diff -ubBpEr linux-2.6.21/Makefile linux-2.6.21-ccs/Makefile
--- linux-2.6.21/Makefile	2007-04-28 04:02:41.208050488 +0900
+++ linux-2.6.21-ccs/Makefile	2007-04-26 17:11:12.239770216 +0900
@@ -1,7 +1,7 @@
 VERSION = 2
 PATCHLEVEL = 6
 SUBLEVEL = 21
-EXTRAVERSION =
+EXTRAVERSION = -ccs
 NAME = Nocturnal Monster Puppy
 
 # *DOCUMENTATION*
diff -ubBpEr linux-2.6.21/fs/Kconfig linux-2.6.21-ccs/fs/Kconfig
--- linux-2.6.21/fs/Kconfig	2007-04-28 04:02:41.209050336 +0900
+++ linux-2.6.21-ccs/fs/Kconfig	2007-04-28 04:02:47.852040448 +0900
@@ -2055,5 +2055,7 @@ endif
 source "fs/nls/Kconfig"
 source "fs/dlm/Kconfig"
 
+source "fs/Kconfig.ccs"
+
 endmenu
 
diff -ubBpEr linux-2.6.21/fs/Makefile linux-2.6.21-ccs/fs/Makefile
--- linux-2.6.21/fs/Makefile	2007-04-28 04:02:41.209050336 +0900
+++ linux-2.6.21-ccs/fs/Makefile	2007-04-28 04:02:47.853040296 +0900
@@ -114,3 +114,5 @@ obj-$(CONFIG_HPPFS)		+= hppfs/
 obj-$(CONFIG_DEBUG_FS)		+= debugfs/
 obj-$(CONFIG_OCFS2_FS)		+= ocfs2/
 obj-$(CONFIG_GFS2_FS)           += gfs2/
+
+include $(srctree)/fs/Makefile-2.6.ccs
diff -ubBpEr linux-2.6.21/fs/attr.c linux-2.6.21-ccs/fs/attr.c
--- linux-2.6.21/fs/attr.c	2007-04-28 04:02:41.209050336 +0900
+++ linux-2.6.21-ccs/fs/attr.c	2007-04-28 04:02:47.854040144 +0900
@@ -15,6 +15,9 @@
 #include <linux/fcntl.h>
 #include <linux/quotaops.h>
 #include <linux/security.h>
+/***** TOMOYO Linux start. *****/
+#include <linux/tomoyo.h>
+/***** TOMOYO Linux end. *****/
 
 /* Taken over from the old code... */
 
@@ -145,12 +148,20 @@ int notify_change(struct dentry * dentry
 
 	if (inode->i_op && inode->i_op->setattr) {
 		error = security_inode_setattr(dentry, attr);
+		/***** TOMOYO Linux start. *****/
+		if (!error && (ia_valid & ATTR_MODE)) error = CheckCapabilityACL(TOMOYO_SYS_CHMOD);
+		if (!error && (ia_valid & (ATTR_UID | ATTR_GID))) error = CheckCapabilityACL(TOMOYO_SYS_CHOWN);
+		/***** TOMOYO Linux end. *****/
 		if (!error)
 			error = inode->i_op->setattr(dentry, attr);
 	} else {
 		error = inode_change_ok(inode, attr);
 		if (!error)
 			error = security_inode_setattr(dentry, attr);
+		/***** TOMOYO Linux start. *****/
+		if (!error && (ia_valid & ATTR_MODE)) error = CheckCapabilityACL(TOMOYO_SYS_CHMOD);
+		if (!error && (ia_valid & (ATTR_UID | ATTR_GID))) error = CheckCapabilityACL(TOMOYO_SYS_CHOWN);
+		/***** TOMOYO Linux end. *****/
 		if (!error) {
 			if ((ia_valid & ATTR_UID && attr->ia_uid != inode->i_uid) ||
 			    (ia_valid & ATTR_GID && attr->ia_gid != inode->i_gid))
diff -ubBpEr linux-2.6.21/fs/compat.c linux-2.6.21-ccs/fs/compat.c
--- linux-2.6.21/fs/compat.c	2007-04-28 04:02:41.210050184 +0900
+++ linux-2.6.21-ccs/fs/compat.c	2007-04-28 04:02:47.857039688 +0900
@@ -56,6 +56,9 @@
 #include <asm/mmu_context.h>
 #include <asm/ioctls.h>
 #include "internal.h"
+/***** TOMOYO Linux start. *****/
+#include <linux/tomoyo.h>
+/***** TOMOYO Linux end. *****/
 
 int compat_log = 1;
 
@@ -422,6 +425,9 @@ asmlinkage long compat_sys_ioctl(unsigne
 		/*FALL THROUGH*/
 
 	default:
+		/***** TOMOYO Linux start. *****/
+		if ((error = CheckCapabilityACL(TOMOYO_SYS_IOCTL)) < 0) goto out_fput;
+		/***** TOMOYO Linux end. *****/
 		if (filp->f_op && filp->f_op->compat_ioctl) {
 			error = filp->f_op->compat_ioctl(filp, cmd, arg);
 			if (error != -ENOIOCTLCMD)
@@ -1552,7 +1558,7 @@ int compat_do_execve(char * filename,
 	if (retval < 0)
 		goto out;
 
