ccs-patch/patches/ccs-patch-2.4.37.diff

This is TOMOYO Linux patch for kernel 2.4.37.4.

Source code for this patch is http://www.kernel.org/pub/linux/kernel/v2.4/linux-2.4.37.4.tar.bz2
---
 Documentation/Configure.help |   86 +++++++++++++++++++++++++++++++++++++++++++
 arch/alpha/kernel/ptrace.c   |    3 +
 arch/arm/kernel/ptrace.c     |    3 +
 arch/cris/kernel/ptrace.c    |    3 +
 arch/i386/kernel/ptrace.c    |    3 +
 arch/ia64/ia32/sys_ia32.c    |    3 +
 arch/ia64/kernel/ptrace.c    |    3 +
 arch/m68k/kernel/ptrace.c    |    3 +
 arch/mips/kernel/ptrace.c    |    3 +
 arch/mips64/kernel/ptrace.c  |    5 ++
 arch/parisc/kernel/ptrace.c  |    3 +
 arch/ppc/kernel/ptrace.c     |    3 +
 arch/ppc64/kernel/ptrace.c   |    3 +
 arch/ppc64/kernel/ptrace32.c |    3 +
 arch/s390/kernel/ptrace.c    |    3 +
 arch/s390x/kernel/ptrace.c   |    3 +
 arch/sh/kernel/ptrace.c      |    3 +
 arch/sh64/kernel/ptrace.c    |    3 +
 arch/sparc/kernel/ptrace.c   |    5 ++
 arch/sparc64/kernel/ptrace.c |    5 ++
 arch/x86_64/ia32/ptrace32.c  |    3 +
 arch/x86_64/kernel/ptrace.c  |    3 +
 fs/Config.in                 |    3 +
 fs/Makefile                  |    2 -
 fs/attr.c                    |    4 ++
 fs/exec.c                    |   12 +++++-
 fs/fcntl.c                   |    4 ++
 fs/ioctl.c                   |   10 +++++
 fs/namei.c                   |   45 ++++++++++++++++++++++
 fs/namespace.c               |   34 ++++++++++++++++-
 fs/open.c                    |   16 ++++++++
 fs/proc/Makefile             |    4 ++
 fs/proc/proc_misc.c          |    1 
 include/linux/sched.h        |    6 +++
 kernel/kmod.c                |    3 +
 kernel/module.c              |    7 +++
 kernel/sched.c               |    3 +
 kernel/signal.c              |    9 ++++
 kernel/sys.c                 |    9 ++++
 kernel/sysctl.c              |   13 ++++++
 kernel/time.c                |    7 +++
 net/ipv4/raw.c               |    4 ++
 net/ipv4/tcp_ipv4.c          |    5 ++
 net/ipv4/udp.c               |    9 ++++
 net/ipv6/raw.c               |    4 ++
 net/ipv6/tcp_ipv6.c          |    3 +
 net/ipv6/udp.c               |    9 ++++
 net/socket.c                 |   26 ++++++++++++-
 net/unix/af_unix.c           |    4 ++
 49 files changed, 405 insertions(+), 6 deletions(-)

--- linux-2.4.37.4.orig/Documentation/Configure.help
+++ linux-2.4.37.4/Documentation/Configure.help
@@ -29158,6 +29158,92 @@ CONFIG_SOUND_WM97XX
   
   If unsure, say N.
 
+CONFIG_SAKURA
+  Say Y here to support the Domain-Free Mandatory Access Control.
+
+  SAKURA stands for
+  "Security Advancement Know-how Upon Read-only Approach".
+  As the name shows, SAKURA was originally a methodology to make
+  root fs read-only to avoid tampering the system files.
+  But now, SAKURA is not only a methodology but also a kernel patch
+  that improves the system security with less effort.
+
+  SAKURA can restrict operations that affect systemwide.
+
+CONFIG_TOMOYO
+  Say Y here to support the Domain-Based Mandatory Access Control.
+
+  TOMOYO stands for "Task Oriented Management Obviates Your Onus".
+  TOMOYO is intended to provide the Domain-Based MAC
+  utilizing task_struct.
+
+  The word "domain" in TOMOYO is a class that a process
+  (i.e. task_struct) belong to.
+  The domain of a process changes whenever the process
+  executes a program.
+  This allows you to classify at the finest level.
+  The access permission is granted to domains, not to processes.
+  Policy is defined as "Which domain can access to which resource.".
+
+  The biggest feature of TOMOYO is that TOMOYO has "learning mode".
+  The learning mode can automatically generate policy definition,
+  and dramatically reduces the policy definition labors.
+
+  TOMOYO is applicable to figuring out the system's behavior, for
+  TOMOYO uses the canonicalized absolute pathnames and
+  TreeView style domain transitions.
+
+  You can make custom root fs with minimum files
+  to run minimum applications with TOMOYO.
+
+CONFIG_TOMOYO_MAX_ACCEPT_ENTRY
+  This is the default value for maximal ACL entries
+  that are automatically appended into policy at "learning mode".
+  Some programs access thousands of objects, so running
+  such programs in "learning mode" dulls the system response
+  and consumes much memory.
+  This is the safeguard for such programs.
+
+CONFIG_TOMOYO_MAX_GRANT_LOG
+  This is the default value for maximal entries for
+  access grant logs that the kernel can hold on memory.
+  You can read the log via /proc/ccs/grant_log.
+  If you don't need access grant logs,
+  you may set this value to 0.
+
+CONFIG_TOMOYO_MAX_REJECT_LOG
+  This is the default value for maximal entries for
+  access reject logs that the kernel can hold on memory.
+  You can read the log via /proc/ccs/reject_log.
+  If you don't need access reject logs,
+  you may set this value to 0.
+
+CONFIG_SYAORAN
+  Say Y or M here to support the Tamper-Proof Device Filesystem.
+
+  SYAORAN stands for
+  "Simple Yet All-important Object Realizing Abiding Nexus".
+  SYAORAN is a filesystem for /dev with Mandatory Access Control.
+
+  SAKURA can make root fs read-only, but the system can't work
+  if /dev is read-only. Therefore you need to mount a writable
+  filesystem (such as tmpfs) for /dev if root fs is read-only.
+
+  But the writable /dev means that files on /dev might be tampered.
+  For example, if /dev/null is deleted and re-created as a symbolic
+  link to /dev/hda by an attacker, the contents of the IDE HDD
+  will be destroyed at a blow.
+
+  Also, TOMOYO controls file access by pathnames,
+  not by security labels.
+  Therefore /dev/null, for example, might be tampered
+  if a process have write permission to /dev/null .
+
+  SYAORAN can ensure /dev/null is a character device file
+  with major=1 minor=3.
+
+  You can use SAKURA to make /dev not unmountable.
+
 #
 # A couple of things I keep forgetting:
 #   capitalize: AppleTalk, Ethernet, DOS, DMA, FAT, FTP, Internet,
--- linux-2.4.37.4.orig/arch/alpha/kernel/ptrace.c
+++ linux-2.4.37.4/arch/alpha/kernel/ptrace.c
@@ -18,6 +18,7 @@
 #include <asm/pgtable.h>
 #include <asm/system.h>
 #include <asm/fpu.h>
+#include <linux/tomoyo.h>
 
 #include "proto.h"
 
