO_ID_PATH_GROUP_MEMBER,
+       TOMOYO_ID_DOMAIN_INITIALIZER,
+       TOMOYO_ID_DOMAIN_KEEPER,
+       TOMOYO_ID_ALIAS,
+       TOMOYO_ID_GLOBALLY_READABLE,
+       TOMOYO_ID_PATTERN,
+       TOMOYO_ID_NO_REWRITE,
+       TOMOYO_ID_MANAGER,
+       TOMOYO_ID_NAME,
+       TOMOYO_ID_ACL,
+       TOMOYO_ID_DOMAIN
+};
+
+struct tomoyo_gc_entry {
+       struct list_head list;
+       int type;
+       void *element;
+};
+static LIST_HEAD(tomoyo_gc_queue);
+static DEFINE_MUTEX(tomoyo_gc_mutex);
+
+/* Caller holds tomoyo_policy_lock mutex. */
+static bool tomoyo_add_to_gc(const int type, void *element)
+{
+       struct tomoyo_gc_entry *entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
+       if (!entry)
+               return false;
+       entry->type = type;
+       entry->element = element;
+       list_add(&entry->list, &tomoyo_gc_queue);
+       return true;
+}
+
+static void tomoyo_del_allow_read
+(struct tomoyo_globally_readable_file_entry *ptr)
+{
+       tomoyo_put_name(ptr->filename);
+}
+
+static void tomoyo_del_file_pattern(struct tomoyo_pattern_entry *ptr)
+{
+       tomoyo_put_name(ptr->pattern);
+}
+
+static void tomoyo_del_no_rewrite(struct tomoyo_no_rewrite_entry *ptr)
+{
+       tomoyo_put_name(ptr->pattern);
+}
+
+static void tomoyo_del_domain_initializer
+(struct tomoyo_domain_initializer_entry *ptr)
+{
+       tomoyo_put_name(ptr->domainname);
+       tomoyo_put_name(ptr->program);
+}
+
+static void tomoyo_del_domain_keeper(struct tomoyo_domain_keeper_entry *ptr)
+{
+       tomoyo_put_name(ptr->domainname);
+       tomoyo_put_name(ptr->program);
+}
+
+static void tomoyo_del_alias(struct tomoyo_alias_entry *ptr)
+{
+       tomoyo_put_name(ptr->original_name);
+       tomoyo_put_name(ptr->aliased_name);
+}
+
+static void tomoyo_del_manager(struct tomoyo_policy_manager_entry *ptr)
+{
+       tomoyo_put_name(ptr->manager);
+}
+
+static void tomoyo_del_acl(struct tomoyo_acl_info *acl)
+{
+       switch (acl->type) {
+       case TOMOYO_TYPE_PATH_ACL:
+               {
+                       struct tomoyo_path_acl *entry
+                               = container_of(acl, typeof(*entry), head);
+                       tomoyo_put_name_union(&entry->name);
+               }
+               break;
+       case TOMOYO_TYPE_PATH2_ACL:
+               {
+                       struct tomoyo_path2_acl *entry
+                               = container_of(acl, typeof(*entry), head);
+                       tomoyo_put_name_union(&entry->name1);
+                       tomoyo_put_name_union(&entry->name2);
+               }
+               break;
+       default:
+               printk(KERN_WARNING "Unknown type\n");
+               break;
+       }
+}
+
+static bool tomoyo_del_domain(struct tomoyo_domain_info *domain)
+{
+       struct tomoyo_acl_info *acl;
+       struct tomoyo_acl_info *tmp;
+       /*
+        * Since we don't protect whole execve() operation using SRCU,
+        * we need to recheck domain->users at this point.
+        *
+        * (1) Reader starts SRCU section upon execve().
+        * (2) Reader traverses tomoyo_domain_list and finds this domain.
+        * (3) Writer marks this domain as deleted.
+        * (4) Garbage collector removes this domain from tomoyo_domain_list
+        *     because this domain is marked as deleted and used by nobody.
+        * (5) Reader saves reference to this domain into
+        *     "struct linux_binprm"->cred->security .
+        * (6) Reader finishes SRCU section, although execve() operation has
+        *     not finished yet.
+        * (7) Garbage collector waits for SRCU synchronization.
+        * (8) Garbage collector kfree() this domain because this domain is
+        *     used by nobody.