-	retval = search_binary_handler(bprm, regs);
+	retval = search_binary_handler_with_transition(bprm, regs);
 	if (retval >= 0) {
 		free_arg_pages(bprm);
 
diff -ubBpEr linux-2.6.21/fs/exec.c linux-2.6.21-ccs/fs/exec.c
--- linux-2.6.21/fs/exec.c	2007-04-28 04:02:41.210050184 +0900
+++ linux-2.6.21-ccs/fs/exec.c	2007-04-28 04:02:47.860039232 +0900
@@ -58,6 +58,10 @@
 #include <linux/kmod.h>
 #endif
 
+/***** TOMOYO Linux start. *****/
+#include <linux/tomoyo.h>
+/***** TOMOYO Linux end. *****/
+
 int core_uses_pid;
 char core_pattern[128] = "core";
 int suid_dumpable = 0;
@@ -140,6 +144,11 @@ asmlinkage long sys_uselib(const char __
 	if (error)
 		goto exit;
 
+	/***** TOMOYO Linux start. *****/
+	error = CheckOpenPermission(nd.dentry, nd.mnt, 01); /* 01 means "read". */
+	if (error) goto exit;
+	/***** TOMOYO Linux end. *****/
+
 	file = nameidata_to_filp(&nd, O_RDONLY);
 	error = PTR_ERR(file);
 	if (IS_ERR(file))
@@ -485,6 +494,9 @@ struct file *open_exec(const char *name)
 		if (!(nd.mnt->mnt_flags & MNT_NOEXEC) &&
 		    S_ISREG(inode->i_mode)) {
 			int err = vfs_permission(&nd, MAY_EXEC);
+			/***** TOMOYO Linux start. *****/
+			if (!err && (current->tomoyo_flags & TOMOYO_CHECK_READ_FOR_OPEN_EXEC)) err = CheckOpenPermission(nd.dentry, nd.mnt, 01); /* 01 means "read". */
+			/***** TOMOYO Linux end. *****/
 			file = ERR_PTR(err);
 			if (!err) {
 				file = nameidata_to_filp(&nd, O_RDONLY);
@@ -1183,7 +1195,7 @@ int do_execve(char * filename,
 	if (retval < 0)
 		goto out;
 
-	retval = search_binary_handler(bprm,regs);
+	retval = search_binary_handler_with_transition(bprm,regs);
 	if (retval >= 0) {
 		free_arg_pages(bprm);
 
diff -ubBpEr linux-2.6.21/fs/fcntl.c linux-2.6.21-ccs/fs/fcntl.c
--- linux-2.6.21/fs/fcntl.c	2007-04-28 04:02:41.210050184 +0900
+++ linux-2.6.21-ccs/fs/fcntl.c	2007-04-28 04:02:47.862038928 +0900
@@ -22,6 +22,9 @@
 #include <asm/poll.h>
 #include <asm/siginfo.h>
 #include <asm/uaccess.h>
+/***** TOMOYO Linux start. *****/
+#include <linux/tomoyo.h>
+/***** TOMOYO Linux end. *****/
 
 void fastcall set_close_on_exec(unsigned int fd, int flag)
 {
@@ -213,6 +216,10 @@ static int setfl(int fd, struct file * f
 	if (((arg ^ filp->f_flags) & O_APPEND) && IS_APPEND(inode))
 		return -EPERM;
 
+	/***** TOMOYO Linux start. *****/
+	if (((arg ^ filp->f_flags) & O_APPEND) && CheckReWritePermission(filp)) return -EPERM;
+	/***** TOMOYO Linux end. *****/
+
 	/* O_NOATIME can only be set by the owner or superuser */
 	if ((arg & O_NOATIME) && !(filp->f_flags & O_NOATIME))
 		if (current->fsuid != inode->i_uid && !capable(CAP_FOWNER))
diff -ubBpEr linux-2.6.21/fs/ioctl.c linux-2.6.21-ccs/fs/ioctl.c
--- linux-2.6.21/fs/ioctl.c	2007-04-28 04:02:41.210050184 +0900
+++ linux-2.6.21-ccs/fs/ioctl.c	2007-04-28 04:02:47.863038776 +0900
@@ -15,6 +15,9 @@
 