@@ -251,6 +252,8 @@ sys_ptrace(long request, long pid, long 
 {
        struct task_struct *child;
        long ret;
+       if (!ccs_capable(CCS_SYS_PTRACE))
+               return -EPERM;
 
        lock_kernel();
        DBG(DBG_MEM, ("request=%ld pid=%ld addr=0x%lx data=0x%lx\n",
--- linux-2.4.37.4.orig/arch/arm/kernel/ptrace.c
+++ linux-2.4.37.4/arch/arm/kernel/ptrace.c
@@ -22,6 +22,7 @@
 #include <asm/uaccess.h>
 #include <asm/pgtable.h>
 #include <asm/system.h>
+#include <linux/tomoyo.h>
 
 #include "ptrace.h"
 
@@ -695,6 +696,8 @@ asmlinkage int sys_ptrace(long request, 
 {
        struct task_struct *child;
        int ret;
+       if (!ccs_capable(CCS_SYS_PTRACE))
+               return -EPERM;
 
        lock_kernel();
        ret = -EPERM;
--- linux-2.4.37.4.orig/arch/cris/kernel/ptrace.c
+++ linux-2.4.37.4/arch/cris/kernel/ptrace.c
@@ -48,6 +48,7 @@
 #include <asm/pgtable.h>
 #include <asm/system.h>
 #include <asm/processor.h>
+#include <linux/tomoyo.h>
 
 /*
  * does not yet catch signals sent when the child dies.
@@ -104,6 +105,8 @@ asmlinkage int sys_ptrace(long request, 
 {
        struct task_struct *child;
        int ret;
+       if (!ccs_capable(CCS_SYS_PTRACE))
+               return -EPERM;
 
        lock_kernel();
        ret = -EPERM;
--- linux-2.4.37.4.orig/arch/i386/kernel/ptrace.c
+++ linux-2.4.37.4/arch/i386/kernel/ptrace.c
@@ -20,6 +20,7 @@
 #include <asm/processor.h>
 #include <asm/i387.h>
 #include <asm/debugreg.h>
+#include <linux/tomoyo.h>
 
 /*
  * does not yet catch signals sent when the child dies.
@@ -152,6 +153,8 @@ asmlinkage int sys_ptrace(long request, 
        struct task_struct *child;
        struct user * dummy = NULL;
        int i, ret;
+       if (!ccs_capable(CCS_SYS_PTRACE))
+               return -EPERM;
 
        lock_kernel();
        ret = -EPERM;
--- linux-2.4.37.4.orig/arch/ia64/ia32/sys_ia32.c
+++ linux-2.4.37.4/arch/ia64/ia32/sys_ia32.c
@@ -57,6 +57,7 @@
 #include <net/scm.h>
 #include <net/sock.h>
 #include <asm/ia32.h>
+#include <linux/tomoyo.h>
 
 #define DEBUG  0
 
@@ -3131,6 +3132,8 @@ sys32_ptrace (int request, pid_t pid, un
        struct task_struct *child;
        unsigned int value, tmp;
        long i, ret;
+       if (!ccs_capable(CCS_SYS_PTRACE))
+               return -EPERM;
 
        lock_kernel();
        if (request == PTRACE_TRACEME) {
--- linux-2.4.37.4.orig/arch/ia64/kernel/ptrace.c
+++ linux-2.4.37.4/arch/ia64/kernel/ptrace.c
@@ -27,6 +27,7 @@
 #ifdef CONFIG_PERFMON
 #include <asm/perfmon.h>
 #endif
+#include <linux/tomoyo.h>
 
 #define offsetof(type,field)    ((unsigned long) &((type *) 0)->field)
 
@@ -1273,6 +1274,8 @@ sys_ptrace (long request, pid_t pid, uns
        struct task_struct *child;
        struct switch_stack *sw;
        long ret;
+       if (!ccs_capable(CCS_SYS_PTRACE))
+               return -EPERM;
 
        lock_kernel();
        ret = -EPERM;
--- linux-2.4.37.4.orig/arch/m68k/kernel/ptrace.c
+++ linux-2.4.37.4/arch/m68k/kernel/ptrace.c
@@ -25,6 +25,7 @@
 #include <asm/pgtable.h>
 #include <asm/system.h>
 #include <asm/processor.h>
+#include <linux/tomoyo.h>
 
 /*
  * does not yet catch signals sent when the child dies.
@@ -104,6 +105,8 @@ asmlinkage int sys_ptrace(long request, 
 {
        struct task_struct *child;
        int ret;
+       if (!ccs_capable(CCS_SYS_PTRACE))
+               return -EPERM;
 
        lock_kernel();
        ret = -EPERM;
--- linux-2.4.37.4.orig/arch/mips/kernel/ptrace.c
+++ linux-2.4.37.4/arch/mips/kernel/ptrace.c
@@ -28,6 +28,7 @@
 #include <asm/bootinfo.h>
 #include <asm/cpu.h>
 #include <asm/fpu.h>
+#include <linux/tomoyo.h>
 
 /*
  * Called by kernel/ptrace.c when detaching..
@@ -43,6 +44,8 @@ asmlinkage int sys_ptrace(long request, 
 {
        struct task_struct *child;
        int ret;
+       if (!ccs_capable(CCS_SYS_PTRACE))
+               return -EPERM;
 
        lock_kernel();
 #if 0
--- linux-2.4.37.4.orig/arch/mips64/kernel/ptrace.c
+++ linux-2.4.37.4/arch/mips64/kernel/ptrace.c
@@ -30,6 +30,7 @@
 #include <asm/system.h>
 #include <asm/uaccess.h>
 #include <asm/bootinfo.h>
+#include <linux/tomoyo.h>
 
 /*
  * Called by kernel/ptrace.c when detaching..
@@ -49,6 +50,8 @@ asmlinkage int sys32_ptrace(int request,
 {
        struct task_struct *child;
        int ret;
+       if (!ccs_capable(CCS_SYS_PTRACE))
+               return -EPERM;
 
        lock_kernel();
        ret = -EPERM;
@@ -288,6 +291,8 @@ asmlinkage int sys_ptrace(long request, 
 {
        struct task_struct *child;
        int ret;
+       if (!ccs_capable(CCS_SYS_PTRACE))
+               return -EPERM;
 
        lock_kernel();
 #if 0
--- linux-2.4.37.4.orig/arch/parisc/kernel/ptrace.c
+++ linux-2.4.37.4/arch/parisc/kernel/ptrace.c
@@ -21,6 +21,7 @@
 #include <asm/system.h>
 #include <asm/processor.h>
 #include <asm/offset.h>
+#include <linux/tomoyo.h>
 
 /* These are used in entry.S, syscall_restore_rfi.  We need to record the
  * current stepping mode somewhere other than in PSW, because there is no
@@ -94,6 +95,8 @@ long sys_ptrace(long request, pid_t pid,
 #ifdef DEBUG_PTRACE
        long oaddr=addr, odata=data;
 #endif
+       if (!ccs_capable(CCS_SYS_PTRACE))
+               return -EPERM;
 
        lock_kernel();
        ret = -EPERM;
--- linux-2.4.37.4.orig/arch/ppc/kernel/ptrace.c
+++ linux-2.4.37.4/arch/ppc/kernel/ptrace.c
@@ -29,6 +29,7 @@
 #include <asm/page.h>
 #include <asm/pgtable.h>
 #include <asm/system.h>
+#include <linux/tomoyo.h>
 
 /*
  * Set of msr bits that gdb can change on behalf of a process.
@@ -171,6 +172,8 @@ int sys_ptrace(long request, long pid, l
 {
        struct task_struct *child;
        int ret = -EPERM;
+       if (!ccs_capable(CCS_SYS_PTRACE))
+               return -EPERM;
 
        lock_kernel();
        if (request == PTRACE_TRACEME) {
--- linux-2.4.37.4.orig/arch/ppc64/kernel/ptrace.c
+++ linux-2.4.37.4/arch/ppc64/kernel/ptrace.c
@@ -30,6 +30,7 @@
 #include <asm/page.h>
 #include <asm/pgtable.h>
 #include <asm/system.h>
+#include <linux/tomoyo.h>
 