+        * (9) Reader finishes execve() operation and restores this domain from
+        *     "struct linux_binprm"->cred->security.
+        *
+        * By updating domain->users at (5), we can solve this race problem
+        * by rechecking domain->users at (8).
+        */
+       if (atomic_read(&domain->users))
+               return false;
+       list_for_each_entry_safe(acl, tmp, &domain->acl_info_list, list) {
+               tomoyo_del_acl(acl);
+               tomoyo_memory_free(acl);
+       }
+       tomoyo_put_name(domain->domainname);
+       return true;
+}
+
+
+static void tomoyo_del_name(const struct tomoyo_name_entry *ptr)
+{
+}
+
+static void tomoyo_del_path_group_member(struct tomoyo_path_group_member
+                                        *member)
+{
+       tomoyo_put_name(member->member_name);
+}
+
+static void tomoyo_del_path_group(struct tomoyo_path_group *group)
+{
+       tomoyo_put_name(group->group_name);
+}
+
+static void tomoyo_collect_entry(void)
+{
+       if (mutex_lock_interruptible(&tomoyo_policy_lock))
+               return;
+       {
+               struct tomoyo_globally_readable_file_entry *ptr;
+               list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list,
+                                       list) {
+                       if (!ptr->is_deleted)
+                               continue;
+                       if (tomoyo_add_to_gc(TOMOYO_ID_GLOBALLY_READABLE, ptr))
+                               list_del_rcu(&ptr->list);
+                       else
+                               break;
+               }
+       }
+       {
+               struct tomoyo_pattern_entry *ptr;
+               list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) {
+                       if (!ptr->is_deleted)
+                               continue;
+                       if (tomoyo_add_to_gc(TOMOYO_ID_PATTERN, ptr))
+                               list_del_rcu(&ptr->list);
+                       else
+                               break;
+               }
+       }
+       {
+               struct tomoyo_no_rewrite_entry *ptr;
+               list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) {
+                       if (!ptr->is_deleted)
+                               continue;
+                       if (tomoyo_add_to_gc(TOMOYO_ID_NO_REWRITE, ptr))
+                               list_del_rcu(&ptr->list);
+                       else
+                               break;
+               }
+       }
+       {
+               struct tomoyo_domain_initializer_entry *ptr;
+               list_for_each_entry_rcu(ptr, &tomoyo_domain_initializer_list,
+                                       list) {
+                       if (!ptr->is_deleted)
+                               continue;
+                       if (tomoyo_add_to_gc(TOMOYO_ID_DOMAIN_INITIALIZER, ptr))
+                               list_del_rcu(&ptr->list);
+                       else
+                               break;
+               }
+       }
+       {
+               struct tomoyo_domain_keeper_entry *ptr;
+               list_for_each_entry_rcu(ptr, &tomoyo_domain_keeper_list, list) {
+                       if (!ptr->is_deleted)
+                               continue;
+                       if (tomoyo_add_to_gc(TOMOYO_ID_DOMAIN_KEEPER, ptr))
+                               list_del_rcu(&ptr->list);
+                       else
+                               break;
+               }
+       }
+       {
+               struct tomoyo_alias_entry *ptr;
+               list_for_each_entry_rcu(ptr, &tomoyo_alias_list, list) {
+                       if (!ptr->is_deleted)
+                               continue;
+                       if (tomoyo_add_to_gc(TOMOYO_ID_ALIAS, ptr))
+                               list_del_rcu(&ptr->list);
+                       else
+                               break;
+               }
+       }
+       {
+               struct tomoyo_policy_manager_entry *ptr;
+               list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list,
+                                       list) {
+                       if (!ptr->is_deleted)
+                               continue;
+                       if (tomoyo_add_to_gc(TOMOYO_ID_MANAGER, ptr))
+                               list_del_rcu(&ptr->list);
+                       else
+                               break;
+               }
+       }
+       {
+               struct tomoyo_domain_info *domain;
+               list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
+                       struct tomoyo_acl_info *acl;
+                       list_for_each_entry_rcu(acl, &domain->acl_info_list,
+                                               list) {
+                               switch (acl->type) {
+                               case TOMOYO_TYPE_PATH_ACL:
+                                       if (container_of(acl,
+                                        struct tomoyo_path_acl,
+                                                        head)->perm ||
+                                           container_of(acl,
+                                        struct tomoyo_path_acl,
+                                                        head)->perm_high)
+                                               continue;
+                                       break;
+                               case TOMOYO_TYPE_PATH2_ACL:
+                                       if (container_of(acl,
+                                        struct tomoyo_path2_acl,
+                                                        head)->perm)
+                                               continue;
+                                       break;
+                               default:
+                                       continue;
+                               }
+                               if (tomoyo_add_to_gc(TOMOYO_ID_ACL, acl))
+                                       list_del_rcu(&acl->list);
+                               else
+                                       break;
+                       }
+                       if (!domain->is_deleted || atomic_read(&domain->users))
+                               continue;
+                       /*
+                        * Nobody is referring this domain. But somebody may
+                        * refer this domain after successful execve().