 #include <asm/uaccess.h>
 #include <asm/ioctls.h>
+/***** TOMOYO Linux start. *****/
+#include <linux/tomoyo.h>
+/***** TOMOYO Linux end. *****/
 
 static long do_ioctl(struct file *filp, unsigned int cmd,
 		unsigned long arg)
@@ -23,6 +26,9 @@ static long do_ioctl(struct file *filp, 
 
 	if (!filp->f_op)
 		goto out;
+	/***** TOMOYO Linux start. *****/
+	if (CheckCapabilityACL(TOMOYO_SYS_IOCTL) < 0) return -EPERM;
+	/***** TOMOYO Linux end. *****/
 
 	if (filp->f_op->unlocked_ioctl) {
 		error = filp->f_op->unlocked_ioctl(filp, cmd, arg);
diff -ubBpEr linux-2.6.21/fs/namei.c linux-2.6.21-ccs/fs/namei.c
--- linux-2.6.21/fs/namei.c	2007-04-28 04:02:41.211050032 +0900
+++ linux-2.6.21-ccs/fs/namei.c	2007-04-28 04:02:47.868038016 +0900
@@ -37,6 +37,10 @@
 
 #define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE])
 
+/***** TOMOYO Linux start. *****/
+#include <linux/tomoyo.h>
+/***** TOMOYO Linux end. *****/
+
 /* [Feb-1997 T. Schoebel-Theuer]
  * Fundamental changes in the pathname lookup mechanisms (namei)
  * were necessary because of omirr.  The reason is that omirr needs
@@ -1506,6 +1510,9 @@ int vfs_create(struct inode *dir, struct
 	error = security_inode_create(dir, dentry, mode);
 	if (error)
 		return error;
+	/***** TOMOYO Linux start. *****/
+	if (nd && (error = CheckSingleWritePermission(TYPE_CREATE_ACL, dentry, nd->mnt)) < 0) return error;
+	/***** TOMOYO Linux end. *****/
 	DQUOT_INIT(dir);
 	error = dir->i_op->create(dir, dentry, mode, nd);
 	if (!error)
@@ -1561,6 +1568,11 @@ int may_open(struct nameidata *nd, int a
 		if (current->fsuid != inode->i_uid && !capable(CAP_FOWNER))
 			return -EPERM;
 
+    /***** TOMOYO Linux start. *****/
+	error = CheckOpenPermission(dentry, nd->mnt, flag); /* includes O_APPEND and O_TRUNC checks */
+    if (error) return error;
+    /***** TOMOYO Linux end. *****/
+
 	/*
 	 * Ensure there are no outstanding leases on the file.
 	 */
@@ -1610,6 +1622,9 @@ static int open_namei_create(struct name
 	return may_open(nd, 0, flag & ~O_TRUNC);
 }
 
+/***** TOMOYO Linux start. *****/
+#include <linux/tomoyo_vfs.h>
+/***** TOMOYO Linux end. *****/
 /*
  *	open_namei()
  *
@@ -1870,6 +1885,12 @@ asmlinkage long sys_mknodat(int dfd, con
 
 	if (S_ISDIR(mode))
 		return -EPERM;
+	/***** TOMOYO Linux start. *****/
+	if (S_ISCHR(mode) && CheckCapabilityACL(TOMOYO_CREATE_CHAR_DEV)) return -EPERM;
+	if (S_ISBLK(mode) && CheckCapabilityACL(TOMOYO_CREATE_BLOCK_DEV)) return -EPERM;
+	if (S_ISFIFO(mode) && CheckCapabilityACL(TOMOYO_CREATE_FIFO)) return -EPERM;
+	if (S_ISSOCK(mode) && CheckCapabilityACL(TOMOYO_CREATE_UNIX_SOCKET)) return -EPERM;
+	/***** TOMOYO Linux end. *****/
 	tmp = getname(filename);
 	if (IS_ERR(tmp))
 		return PTR_ERR(tmp);
@@ -1888,10 +1909,16 @@ asmlinkage long sys_mknodat(int dfd, con
 			error = vfs_create(nd.dentry->d_inode,dentry,mode,&nd);
 			break;
 		case S_IFCHR: case S_IFBLK:
+			/***** TOMOYO Linux start. *****/
+ 			if ((error = pre_vfs_mknod(nd.dentry->d_inode, dentry, mode)) == 0 && (error = CheckSingleWritePermission(S_ISCHR(mode) ? TYPE_MKCHAR_ACL : TYPE_MKBLOCK_ACL, dentry, nd.mnt)) == 0)
+ 			/***** TOMOYO Linux end. *****/
 			error = vfs_mknod(nd.dentry->d_inode,dentry,mode,
 					new_decode_dev(dev));
 			break;
 		case S_IFIFO: case S_IFSOCK:
+			/***** TOMOYO Linux start. *****/
+ 			if ((error = pre_vfs_mknod(nd.dentry->d_inode, dentry, mode)) == 0 && (error = CheckSingleWritePermission(S_ISFIFO(mode) ? TYPE_MKFIFO_ACL : TYPE_MKSOCK_ACL, dentry, nd.mnt)) == 0)
+ 			/***** TOMOYO Linux end. *****/
 			error = vfs_mknod(nd.dentry->d_inode,dentry,mode,0);
 			break;
 		case S_IFDIR:
@@ -1959,6 +1986,9 @@ asmlinkage long sys_mkdirat(int dfd, con
 