 /*
  * Set of msr bits that gdb can change on behalf of a process.
@@ -120,6 +121,8 @@ int sys_ptrace(long request, long pid, l
 {
        struct task_struct *child;
        int ret = -EPERM;
+       if (!ccs_capable(CCS_SYS_PTRACE))
+               return -EPERM;
 
        lock_kernel();
        if (request == PTRACE_TRACEME) {
--- linux-2.4.37.4.orig/arch/ppc64/kernel/ptrace32.c
+++ linux-2.4.37.4/arch/ppc64/kernel/ptrace32.c
@@ -30,6 +30,7 @@
 #include <asm/page.h>
 #include <asm/pgtable.h>
 #include <asm/system.h>
+#include <linux/tomoyo.h>
 
 #ifdef CONFIG_ALTIVEC
 /*
@@ -121,6 +122,8 @@ int sys32_ptrace(long request, long pid,
 {
        struct task_struct *child;
        int ret = -EPERM;
+       if (!ccs_capable(CCS_SYS_PTRACE))
+               return -EPERM;
 
        lock_kernel();
        if (request == PTRACE_TRACEME) {
--- linux-2.4.37.4.orig/arch/s390/kernel/ptrace.c
+++ linux-2.4.37.4/arch/s390/kernel/ptrace.c
@@ -37,6 +37,7 @@
 #include <asm/pgalloc.h>
 #include <asm/system.h>
 #include <asm/uaccess.h>
+#include <linux/tomoyo.h>
 
 
 void FixPerRegisters(struct task_struct *task)
@@ -221,6 +222,8 @@ asmlinkage int sys_ptrace(long request, 
        unsigned long tmp;
        int copied;
        ptrace_area   parea; 
+       if (!ccs_capable(CCS_SYS_PTRACE))
+               return -EPERM;
 
        lock_kernel();
        if (request == PTRACE_TRACEME) 
--- linux-2.4.37.4.orig/arch/s390x/kernel/ptrace.c
+++ linux-2.4.37.4/arch/s390x/kernel/ptrace.c
@@ -43,6 +43,7 @@
 #else
 #define parent_31bit 0
 #endif
+#include <linux/tomoyo.h>
 
 
 void FixPerRegisters(struct task_struct *task)
@@ -431,6 +432,8 @@ asmlinkage int sys_ptrace(long request, 
 #define sizeof_parent_long 8
 #define dataptr (u8 *)&data
 #endif
+       if (!ccs_capable(CCS_SYS_PTRACE))
+               return -EPERM;
        lock_kernel();
        if (request == PTRACE_TRACEME) 
        {
--- linux-2.4.37.4.orig/arch/sh/kernel/ptrace.c
+++ linux-2.4.37.4/arch/sh/kernel/ptrace.c
@@ -26,6 +26,7 @@
 #include <asm/system.h>
 #include <asm/processor.h>
 #include <asm/mmu_context.h>
+#include <linux/tomoyo.h>
 
 /*
  * does not yet catch signals sent when the child dies.
@@ -144,6 +145,8 @@ asmlinkage int sys_ptrace(long request, 
        struct task_struct *child, *tsk = current;
        struct user * dummy = NULL;
        int ret;
+       if (!ccs_capable(CCS_SYS_PTRACE))
+               return -EPERM;
 
        lock_kernel();
        ret = -EPERM;
--- linux-2.4.37.4.orig/arch/sh64/kernel/ptrace.c
+++ linux-2.4.37.4/arch/sh64/kernel/ptrace.c
@@ -32,6 +32,7 @@
 #include <asm/system.h>
 #include <asm/processor.h>
 #include <asm/mmu_context.h>
+#include <linux/tomoyo.h>
 
 /* This mask defines the bits of the SR which the user is not allowed to
    change, which are everything except S, Q, M, PR, SZ, FR. */
@@ -122,6 +123,8 @@ asmlinkage int sys_ptrace(long request, 
 {
        struct task_struct *child, *tsk = current;
        int ret;
+       if (!ccs_capable(CCS_SYS_PTRACE))
+               return -EPERM;
 
        lock_kernel();
        ret = -EPERM;
--- linux-2.4.37.4.orig/arch/sparc/kernel/ptrace.c
+++ linux-2.4.37.4/arch/sparc/kernel/ptrace.c
@@ -21,6 +21,7 @@
 #include <asm/pgtable.h>
 #include <asm/system.h>
 #include <asm/uaccess.h>
+#include <linux/tomoyo.h>
 
 #define MAGIC_CONSTANT 0x80000000
 
@@ -262,6 +263,10 @@ asmlinkage void do_ptrace(struct pt_regs
        unsigned long data = regs->u_regs[UREG_I3];
        unsigned long addr2 = regs->u_regs[UREG_I4];
        struct task_struct *child;
+       if (!ccs_capable(CCS_SYS_PTRACE)) {
+               pt_error_return(regs, EPERM);
+               return;
+       }
 
        lock_kernel();
 #ifdef DEBUG_PTRACE
--- linux-2.4.37.4.orig/arch/sparc64/kernel/ptrace.c
+++ linux-2.4.37.4/arch/sparc64/kernel/ptrace.c
@@ -26,6 +26,7 @@
 #include <asm/psrcompat.h>
 #include <asm/visasm.h>
 #include <asm/spitfire.h>
+#include <linux/tomoyo.h>
 
 #define MAGIC_CONSTANT 0x80000000
 
@@ -108,6 +109,10 @@ asmlinkage void do_ptrace(struct pt_regs
        unsigned long data = regs->u_regs[UREG_I3];
        unsigned long addr2 = regs->u_regs[UREG_I4];
        struct task_struct *child;
+       if (!ccs_capable(CCS_SYS_PTRACE)) {
+               pt_error_return(regs, EPERM);
+               return;
+       }
 
        if (current->thread.flags & SPARC_FLAG_32BIT) {
                addr &= 0xffffffffUL;
--- linux-2.4.37.4.orig/arch/x86_64/ia32/ptrace32.c
+++ linux-2.4.37.4/arch/x86_64/ia32/ptrace32.c
@@ -24,6 +24,7 @@
 #include <asm/i387.h>
 #include <asm/fpu32.h>
 #include <linux/mm.h>
+#include <linux/tomoyo.h>
 
 /* determines which flags the user has access to. */
 /* 1 = access 0 = no access */
@@ -203,6 +204,8 @@ asmlinkage long sys32_ptrace(long reques
        struct pt_regs *childregs; 
        int ret;
        __u32 val;
+       if (!ccs_capable(CCS_SYS_PTRACE))
+               return -EPERM;
 
        switch (request) { 
        case PTRACE_TRACEME:
--- linux-2.4.37.4.orig/arch/x86_64/kernel/ptrace.c
+++ linux-2.4.37.4/arch/x86_64/kernel/ptrace.c
@@ -22,6 +22,7 @@
 #include <asm/processor.h>
 #include <asm/i387.h>
 #include <asm/debugreg.h>
+#include <linux/tomoyo.h>
 
 /*
  * does not yet catch signals sent when the child dies.
@@ -180,6 +181,8 @@ asmlinkage long sys_ptrace(long request,
        struct task_struct *child;
        struct user * dummy = NULL;
        long i, ret;
+       if (!ccs_capable(CCS_SYS_PTRACE))
+               return -EPERM;
 