+                        * We recheck domain->users after SRCU synchronization.
+                        */
+                       if (tomoyo_add_to_gc(TOMOYO_ID_DOMAIN, domain))
+                               list_del_rcu(&domain->list);
+                       else
+                               break;
+               }
+       }
+       {
+               int i;
+               for (i = 0; i < TOMOYO_MAX_HASH; i++) {
+                       struct tomoyo_name_entry *ptr;
+                       list_for_each_entry_rcu(ptr, &tomoyo_name_list[i],
+                                               list) {
+                               if (atomic_read(&ptr->users))
+                                       continue;
+                               if (tomoyo_add_to_gc(TOMOYO_ID_NAME, ptr))
+                                       list_del_rcu(&ptr->list);
+                               else {
+                                       i = TOMOYO_MAX_HASH;
+                                       break;
+                               }
+                       }
+               }
+       }
+       {
+               struct tomoyo_path_group *group;
+               list_for_each_entry_rcu(group, &tomoyo_path_group_list, list) {
+                       struct tomoyo_path_group_member *member;
+                       list_for_each_entry_rcu(member, &group->member_list,
+                                               list) {
+                               if (!member->is_deleted)
+                                       continue;
+                               if (tomoyo_add_to_gc(TOMOYO_ID_PATH_GROUP_MEMBER,
+                                                    member))
+                                       list_del_rcu(&member->list);
+                               else
+                                       break;
+                       }
+                       if (!list_empty(&group->member_list) ||
+                           atomic_read(&group->users))
+                               continue;
+                       if (tomoyo_add_to_gc(TOMOYO_ID_PATH_GROUP, group))
+                               list_del_rcu(&group->list);
+                       else
+                               break;
+               }
+       }
+       mutex_unlock(&tomoyo_policy_lock);
+}
+
+static void tomoyo_kfree_entry(void)
+{
+       struct tomoyo_gc_entry *p;
+       struct tomoyo_gc_entry *tmp;
+
+       list_for_each_entry_safe(p, tmp, &tomoyo_gc_queue, list) {
+               switch (p->type) {
+               case TOMOYO_ID_DOMAIN_INITIALIZER:
+                       tomoyo_del_domain_initializer(p->element);
+                       break;
+               case TOMOYO_ID_DOMAIN_KEEPER:
+                       tomoyo_del_domain_keeper(p->element);
+                       break;
+               case TOMOYO_ID_ALIAS:
+                       tomoyo_del_alias(p->element);
+                       break;
+               case TOMOYO_ID_GLOBALLY_READABLE:
+                       tomoyo_del_allow_read(p->element);
+                       break;
+               case TOMOYO_ID_PATTERN:
+                       tomoyo_del_file_pattern(p->element);
+                       break;
+               case TOMOYO_ID_NO_REWRITE:
+                       tomoyo_del_no_rewrite(p->element);
+                       break;
+               case TOMOYO_ID_MANAGER:
+                       tomoyo_del_manager(p->element);
+                       break;
+               case TOMOYO_ID_NAME:
+                       tomoyo_del_name(p->element);
+                       break;
+               case TOMOYO_ID_ACL:
+                       tomoyo_del_acl(p->element);
+                       break;
+               case TOMOYO_ID_DOMAIN:
+                       if (!tomoyo_del_domain(p->element))
+                               continue;
+                       break;
+               case TOMOYO_ID_PATH_GROUP_MEMBER:
+                       tomoyo_del_path_group_member(p->element);
+                       break;
+               case TOMOYO_ID_PATH_GROUP:
+                       tomoyo_del_path_group(p->element);
+                       break;
+               default:
+                       printk(KERN_WARNING "Unknown type\n");
+                       break;
+               }
+               tomoyo_m