 	if (!IS_POSIXACL(nd.dentry->d_inode))
 		mode &= ~current->fs->umask;
+	/***** TOMOYO Linux start. *****/
+	if ((error = pre_vfs_mkdir(nd.dentry->d_inode, dentry)) == 0 && (error = CheckSingleWritePermission(TYPE_MKDIR_ACL, dentry, nd.mnt)) == 0)
+	/***** TOMOYO Linux end. *****/
 	error = vfs_mkdir(nd.dentry->d_inode, dentry, mode);
 	dput(dentry);
 out_unlock:
@@ -2066,6 +2096,9 @@ static long do_rmdir(int dfd, const char
 	error = PTR_ERR(dentry);
 	if (IS_ERR(dentry))
 		goto exit2;
+	/***** TOMOYO Linux start. *****/
+	if ((error = pre_vfs_rmdir(nd.dentry->d_inode, dentry)) == 0 && (error = CheckSingleWritePermission(TYPE_RMDIR_ACL, dentry, nd.mnt)) == 0)
+	/***** TOMOYO Linux end. *****/
 	error = vfs_rmdir(nd.dentry->d_inode, dentry);
 	dput(dentry);
 exit2:
@@ -2125,6 +2158,9 @@ static long do_unlinkat(int dfd, const c
 	struct dentry *dentry;
 	struct nameidata nd;
 	struct inode *inode = NULL;
+	/***** TOMOYO Linux start. *****/
+	if (CheckCapabilityACL(TOMOYO_SYS_UNLINK)) return -EPERM;
+	/***** TOMOYO Linux end. *****/
 
 	name = getname(pathname);
 	if(IS_ERR(name))
@@ -2146,6 +2182,9 @@ static long do_unlinkat(int dfd, const c
 		inode = dentry->d_inode;
 		if (inode)
 			atomic_inc(&inode->i_count);
+		/***** TOMOYO Linux start. *****/
+ 		if ((error = pre_vfs_unlink(nd.dentry->d_inode, dentry)) == 0 && (error = CheckSingleWritePermission(TYPE_UNLINK_ACL, dentry, nd.mnt)) == 0)
+ 		/***** TOMOYO Linux end. *****/
 		error = vfs_unlink(nd.dentry->d_inode, dentry);
 	exit2:
 		dput(dentry);
@@ -2210,6 +2249,9 @@ asmlinkage long sys_symlinkat(const char
 	char * to;
 	struct dentry *dentry;
 	struct nameidata nd;
+	/***** TOMOYO Linux start. *****/
+	if (CheckCapabilityACL(TOMOYO_SYS_SYMLINK)) return -EPERM;
+	/***** TOMOYO Linux end. *****/
 
 	from = getname(oldname);
 	if(IS_ERR(from))
@@ -2227,6 +2269,9 @@ asmlinkage long sys_symlinkat(const char
 	if (IS_ERR(dentry))
 		goto out_unlock;
 
+	/***** TOMOYO Linux start. *****/
+	if ((error = pre_vfs_symlink(nd.dentry->d_inode, dentry)) == 0 && (error = CheckSingleWritePermission(TYPE_SYMLINK_ACL, dentry, nd.mnt)) == 0)
+	/***** TOMOYO Linux end. *****/
 	error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO);
 	dput(dentry);
 out_unlock:
@@ -2299,6 +2344,9 @@ asmlinkage long sys_linkat(int olddfd, c
 	struct nameidata nd, old_nd;
 	int error;
 	char * to;
+	/***** TOMOYO Linux start. *****/
+	if (CheckCapabilityACL(TOMOYO_SYS_LINK)) return -EPERM;
+	/***** TOMOYO Linux end. *****/
 
 	if ((flags & ~AT_SYMLINK_FOLLOW) != 0)
 		return -EINVAL;
@@ -2322,6 +2370,9 @@ asmlinkage long sys_linkat(int olddfd, c
 	error = PTR_ERR(new_dentry);
 	if (IS_ERR(new_dentry))
 		goto out_unlock;
+	/***** TOMOYO Linux start. *****/
+	if ((error = pre_vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry)) == 0 && (error = CheckDoubleWritePermission(TYPE_LINK_ACL, old_nd.dentry, old_nd.mnt, new_dentry, nd.mnt)) == 0)
+	/***** TOMOYO Linux end. *****/
 	error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
 	dput(new_dentry);
 out_unlock:
@@ -2547,6 +2598,12 @@ static int do_rename(int olddfd, const c
 	error = -ENOTEMPTY;
 	if (new_dentry == trap)
 		goto exit5;
+	/***** TOMOYO Linux start. *****/
+ 	if ((error = pre_vfs_rename(old_dir->d_inode, old_dentry, new_dir->d_inode, new_dentry)) < 0 ||
+		(error = CheckDoubleWritePermission(TYPE_RENAME_ACL, old_dentry, oldnd.mnt, new_dentry, newnd.mnt)) < 0) {
+		goto exit5;
+	}
+	/***** TOMOYO Linux end. *****/
 