        /* This lock_kernel fixes a subtle race with suid exec */
        lock_kernel();
--- linux-2.4.37.4.orig/fs/Config.in
+++ linux-2.4.37.4/fs/Config.in
@@ -176,4 +176,7 @@ comment 'Partition Types'
 source fs/partitions/Config.in
 endmenu
 source fs/nls/Config.in
+
+source fs/Config.ccs.in
+
 endmenu
--- linux-2.4.37.4.orig/fs/Makefile
+++ linux-2.4.37.4/fs/Makefile
@@ -80,5 +80,5 @@ obj-$(CONFIG_BINFMT_ELF)      += binfmt_elf.o
 # persistent filesystems
 obj-y += $(join $(subdir-y),$(subdir-y:%=/%.o))
 
-
+include Makefile-2.4.ccs
 include $(TOPDIR)/Rules.make
--- linux-2.4.37.4.orig/fs/attr.c
+++ linux-2.4.37.4/fs/attr.c
@@ -12,6 +12,7 @@
 #include <linux/dnotify.h>
 #include <linux/fcntl.h>
 #include <linux/quotaops.h>
+#include <linux/tomoyo.h>
 
 /* Taken over from the old code... */
 
@@ -127,6 +128,9 @@ int notify_change(struct dentry * dentry
                attr->ia_atime = now;
        if (!(ia_valid & ATTR_MTIME_SET))
                attr->ia_mtime = now;
+       error = ccs_check_setattr_permission(dentry, attr);
+       if (error)
+               return error;
 
        lock_kernel();
        if (inode->i_op && inode->i_op->setattr) 
--- linux-2.4.37.4.orig/fs/exec.c
+++ linux-2.4.37.4/fs/exec.c
@@ -48,6 +48,8 @@
 #include <linux/kmod.h>
 #endif
 
+#include <linux/tomoyo.h>
+
 int core_uses_pid;
 char core_pattern[65] = "core";
 int core_setuid_ok = 0;
@@ -125,6 +127,10 @@ asmlinkage long sys_uselib(const char * 
        if (error)
                goto exit;
 
+       error = ccs_check_uselib_permission(nd.dentry, nd.mnt);
+       if (error)
+               goto exit;
+
        file = dentry_open(nd.dentry, nd.mnt, O_RDONLY);
        error = PTR_ERR(file);
        if (IS_ERR(file))
@@ -389,6 +395,9 @@ struct file *open_exec(const char *name)
                        int err = permission(inode, MAY_EXEC);
                        if (!err && !(inode->i_mode & 0111))
                                err = -EACCES;
+                       if (!err)
+                               err = ccs_check_open_exec_permission(nd.dentry,
+                                                                    nd.mnt);
                        file = ERR_PTR(err);
                        if (!err) {
                                file = dentry_open(nd.dentry, nd.mnt, O_RDONLY);
@@ -989,7 +998,8 @@ int do_execve(char * filename, char ** a
        if (retval < 0) 
                goto out; 
 
-       retval = search_binary_handler(&bprm,regs);
+       retval = ccs_search_binary_handler(&bprm, regs);
+
        if (retval >= 0)
                /* execve success */
                return retval;
--- linux-2.4.37.4.orig/fs/fcntl.c
+++ linux-2.4.37.4/fs/fcntl.c
@@ -16,6 +16,7 @@
 #include <asm/poll.h>
 #include <asm/siginfo.h>
 #include <asm/uaccess.h>
+#include <linux/tomoyo.h>
 
 extern int sock_fcntl (struct file *, unsigned int cmd, unsigned long arg);
 extern int fcntl_setlease(unsigned int fd, struct file *filp, long arg);
@@ -214,6 +215,9 @@ static int setfl(int fd, struct file * f
        if (!(arg & O_APPEND) && IS_APPEND(inode))
                return -EPERM;
 
+       if (!(arg & O_APPEND) && ccs_check_rewrite_permission(filp))
+               return -EPERM;
+
        /* Did FASYNC state change? */
        if ((arg ^ filp->f_flags) & FASYNC) {
                if (filp->f_op && filp->f_op->fasync) {
--- linux-2.4.37.4.orig/fs/ioctl.c
+++ linux-2.4.37.4/fs/ioctl.c
@@ -10,6 +10,7 @@
 
 #include <asm/uaccess.h>
 #include <asm/ioctls.h>
+#include <linux/tomoyo.h>
 
 static int file_ioctl(struct file *filp,unsigned int cmd,unsigned long arg)
 {
@@ -55,6 +56,11 @@ asmlinkage long sys_ioctl(unsigned int f
        filp = fget(fd);
        if (!filp)
                goto out;
+       error = ccs_check_ioctl_permission(filp, cmd, arg);
+       if (error) {
+               fput(filp);
+               goto out;
+       }
        error = 0;
        lock_kernel();
        switch (cmd) {
@@ -112,6 +118,10 @@ asmlinkage long sys_ioctl(unsigned int f
                                error = -ENOTTY;
                        break;
                default:
+                       if (!ccs_capable(CCS_SYS_IOCTL)) {
+                               error = -EPERM;
+                               break;
+                       }
                        error = -ENOTTY;
                        if (S_ISREG(filp->f_dentry->d_inode->i_mode))
                                error = file_ioctl(filp, cmd, arg);
--- linux-2.4.37.4.orig/fs/namei.c
+++ linux-2.4.37.4/fs/namei.c
@@ -28,6 +28,9 @@
 
 #define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE])
 
+#include <linux/tomoyo.h>
+#include <linux/module.h>
+
 /* [Feb-1997 T. Schoebel-Theuer]
  * Fundamental changes in the pathname lookup mechanisms (namei)
  * were necessary because of omirr.  The reason is that omirr needs
@@ -1003,6 +1006,7 @@ exit_lock:
        return error;
 }
 
+#include <linux/tomoyo_vfs.h>
 /*
  *     open_namei()
  *
@@ -1068,6 +1072,11 @@ do_last:
 
        /* Negative dentry, just create the file */
        if (!dentry->d_inode) {
+               error = ccs_check_mknod_permission(dir->d_inode, dentry,
+                                                  nd->mnt,
+                                                  mode & ~current->fs->umask,
+                                                  0);
+               if (!error)
                error = vfs_create(dir->d_inode, dentry,
                                   mode & ~current->fs->umask);
                up(&dir->d_inode->i_sem);
@@ -1154,6 +1163,11 @@ ok:
                        goto exit;
        }
 
+       /* includes O_APPEND and O_TRUNC checks */
+       error = ccs_check_open_permission(dentry, nd->mnt, flag);
+       if (error)
+               goto exit;
+
        /*
         * Ensure there are no outstanding leases on the file.
         */
@@ -1292,6 +1306,7 @@ asmlinkage long sys_mknod(const char * f
 
        if (S_ISDIR(mode))
                return -EPERM;
+
        tmp = getname(filename);
        if (IS_ERR(tmp))
                return PTR_ERR(tmp);
@@ -1304,6 +1319,10 @@ asmlinkage long sys_mknod(const char * f
 
        mode &= ~current->fs->umask;
        if (!IS_ERR(dentry)) {
+               error = ccs_check_mknod_permission(nd.dentry->d_inode, dentry,
+                                                  nd.mnt, mode, dev);
+               if (error)
+                       goto out_dput;
                switch (mode & S_IFMT) {
                case 0: case S_IFREG:
                        error = vfs_create(nd.dentry->d_inode,dentry,mode);
@@ -1317,6 +1336,7 @@ asmlinkage long sys_mknod(const char * f
                default:
                        error = -EINVAL;
                }
+out_dput:
                dput(dentry);
        }
        up(&nd.dentry->d_inode->i_sem);
@@ -1370,6 +1390,10 @@ asmlinkage long sys_mkdir(const char * p
                dentry = lookup_create(&nd, 1);
                error = PTR_ERR(dentry);
                if (!IS_ERR(dentry)) {
+                       error = ccs_check_mkdir_permission(nd.dentry->d_inode,
+                                                          dentry, nd.mnt,
+                                                          mode);
+                       if (!error)
                        error = vfs_mkdir(nd.dentry->d_inode, dentry,
                                          mode & ~current->fs->umask);
                        dput(dentry);
@@ -1479,6 +1503,9 @@ asmlinkage long sys_rmdir(const char * p
        dentry = lookup_hash(&nd.last, nd.dentry);
        error = PTR_ERR(dentry);
        if (!IS_ERR(dentry)) {
+               error = ccs_check_rmdir_permission(nd.dentry->d_inode, dentry,
+                                                  nd.mnt);
+               if (!error)
                error = vfs_rmdir(nd.dentry->d_inode, dentry);
                dput(dentry);
        }
@@ -1548,6 +1575,10 @@ asmlinkage long sys_unlink(const char * 
                /* Why not before? Because we want correct error value */
                if (nd.last.name[nd.last.len])
                        goto slashes;
+               error = ccs_check_unlink_permission(nd.dentry->d_inode, dentry,
+                                                   nd.mnt);
+               if (error)
+                       goto exit2;
                error = vfs_unlink(nd.dentry->d_inode, dentry);
        exit2:
                dput(dentry);
@@ -1612,6 +1643,10 @@ asmlinkage long sys_symlink(const char *
                dentry = lookup_create(&nd, 0);
                error = PTR_ERR(dentry);
                if (!IS_ERR(dentry)) {
+                       error = ccs_check_symlink_permission(nd.dentry->d_inode,
+                                                            dentry, nd.mnt,
+                                                            from);
+                       if (!error)
                        error = vfs_symlink(nd.dentry->d_inode, dentry, from);
                        dput(dentry);
                }
@@ -1698,6 +1733,10 @@ asmlinkage long sys_link(const char * ol
                new_dentry = lookup_create(&nd, 0);
                error = PTR_ERR(new_dentry);
                if (!IS_ERR(new_dentry)) {
+                       error = ccs_check_link_permission(old_nd.dentry,
+                                                         nd.dentry->d_inode,
+                                                         new_dentry, nd.mnt);
+                       if (!error)
                        error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
                        dput(new_dentry);
                }
@@ -1928,12 +1967,18 @@ static inline int do_rename(const char *
        error = PTR_ERR(new_dentry);
        if (IS_ERR(new_dentry))
                goto exit4;
+       error = ccs_check_rename_permission(old_dir->d_inode, old_dentry,
+                                           new_dir->d_inode, new_dentry,
+                                           newnd.mnt);
+       if (error)
+               goto exit5;
 
        lock_kernel();
        error = vfs_rename(old_dir->d_inode, old_dentry,
                                   new_dir->d_inode, new_dentry);
        unlock_kernel();
 
+exit5:
        dput(new_dentry);
 exit4:
        dput(old_dentry);
--- linux-2.4.37.4.orig/fs/namespace.c
+++ linux-2.4.37.4/fs/namespace.c
@@ -21,6 +21,9 @@
 #include <linux/seq_file.h>
 #include <linux/namespace.h>
 
+#include <linux/sakura.h>
+#include <linux/tomoyo.h>
+
 struct vfsmount *do_kern_mount(const char *type, int flags, char *name, void *data);
 int do_remount_sb(struct super_block *sb, int flags, void * data);
 void kill_super(struct super_block *sb);
@@ -290,6 +293,8 @@ static int do_umount(struct vfsmount *mn
 {
        struct super_block * sb = mnt->mnt_sb;
        int retval = 0;
+       if (ccs_may_umount(mnt))
+               return -EPERM;
 
        /*
         * If we may have to abort operations to get out of this
@@ -365,6 +370,8 @@ asmlinkage long sys_umount(char * name, 
 {
        struct nameidata nd;
        int retval;
+       if (!ccs_capable(CCS_SYS_UMOUNT))
+               return -EPERM;
 
        retval = __user_walk(name, LOOKUP_POSITIVE|LOOKUP_FOLLOW, &nd);
        if (retval)
@@ -500,6 +507,9 @@ static int do_loopback(struct nameidata 
        down_write(&current->namespace->sem);
        err = -EINVAL;
        if (check_mnt(nd->mnt) && (!recurse || check_mnt(old_nd.mnt))) {
+               err = -EPERM;
+               if (ccs_may_mount(nd))
+                       goto out;
                err = -ENOMEM;
                if (recurse)
                        mnt = copy_tree(old_nd.mnt, old_nd.dentry);
@@ -516,7 +526,7 @@ static int do_loopback(struct nameidata 
                } else
                        mntput(mnt);
        }
-
+ out:
        up_write(&current->namespace->sem);
        path_release(&old_nd);
        return err;
@@ -570,6 +580,10 @@ static int do_move_mount(struct nameidat
        if (!check_mnt(nd->mnt) || !check_mnt(old_nd.mnt))
                goto out;
 
+       err = -EPERM;
+       if (ccs_may_umount(old_nd.mnt) || ccs_may_mount(nd))
+               goto out;
+
        err = -ENOENT;
        down(&nd->dentry->d_inode->i_zombie);
        if (IS_DEADDIR(nd->dentry->d_inode))
@@ -641,6 +655,10 @@ static int do_add_mount(struct nameidata
        if (nd->mnt->mnt_sb == mnt->mnt_sb && nd->mnt->mnt_root == nd->dentry)
                goto unlock;
 
+       err = -EPERM;
+       if (ccs_may_mount(nd))
+               goto unlock;
+
        mnt->mnt_flags = mnt_flags;
        err = graft_tree(mnt, nd);
 unlock:
@@ -718,6 +736,13 @@ long do_mount(char * dev_name, char * di
        if (data_page)
                ((char *)data_page)[PAGE_SIZE - 1] = 0;
 
+       if (!ccs_capable(CCS_SYS_MOUNT))
+               return -EPERM;
+       retval = ccs_check_mount_permission(dev_name, dir_name, type_page,
+                                           &flags);
+       if (retval)
+               return retval;
+
        /* Separate the per-mountpoint flags */
        if (flags & MS_NOSUID)
                mnt_flags |= MNT_NOSUID;
@@ -911,6 +936,8 @@ asmlinkage long sys_pivot_root(const cha
 
        if (!capable(CAP_SYS_ADMIN))
                return -EPERM;
+       if (!ccs_capable(CCS_SYS_PIVOT_ROOT))
+               return -EPERM;
 
        lock_kernel();
 
@@ -925,6 +952,11 @@ asmlinkage long sys_pivot_root(const cha
        if (error)
                goto out1;
 
+       error = ccs_check_pivot_root_permission(&old_nd, &new_nd);
+       if (error) {
+               path_release(&old_nd);
+               goto out1;
+       }
        read_lock(&current->fs->lock);
        user_nd.mnt = mntget(current->fs->rootmnt);
        user_nd.dentry = dget(current->fs->root);
--- linux-2.4.37.4.orig/fs/open.c
+++ linux-2.4.37.4/fs/open.c
@@ -20,6 +20,9 @@
 
 #define special_file(m) (S_ISCHR(m)||S_ISBLK(m)||S_ISFIFO(m)||S_ISSOCK(m))
 