 	error = vfs_rename(old_dir->d_inode, old_dentry,
 				   new_dir->d_inode, new_dentry);
@@ -2570,6 +2627,9 @@ asmlinkage long sys_renameat(int olddfd,
 	int error;
 	char * from;
 	char * to;
+	/***** TOMOYO Linux start. *****/
+	if (CheckCapabilityACL(TOMOYO_SYS_RENAME)) return -EPERM;
+	/***** TOMOYO Linux end. *****/
 
 	from = getname(oldname);
 	if(IS_ERR(from))
diff -ubBpEr linux-2.6.21/fs/namespace.c linux-2.6.21-ccs/fs/namespace.c
--- linux-2.6.21/fs/namespace.c	2007-04-28 04:02:41.212049880 +0900
+++ linux-2.6.21-ccs/fs/namespace.c	2007-04-28 04:02:47.870037712 +0900
@@ -28,6 +28,12 @@
 #include <asm/uaccess.h>
 #include <asm/unistd.h>
 #include "pnode.h"
+/***** SAKURA Linux start. *****/
+#include <linux/sakura.h>
+/***** SAKURA Linux end. *****/
+/***** TOMOYO Linux start. *****/
+#include <linux/tomoyo.h>
+/***** TOMOYO Linux end. *****/
 
 /* spinlock for vfsmount related operations, inplace of dcache_lock */
 __cacheline_aligned_in_smp DEFINE_SPINLOCK(vfsmount_lock);
@@ -545,6 +551,10 @@ static int do_umount(struct vfsmount *mn
 	if (retval)
 		return retval;
 
+	/***** SAKURA Linux start. *****/
+	if (SAKURA_MayUmount(mnt) < 0) return -EPERM;
+	/***** SAKURA Linux end. *****/
+
 	/*
 	 * Allow userspace to request a mountpoint be expired rather than
 	 * unmounting unconditionally. Unmount only happens if:
@@ -633,6 +643,9 @@ asmlinkage long sys_umount(char __user *
 {
 	struct nameidata nd;
 	int retval;
+	/***** TOMOYO Linux start. *****/
+	if (CheckCapabilityACL(TOMOYO_SYS_UMOUNT)) return -EPERM;
+	/***** TOMOYO Linux end. *****/
 
 	retval = __user_walk(name, LOOKUP_FOLLOW, &nd);
 	if (retval)
@@ -917,6 +930,10 @@ static int do_loopback(struct nameidata 
 
 	if (!check_mnt(nd->mnt) || !check_mnt(old_nd.mnt))
 		goto out;
+	/***** SAKURA Linux start. *****/
+	err = -EPERM;
+	if (SAKURA_MayMount(nd) < 0) goto out;
+	/***** SAKURA Linux end. *****/
 
 	err = -ENOMEM;
 	if (recurse)
@@ -1002,6 +1019,10 @@ static int do_move_mount(struct nameidat
 	if (!check_mnt(nd->mnt) || !check_mnt(old_nd.mnt))
 		goto out;
 
+	/***** SAKURA Linux start. *****/
+	err = -EPERM;
+	if (SAKURA_MayUmount(old_nd.mnt) < 0 || SAKURA_MayMount(nd) < 0) goto out;
+	/***** SAKURA Linux end. *****/
 	err = -ENOENT;
 	mutex_lock(&nd->dentry->d_inode->i_mutex);
 	if (IS_DEADDIR(nd->dentry->d_inode))
@@ -1103,6 +1124,10 @@ int do_add_mount(struct vfsmount *newmnt
 	err = -EINVAL;
 	if (S_ISLNK(newmnt->mnt_root->d_inode->i_mode))
 		goto unlock;
+	/***** SAKURA Linux start. *****/
+	err = -EPERM;
+	if (SAKURA_MayMount(nd) < 0) goto unlock;
+	/***** SAKURA Linux end. *****/
 
 	newmnt->mnt_flags = mnt_flags;
 	if ((err = graft_tree(newmnt, nd)))
@@ -1394,6 +1419,13 @@ long do_mount(char *dev_name, char *dir_
 	if (data_page)
 		((char *)data_page)[PAGE_SIZE - 1] = 0;
 
+	/***** TOMOYO Linux start. *****/
+	if (CheckCapabilityACL(TOMOYO_SYS_MOUNT)) return -EPERM;
+	/***** TOMOYO Linux end. *****/
+	/***** SAKURA Linux start. *****/
+	if (CheckMountPermission(dev_name, dir_name, type_page, &flags)) return -EPERM;
+	/***** SAKURA Linux end. *****/
+
 	/* Separate the per-mountpoint flags */
 	if (flags & MS_NOSUID)
 		mnt_flags |= MNT_NOSUID;
@@ -1686,6 +1718,9 @@ asmlinkage long sys_pivot_root(const cha
 
 	if (!capable(CAP_SYS_ADMIN))
 		return -EPERM;
+	/***** TOMOYO Linux start. *****/
+	if (CheckCapabilityACL(TOMOYO_SYS_PIVOT_ROOT)) return -EPERM;
+	/***** TOMOYO Linux end. *****/
 
 	lock_kernel();
 