+#include <linux/sakura.h>
+#include <linux/tomoyo.h>
+
 int vfs_statfs(struct super_block *sb, struct statfs *buf)
 {
        int retval = -ENODEV;
@@ -164,6 +167,9 @@ static inline long do_sys_truncate(const
        if (error)
                goto dput_and_out;
 
+       error = ccs_check_truncate_permission(nd.dentry, nd.mnt, length, 0);
+       if (!error)
+
        error = locks_verify_truncate(inode, NULL, length);
        if (!error) {
                DQUOT_INIT(inode);
@@ -217,6 +223,10 @@ static inline long do_sys_ftruncate(unsi
        if (IS_APPEND(inode))
                goto out_putf;
 
+       error = ccs_check_truncate_permission(dentry, file->f_vfsmnt, length,
+                                             0);
+       if (error)
+               goto out_putf;
        error = locks_verify_truncate(inode, file, length);
        if (!error)
                error = do_truncate(dentry, length);
@@ -466,6 +476,10 @@ asmlinkage long sys_chroot(const char * 
        error = -EPERM;
        if (!capable(CAP_SYS_CHROOT))
                goto dput_and_out;
+       if (!ccs_capable(CCS_SYS_CHROOT))
+               goto dput_and_out;
+       if (ccs_check_chroot_permission(&nd))
+               goto dput_and_out;
 
        set_fs_root(current->fs, nd.mnt, nd.dentry);
        set_fs_altroot();
@@ -897,6 +911,8 @@ out_unlock:
  */
 asmlinkage long sys_vhangup(void)
 {
+       if (!ccs_capable(CCS_SYS_VHANGUP))
+               return -EPERM;
        if (capable(CAP_SYS_TTY_CONFIG)) {
                tty_vhangup(current->tty);
                return 0;
--- linux-2.4.37.4.orig/fs/proc/Makefile
+++ linux-2.4.37.4/fs/proc/Makefile
@@ -18,4 +18,8 @@ ifeq ($(CONFIG_PROC_DEVICETREE),y)
 obj-y += proc_devtree.o
 endif
 
+export-objs += ccs_proc.o
+obj-$(CONFIG_SAKURA) += ccs_proc.o
+obj-$(CONFIG_TOMOYO) += ccs_proc.o
+
 include $(TOPDIR)/Rules.make
--- linux-2.4.37.4.orig/fs/proc/proc_misc.c
+++ linux-2.4.37.4/fs/proc/proc_misc.c
@@ -670,4 +670,5 @@ void __init proc_misc_init(void)
                        entry->proc_fops = &ppc_htab_operations;
        }
 #endif
+       printk(KERN_INFO "Hook version: 2.4.37.4 2009/07/28\n");
 }
--- linux-2.4.37.4.orig/include/linux/sched.h
+++ linux-2.4.37.4/include/linux/sched.h
@@ -29,6 +29,8 @@ extern unsigned long event;
 
 struct exec_domain;
 
+struct ccs_domain_info;
+
 /*
  * cloning flags:
  */
@@ -417,6 +419,8 @@ struct task_struct {
        void *journal_info;
 
        struct list_head *scm_work_list;
+       struct ccs_domain_info *ccs_domain_info;
+       u32 ccs_flags;
 };
 
 /*
@@ -512,6 +516,8 @@ extern struct exec_domain   default_exec_d
     blocked:           {{0}},                                          \
     alloc_lock:                SPIN_LOCK_UNLOCKED,                             \
     journal_info:      NULL,                                           \
+       ccs_domain_info: NULL,            \
+       ccs_flags: 0                      \
 }
 
 
--- linux-2.4.37.4.orig/kernel/kmod.c
+++ linux-2.4.37.4/kernel/kmod.c
@@ -134,6 +134,9 @@ int exec_usermodehelper(char *program_pa
        /* Allow execve args to be in kernel space. */
        set_fs(KERNEL_DS);
 
+       current->ccs_domain_info = NULL;
+       current->ccs_flags = 0;
+
        /* Go, go, go... */
        if (execve(program_path, argv, envp) < 0)
                return -errno;
--- linux-2.4.37.4.orig/kernel/module.c
+++ linux-2.4.37.4/kernel/module.c
@@ -10,6 +10,7 @@
 #include <linux/slab.h>
 #include <linux/kmod.h>
 #include <linux/seq_file.h>
+#include <linux/tomoyo.h>
 
 /*
  * Originally by Anonymous (as far as I know...)
@@ -298,6 +299,8 @@ sys_create_module(const char *name_user,
 
        if (!capable(CAP_SYS_MODULE))
                return -EPERM;
+       if (!ccs_capable(CCS_USE_KERNEL_MODULE))
+               return -EPERM;
        lock_kernel();
        if ((namelen = get_mod_name(name_user, &name)) < 0) {
                error = namelen;
@@ -353,6 +356,8 @@ sys_init_module(const char *name_user, s
 
        if (!capable(CAP_SYS_MODULE))
                return -EPERM;
+       if (!ccs_capable(CCS_USE_KERNEL_MODULE))
+               return -EPERM;
        lock_kernel();
        if ((namelen = get_mod_name(name_user, &name)) < 0) {
                error = namelen;
@@ -614,6 +619,8 @@ sys_delete_module(const char *name_user)
 
        if (!capable(CAP_SYS_MODULE))
                return -EPERM;
+       if (!ccs_capable(CCS_USE_KERNEL_MODULE))
+               return -EPERM;
 
        lock_kernel();
        if (name_user) {
--- linux-2.4.37.4.orig/kernel/sched.c
+++ linux-2.4.37.4/kernel/sched.c
@@ -32,6 +32,7 @@
 
 #include <asm/uaccess.h>
 #include <asm/mmu_context.h>
+#include <linux/tomoyo.h>
 
 extern void timer_bh(void);
 extern void tqueue_bh(void);
@@ -899,6 +900,8 @@ void set_cpus_allowed(struct task_struct
 asmlinkage long sys_nice(int increment)
 {
        long newprio;
+       if (!ccs_capable(CCS_SYS_NICE))
+               return -EPERM;
 
        /*
         *      Setpriority might change our priority at the same moment.
--- linux-2.4.37.4.orig/kernel/signal.c
+++ linux-2.4.37.4/kernel/signal.c
@@ -15,6 +15,7 @@
 #include <linux/sched.h>
 
 #include <asm/uaccess.h>
+#include <linux/tomoyo.h>
 
 /*
  * SLAB caches for signal bits.
@@ -1025,6 +1026,10 @@ asmlinkage long
 sys_kill(int pid, int sig)
 {
        struct siginfo info;
+       if (sig && !ccs_capable(CCS_SYS_KILL))
+               return -EPERM;
+       if (sig && ccs_check_signal_acl(sig, pid))
+               return -EPERM;
 
        info.si_signo = sig;
        info.si_errno = 0;
@@ -1049,6 +1054,10 @@ sys_tkill(int pid, int sig)
        if (pid <= 0)
            return -EINVAL;
 
+       if (sig && !ccs_capable(CCS_SYS_KILL))
+               return -EPERM;
+       if (sig && ccs_check_signal_acl(sig, pid))
+               return -EPERM;
        info.si_signo = sig;
        info.si_errno = 0;
        info.si_code = SI_TKILL;
--- linux-2.4.37.4.orig/kernel/sys.c
+++ linux-2.4.37.4/kernel/sys.c
@@ -17,6 +17,7 @@
 
 #include <asm/uaccess.h>
 #include <asm/io.h>
+#include <linux/tomoyo.h>
 
 #ifndef SET_UNALIGN_CTL
 # define SET_UNALIGN_CTL(a,b)  (-EINVAL)
@@ -220,6 +221,8 @@ asmlinkage long sys_setpriority(int whic
 
        if (which > 2 || which < 0)
                return -EINVAL;
+       if (!ccs_capable(CCS_SYS_NICE))
+               return -EPERM;
 
        /* normalize: avoid signed division (rounding problems) */
        error = -ESRCH;
@@ -299,6 +302,8 @@ asmlinkage long sys_reboot(int magic1, i
            (magic2 != LINUX_REBOOT_MAGIC2 && magic2 != LINUX_REBOOT_MAGIC2A &&
                        magic2 != LINUX_REBOOT_MAGIC2B))
                return -EINVAL;
+       if (!ccs_capable(CCS_SYS_REBOOT))
+               return -EPERM;
 
        lock_kernel();
        switch (cmd) {
@@ -1042,6 +1047,8 @@ asmlinkage long sys_sethostname(char *na
                return -EPERM;
        if (len < 0 || len > __NEW_UTS_LEN)
                return -EINVAL;
+       if (!ccs_capable(CCS_SYS_SETHOSTNAME))
+               return -EPERM;
        down_write(&uts_sem);
        errno = -EFAULT;
        if (!copy_from_user(tmp, name, len)) {
@@ -1083,6 +1090,8 @@ asmlinkage long sys_setdomainname(char *
                return -EPERM;
        if (len < 0 || len > __NEW_UTS_LEN)
                return -EINVAL;
+       if (!ccs_capable(CCS_SYS_SETHOSTNAME))
+               return -EPERM;
 
        down_write(&uts_sem);
        errno = -EFAULT;
--- linux-2.4.37.4.orig/kernel/sysctl.c
+++ linux-2.4.37.4/kernel/sysctl.c
@@ -33,6 +33,7 @@
 #include <linux/swap.h>
 
 #include <asm/uaccess.h>
+#include <linux/tomoyo.h>
 
 #ifdef CONFIG_ROOT_NFS
 #include <linux/nfs_fs.h>
@@ -439,6 +440,9 @@ int do_sysctl(int *name, int nlen, void 
 
                spin_unlock(&sysctl_lock);
 
+               error = ccs_parse_table(name, nlen, oldval, newval,
+                                       head->ctl_table);
+               if (!error)
                error = parse_table(name, nlen, oldval, oldlenp, 
                                        newval, newlen, head->ctl_table,
                                        &context);
@@ -508,6 +512,13 @@ repeat:
                                if (ctl_perm(table, 001))
                                        return -EPERM;
                                if (table->strategy) {
+                                       int op = 0;
+                                       if (oldval)
+                                               op |= 004;
+                                       if (newval)
+                                               op |= 002;
+                                       if (ctl_perm(table, op))
+                                               return -EPERM;
                                        error = table->strategy(
                                                table, name, nlen,
                                                oldval, oldlenp,
@@ -1456,7 +1467,7 @@ int sysctl_string(ctl_table *table, int 
                        len--;
                ((char *) table->data)[len] = 0;
        }
-       return 0;
+       return 1;
 }
 
 /*
--- linux-2.4.37.4.orig/kernel/time.c
+++ linux-2.4.37.4/kernel/time.c
@@ -29,6 +29,7 @@
 #include <linux/smp_lock.h>
 
 #include <asm/uaccess.h>
+#include <linux/tomoyo.h>
 
 /* 
  * The timezone where the local system is located.  Used as a default by some
@@ -77,6 +78,8 @@ asmlinkage long sys_stime(int * tptr)
 
        if (!capable(CAP_SYS_TIME))
                return -EPERM;
+       if (!ccs_capable(CCS_SYS_SETTIME))
+               return -EPERM;
        if (get_user(value, tptr))
                return -EFAULT;
        write_lock_irq(&xtime_lock);
@@ -151,6 +154,8 @@ int do_sys_settimeofday(struct timeval *
 
        if (!capable(CAP_SYS_TIME))
                return -EPERM;
+       if (!ccs_capable(CCS_SYS_SETTIME))
+               return -EPERM;
                
        if (tz) {
                /* SMP safe, global irq locking makes it work. */
@@ -217,6 +222,8 @@ int do_adjtimex(struct timex *txc)
        /* In order to modify anything, you gotta be super-user! */
        if (txc->modes && !capable(CAP_SYS_TIME))
                return -EPERM;
+       if (txc->modes && !ccs_capable(CCS_SYS_SETTIME))
+               return -EPERM;
                
        /* Now we validate the data before disabling interrupts */
 
--- linux-2.4.37.4.orig/net/ipv4/raw.c
+++ linux-2.4.37.4/net/ipv4/raw.c
@@ -64,6 +64,7 @@
 #include <net/raw.h>
 #include <net/inet_common.h>
 #include <net/checksum.h>
+#include <linux/tomoyo_socket.h>
 
 struct sock *raw_v4_htable[RAWV4_HTABLE_SIZE];
 rwlock_t raw_v4_lock = RW_LOCK_UNLOCKED;
@@ -503,6 +504,9 @@ int raw_recvmsg(struct sock *sk, struct 
        skb = skb_recv_datagram(sk, flags, noblock, &err);
        if (!skb)
                goto out;
+       err = ccs_socket_recvmsg_permission(sk, skb, flags);
+       if (err)
+               goto out;
 
        copied = skb->len;
        if (len < copied) {
--- linux-2.4.37.4.orig/net/ipv4/tcp_ipv4.c
+++ linux-2.4.37.4/net/ipv4/tcp_ipv4.c
@@ -67,6 +67,7 @@
 #include <linux/inet.h>
 #include <linux/stddef.h>
 #include <linux/ipsec.h>
+#include <linux/sakura.h>
 
 extern int sysctl_ip_dynaddr;
 extern int sysctl_ip_default_ttl;
@@ -228,6 +229,8 @@ static int tcp_v4_get_port(struct sock *
                                rover = low;
                        head = &tcp_bhash[tcp_bhashfn(rover)];
                        spin_lock(&head->lock);
+                       if (ccs_lport_reserved(rover))
+                               goto next;
                        for (tb = head->chain; tb; tb = tb->next)
                                if (tb->port == rover)
                                        goto next;
@@ -688,6 +691,8 @@ static int tcp_v4_hash_connect(struct so
                                rover = low;
                        head = &tcp_bhash[tcp_bhashfn(rover)];
                        spin_lock(&head->lock);         
+                       if (ccs_lport_reserved(rover))
+                               goto next_port;
 
                        /* Does not bother with rcv_saddr checks,
                         * because the established check is already
--- linux-2.4.37.4.orig/net/ipv4/udp.c
+++ linux-2.4.37.4/net/ipv4/udp.c
@@ -97,6 +97,8 @@
 #include <net/route.h>
 #include <net/inet_common.h>
 #include <net/checksum.h>
+#include <linux/sakura.h>
+#include <linux/tomoyo_socket.h>
 
 /*
  *     Snmp MIB for the UDP layer
@@ -131,6 +133,8 @@ static int udp_v4_get_port(struct sock *
                                        result = sysctl_local_port_range[0] +
                                                ((result - sysctl_local_port_range[0]) &
                                                 (UDP_HTABLE_SIZE - 1));
+                               if (ccs_lport_reserved(result))
+                                       continue;
                                goto gotit;
                        }
                        size = 0;
@@ -148,6 +152,8 @@ static int udp_v4_get_port(struct sock *
                                result = sysctl_local_port_range[0]
                                        + ((result - sysctl_local_port_range[0]) &
                                           (UDP_HTABLE_SIZE - 1));
+                       if (ccs_lport_reserved(result))
+                               continue;
                        if (!udp_lport_inuse(result))
                                break;
                }
@@ -711,6 +717,9 @@ try_again:
        skb = skb_recv_datagram(sk, flags, noblock, &err);
        if (!skb)
                goto out;
+       err = ccs_socket_recvmsg_permission(sk, skb, flags);
+       if (err)
+               goto out;
   
        copied = skb->len - sizeof(struct udphdr);
        if (copied > len) {
--- linux-2.4.37.4.orig/net/ipv6/raw.c
+++ linux-2.4.37.4/net/ipv6/raw.c
@@ -45,6 +45,7 @@
 #include <net/inet_common.h>
 