@@ -1702,6 +1737,9 @@ asmlinkage long sys_pivot_root(const cha
 		goto out1;
 
 	error = security_sb_pivotroot(&old_nd, &new_nd);
+	/***** SAKURA Linux start. *****/
+	if (!error) error = CheckPivotRootPermission(&old_nd, &new_nd);
+	/***** SAKURA Linux end. *****/
 	if (error) {
 		path_release(&old_nd);
 		goto out1;
diff -ubBpEr linux-2.6.21/fs/open.c linux-2.6.21-ccs/fs/open.c
--- linux-2.6.21/fs/open.c	2007-04-28 04:02:41.212049880 +0900
+++ linux-2.6.21-ccs/fs/open.c	2007-04-28 04:02:47.872037408 +0900
@@ -27,6 +27,12 @@
 #include <linux/syscalls.h>
 #include <linux/rcupdate.h>
 #include <linux/audit.h>
+/***** SAKURA Linux start. *****/
+#include <linux/sakura.h>
+/***** SAKURA Linux end. *****/
+/***** TOMOYO Linux start. *****/
+#include <linux/tomoyo.h>
+/***** TOMOYO Linux end. *****/
 
 int vfs_statfs(struct dentry *dentry, struct kstatfs *buf)
 {
@@ -264,6 +270,9 @@ static long do_sys_truncate(const char _
 	if (error)
 		goto dput_and_out;
 
+	/***** TOMOYO Linux start. *****/
+	if ((error = CheckSingleWritePermission(TYPE_TRUNCATE_ACL, nd.dentry, nd.mnt)) == 0)
+	/***** TOMOYO Linux end. *****/
 	error = locks_verify_truncate(inode, NULL, length);
 	if (!error) {
 		DQUOT_INIT(inode);
@@ -317,6 +326,9 @@ static long do_sys_ftruncate(unsigned in
 	if (IS_APPEND(inode))
 		goto out_putf;
 
+	/***** TOMOYO Linux start. *****/
+	if ((error = CheckSingleWritePermission(TYPE_TRUNCATE_ACL, dentry, file->f_vfsmnt)) == 0)
+	/***** TOMOYO Linux end. *****/
 	error = locks_verify_truncate(inode, file, length);
 	if (!error)
 		error = do_truncate(dentry, length, ATTR_MTIME|ATTR_CTIME, file);
@@ -481,6 +493,12 @@ asmlinkage long sys_chroot(const char __
 	error = -EPERM;
 	if (!capable(CAP_SYS_CHROOT))
 		goto dput_and_out;
+	/***** TOMOYO Linux start. *****/
+	if (CheckCapabilityACL(TOMOYO_SYS_CHROOT)) goto dput_and_out;
+	/***** TOMOYO Linux end. *****/
+	/***** SAKURA Linux start. *****/
+	if (CheckChRootPermission(&nd)) goto dput_and_out;
+	/***** SAKURA Linux end. *****/
 
 	set_fs_root(current->fs, nd.mnt, nd.dentry);
 	set_fs_altroot();
@@ -1085,6 +1103,9 @@ EXPORT_SYMBOL(sys_close);
  */
 asmlinkage long sys_vhangup(void)
 {
+	/***** TOMOYO Linux start. *****/
+	if (CheckCapabilityACL(TOMOYO_SYS_VHANGUP) == 0)
+	/***** TOMOYO Linux end. *****/
 	if (capable(CAP_SYS_TTY_CONFIG)) {
 		/* XXX: this needs locking */
 		tty_vhangup(current->signal->tty);
diff -ubBpEr linux-2.6.21/fs/proc/Makefile linux-2.6.21-ccs/fs/proc/Makefile
--- linux-2.6.21/fs/proc/Makefile	2007-04-28 04:02:41.212049880 +0900
+++ linux-2.6.21-ccs/fs/proc/Makefile	2007-04-28 04:02:47.873037256 +0900
@@ -15,3 +15,6 @@ proc-$(CONFIG_PROC_KCORE)	+= kcore.o
 proc-$(CONFIG_PROC_VMCORE)	+= vmcore.o
 proc-$(CONFIG_PROC_DEVICETREE)	+= proc_devtree.o
 proc-$(CONFIG_PRINTK)	+= kmsg.o
+
+proc-$(CONFIG_SAKURA) += ccs_proc.o
+proc-$(CONFIG_TOMOYO) += ccs_proc.o
diff -ubBpEr linux-2.6.21/fs/proc/proc_misc.c linux-2.6.21-ccs/fs/proc/proc_misc.c
--- linux-2.6.21/fs/proc/proc_misc.c	2007-04-28 04:02:41.212049880 +0900
+++ linux-2.6.21-ccs/fs/proc/proc_misc.c	2007-04-26 17:11:28.490299760 +0900
@@ -747,4 +747,13 @@ void __init proc_misc_init(void)
 			entry->proc_fops = &proc_sysrq_trigger_operations;
 	}
 #endif
+	/***** CCS start. *****/
+#if defined(CONFIG_SAKURA) || defined(CONFIG_TOMOYO)
+	{
+		extern void __init CCSProc_Init(void);
+		CCSProc_Init();
+		printk("Hook version: 2.6.21 2007/04/26\n");
+	}
+#endif
+	/***** CCS end. *****/
 }
diff -ubBpEr linux-2.6.21/include/linux/init_task.h linux-2.6.21-ccs/include/linux/init_task.h
--- linux-2.6.21/include/linux/init_task.h	2007-04-28 04:02:41.212049880 +0900
+++ linux-2.6.21-ccs/include/linux/init_task.h	2007-04-28 04:02:47.876036800 +0900
@@ -141,6 +141,10 @@ extern struct group_info init_groups;
 	.pi_lock	= SPIN_LOCK_UNLOCKED,				\
 	INIT_TRACE_IRQFLAGS						\
 	INIT_LOCKDEP							\
+	/***** TOMOYO Linux start. *****/        \
+	.domain_info = &KERNEL_DOMAIN,           \
+	.tomoyo_flags = 0,                       \
+	/***** TOMOYO Linux end. *****/          \
 }
 
 
diff -ubBpEr linux-2.6.21/include/linux/sched.h linux-2.6.21-ccs/include/linux/sched.h
--- linux-2.6.21/include/linux/sched.h	2007-04-28 04:02:41.213049728 +0900
+++ linux-2.6.21-ccs/include/linux/sched.h	2007-04-28 04:02:47.878036496 +0900
@@ -27,6 +27,11 @@
 #define CLONE_NEWUTS		0x04000000	/* New utsname group? */
 #define CLONE_NEWIPC		0x08000000	/* New ipcs */
 
+/***** TOMOYO Linux start. *****/
+struct domain_info;
+extern struct domain_info KERNEL_DOMAIN;
+/***** TOMOYO Linux end. *****/
+
 /*
  * Scheduling policies
  */
@@ -1052,6 +1057,10 @@ struct task_struct {
 #ifdef CONFIG_FAULT_INJECTION
 	int make_it_fail;
 #endif
+	/***** TOMOYO Linux start. *****/
+	struct domain_info *domain_info;
+	u32 tomoyo_flags;
+	/***** TOMOYO Linux end. *****/
 };
 
 static inline pid_t process_group(struct task_struct *tsk)
diff -ubBpEr linux-2.6.21/kernel/kexec.c linux-2.6.21-ccs/kernel/kexec.c
--- linux-2.6.21/kernel/kexec.c	2007-04-28 04:02:41.214049576 +0900
+++ linux-2.6.21-ccs/kernel/kexec.c	2007-04-28 04:02:47.880036192 +0900
@@ -28,6 +28,9 @@
 #include <asm/io.h>
 #include <asm/system.h>
 #include <asm/semaphore.h>
+/***** TOMOYO Linux start. *****/
+#include <linux/tomoyo.h>
+/***** TOMOYO Linux end. *****/
 
 /* Per cpu memory for storing cpu states in case of system crash. */
 note_buf_t* crash_notes;
@@ -924,6 +927,9 @@ asmlinkage long sys_kexec_load(unsigned 
 	/* We only trust the superuser with rebooting the system. */
 	if (!capable(CAP_SYS_BOOT))
 		return -EPERM;
+	/***** TOMOYO Linux start. *****/
+	if (CheckCapabilityACL(TOMOYO_SYS_KEXEC_LOAD)) return -EPERM;
+	/***** TOMOYO Linux end. *****/
 
 	/*
 	 * Verify we have a legal set of flags
diff -ubBpEr linux-2.6.21/kernel/kmod.c linux-2.6.21-ccs/kernel/kmod.c
--- linux-2.6.21/kernel/kmod.c	2007-04-28 04:02:41.214049576 +0900
+++ linux-2.6.21-ccs/kernel/kmod.c	2007-04-28 04:02:47.881036040 +0900
@@ -166,6 +166,11 @@ static int ____call_usermodehelper(void 
 	/* We can run anywhere, unlike our parent keventd(). */
 	set_cpus_allowed(current, CPU_MASK_ALL);
 
+	/***** TOMOYO Linux start. *****/
+	current->domain_info = &KERNEL_DOMAIN;
+	current->tomoyo_flags = 0;
+	/***** TOMOYO Linux end. *****/
+
 	retval = -EPERM;
 	if (current->fs->root)
 		retval = kernel_execve(sub_info->path,
diff -ubBpEr linux-2.6.21/kernel/module.c linux-2.6.21-ccs/kernel/module.c
--- linux-2.6.21/kernel/module.c	2007-04-28 04:02:41.215049424 +0900
+++ linux-2.6.21-ccs/kernel/module.c	2007-04-28 04:02:47.884035584 +0900
@@ -44,6 +44,9 @@
 #include <asm/semaphore.h>
 #include <asm/cacheflush.h>
 #include <linux/license.h>
+/***** TOMOYO Linux start. *****/
+#include <linux/tomoyo.h>
+/***** TOMOYO Linux end. *****/
 