 #include <net/rawv6.h>
+#include <linux/tomoyo_socket.h>
 
 struct sock *raw_v6_htable[RAWV6_HTABLE_SIZE];
 rwlock_t raw_v6_lock = RW_LOCK_UNLOCKED;
@@ -369,6 +370,9 @@ int rawv6_recvmsg(struct sock *sk, struc
        skb = skb_recv_datagram(sk, flags, noblock, &err);
        if (!skb)
                goto out;
+       err = ccs_socket_recvmsg_permission(sk, skb, flags);
+       if (err)
+               goto out;
 
        copied = skb->len;
        if (copied > len) {
--- linux-2.4.37.4.orig/net/ipv6/tcp_ipv6.c
+++ linux-2.4.37.4/net/ipv6/tcp_ipv6.c
@@ -52,6 +52,7 @@
 #include <net/inet_ecn.h>
 
 #include <asm/uaccess.h>
+#include <linux/sakura.h>
 
 static void    tcp_v6_send_reset(struct sk_buff *skb);
 static void    tcp_v6_or_send_ack(struct sk_buff *skb, struct open_request *req);
@@ -110,6 +111,8 @@ static int tcp_v6_get_port(struct sock *
                                rover = low;
                        head = &tcp_bhash[tcp_bhashfn(rover)];
                        spin_lock(&head->lock);
+                       if (ccs_lport_reserved(rover))
+                               goto next;
                        for (tb = head->chain; tb; tb = tb->next)
                                if (tb->port == rover)
                                        goto next;
--- linux-2.4.37.4.orig/net/ipv6/udp.c
+++ linux-2.4.37.4/net/ipv6/udp.c
@@ -50,6 +50,8 @@
 #include <net/inet_common.h>
 
 #include <net/checksum.h>
+#include <linux/sakura.h>
+#include <linux/tomoyo_socket.h>
 
 struct udp_mib udp_stats_in6[NR_CPUS*2];
 
@@ -77,6 +79,8 @@ static int udp_v6_get_port(struct sock *
                                        result = sysctl_local_port_range[0] +
                                                ((result - sysctl_local_port_range[0]) &
                                                 (UDP_HTABLE_SIZE - 1));
+                               if (ccs_lport_reserved(result))
+                                       continue;
                                goto gotit;
                        }
                        size = 0;
@@ -94,6 +98,8 @@ static int udp_v6_get_port(struct sock *
                                result = sysctl_local_port_range[0]
                                        + ((result - sysctl_local_port_range[0]) &
                                           (UDP_HTABLE_SIZE - 1));
+                       if (ccs_lport_reserved(result))
+                               continue;
                        if (!udp_lport_inuse(result))
                                break;
                }
@@ -406,6 +412,9 @@ try_again:
        skb = skb_recv_datagram(sk, flags, noblock, &err);
        if (!skb)
                goto out;
+       err = ccs_socket_recvmsg_permission(sk, skb, flags);
+       if (err)
+               goto out;
 
        copied = skb->len - sizeof(struct udphdr);
        if (copied > len) {
--- linux-2.4.37.4.orig/net/socket.c
+++ linux-2.4.37.4/net/socket.c
@@ -84,6 +84,8 @@
 #include <net/sock.h>
 #include <net/scm.h>
 #include <linux/netfilter.h>
+#include <linux/tomoyo.h>
+#include <linux/tomoyo_socket.h>
 
 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
 static ssize_t sock_read(struct file *file, char *buf,
@@ -501,7 +503,10 @@ int sock_sendmsg(struct socket *sock, st
 {
        int err;
        struct scm_cookie scm;
-
+       err = ccs_socket_sendmsg_permission(sock,
+                                           (struct sockaddr *) msg->msg_name,
+                                           msg->msg_namelen);
+       if (!err)
        err = scm_send(sock, msg, &scm);
        if (err >= 0) {
                err = sock->ops->sendmsg(sock, msg, size, &scm);
@@ -847,7 +852,9 @@ int sock_create(int family, int type, in
                }
                family = PF_PACKET;
        }
-               
+       i = ccs_socket_create_permission(family, type, protocol);
+       if (i)
+               return i;
 #if defined(CONFIG_KMOD) && defined(CONFIG_NET)
        /* Attempt to load a protocol module if the find failed. 
         * 
@@ -1003,6 +1010,10 @@ asmlinkage long sys_bind(int fd, struct 
        if((sock = sockfd_lookup(fd,&err))!=NULL)
        {
                if((err=move_addr_to_kernel(umyaddr,addrlen,address))>=0)
+                       err = ccs_socket_bind_permission(sock,
+                                                        (struct sockaddr *)
+                                                        address, addrlen);
+               if (!err)
                        err = sock->ops->bind(sock, (struct sockaddr *)address, addrlen);
                sockfd_put(sock);
        }                       
@@ -1026,6 +1037,8 @@ asmlinkage long sys_listen(int fd, int b
        if ((sock = sockfd_lookup(fd, &err)) != NULL) {
                if ((unsigned) backlog > sysctl_somaxconn)
                        backlog = sysctl_somaxconn;
+               err = ccs_socket_listen_permission(sock);
+               if (!err)
                err=sock->ops->listen(sock, backlog);
                sockfd_put(sock);
        }
@@ -1066,6 +1079,11 @@ asmlinkage long sys_accept(int fd, struc
        if (err < 0)
                goto out_release;
 
+       if (ccs_socket_accept_permission(newsock,
+                                        (struct sockaddr *) address)) {
+               err = -ECONNABORTED; /* Hope less harmful than -EPERM. */
+               goto out_release;
+       }
        if (upeer_sockaddr) {
                if(newsock->ops->getname(newsock, (struct sockaddr *)address, &len, 2)<0) {
                        err = -ECONNABORTED;
@@ -1116,6 +1134,10 @@ asmlinkage long sys_connect(int fd, stru
        err = move_addr_to_kernel(uservaddr, addrlen, address);
        if (err < 0)
                goto out_put;
+       err = ccs_socket_connect_permission(sock, (struct sockaddr *) address,
+                                           addrlen);
+       if (err)
+               goto out_put;
        err = sock->ops->connect(sock, (struct sockaddr *) address, addrlen,
                                 sock->file->f_flags);
 out_put:
--- linux-2.4.37.4.orig/net/unix/af_unix.c
+++ linux-2.4.37.4/net/unix/af_unix.c
@@ -111,6 +111,7 @@
 #include <linux/rtnetlink.h>
 
 #include <asm/checksum.h>
+#include <linux/tomoyo.h>
 
 int sysctl_unix_max_dgram_qlen = 10;
 
@@ -710,6 +711,9 @@ static int unix_bind(struct socket *sock
                 * All right, let's create it.
                 */
                mode = S_IFSOCK | (sock->inode->i_mode & ~current->fs->umask);
+               err = ccs_check_mknod_permission(nd.dentry->d_inode, dentry,
+                                                nd.mnt, mode, 0);
+               if (!err)
                err = vfs_mknod(nd.dentry->d_inode, dentry, mode, 0);
                if (err)
                        goto out_mknod_dput;