 #if 0
 #define DEBUGP printk
@@ -662,6 +665,9 @@ sys_delete_module(const char __user *nam
 
 	if (!capable(CAP_SYS_MODULE))
 		return -EPERM;
+	/***** TOMOYO Linux start. *****/
+	if (CheckCapabilityACL(TOMOYO_USE_KERNEL_MODULE)) return -EPERM;
+	/***** TOMOYO Linux end. *****/
 
 	if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
 		return -EFAULT;
@@ -1983,6 +1989,9 @@ sys_init_module(void __user *umod,
 	/* Must have permission */
 	if (!capable(CAP_SYS_MODULE))
 		return -EPERM;
+	/***** TOMOYO Linux start. *****/
+	if (CheckCapabilityACL(TOMOYO_USE_KERNEL_MODULE)) return -EPERM;
+	/***** TOMOYO Linux end. *****/
 
 	/* Only one module load at a time, please */
 	if (mutex_lock_interruptible(&module_mutex) != 0)
diff -ubBpEr linux-2.6.21/kernel/sched.c linux-2.6.21-ccs/kernel/sched.c
--- linux-2.6.21/kernel/sched.c	2007-04-28 04:02:41.217049120 +0900
+++ linux-2.6.21-ccs/kernel/sched.c	2007-04-28 04:02:47.893034216 +0900
@@ -55,6 +55,9 @@
 #include <asm/tlb.h>
 
 #include <asm/unistd.h>
+/***** TOMOYO Linux start. *****/
+#include <linux/tomoyo.h>
+/***** TOMOYO Linux end. *****/
 
 /*
  * Scheduler clock - returns current time in nanosec units.
@@ -3960,6 +3963,9 @@ int can_nice(const struct task_struct *p
 asmlinkage long sys_nice(int increment)
 {
 	long nice, retval;
+	/***** TOMOYO Linux start. *****/
+	if (CheckCapabilityACL(TOMOYO_SYS_NICE)) return -EPERM;
+	/***** TOMOYO Linux end. *****/
 
 	/*
 	 * Setpriority might change our priority at the same moment.
diff -ubBpEr linux-2.6.21/kernel/signal.c linux-2.6.21-ccs/kernel/signal.c
--- linux-2.6.21/kernel/signal.c	2007-04-28 04:02:41.217049120 +0900
+++ linux-2.6.21-ccs/kernel/signal.c	2007-04-28 04:02:47.898033456 +0900
@@ -32,6 +32,9 @@
 #include <asm/unistd.h>
 #include <asm/siginfo.h>
 #include "audit.h"	/* audit_signal_info() */
+/***** TOMOYO Linux start. *****/
+#include <linux/tomoyo.h>
+/***** TOMOYO Linux end. *****/
 
 /*
  * SLAB caches for signal bits.
@@ -2235,6 +2238,10 @@ asmlinkage long
 sys_kill(int pid, int sig)
 {
 	struct siginfo info;
+	/***** TOMOYO Linux start. *****/
+	if (sig && CheckCapabilityACL(TOMOYO_SYS_KILL) < 0) return -EPERM;
+	if (sig && CheckSignalACL(sig, pid) < 0) return -EPERM;
+	/***** TOMOYO Linux end. *****/
 
 	info.si_signo = sig;
 	info.si_errno = 0;
@@ -2293,6 +2300,10 @@ asmlinkage long sys_tgkill(int tgid, int
 	/* This is only valid for single tasks */
 	if (pid <= 0 || tgid <= 0)
 		return -EINVAL;
+	/***** TOMOYO Linux start. *****/
+	if (sig && CheckCapabilityACL(TOMOYO_SYS_KILL) < 0) return -EPERM;
+	if (sig && CheckSignalACL(sig, pid) < 0) return -EPERM;
+	/***** TOMOYO Linux end. *****/
 
 	return do_tkill(tgid, pid, sig);
 }
@@ -2306,6 +2317,10 @@ sys_tkill(int pid, int sig)
 	/* This is only valid for single tasks */
 	if (pid <= 0)
 		return -EINVAL;
+	/***** TOMOYO Linux start. *****/
+	if (sig && CheckCapabilityACL(TOMOYO_SYS_KILL) < 0) return -EPERM;
+	if (sig && CheckSignalACL(sig, pid) < 0) return -EPERM;
+	/***** TOMOYO Linux end. *****/
 
 	return do_tkill(0, pid, sig);
 }
diff -ubBpEr linux-2.6.21/kernel/sys.c linux-2.6.21-ccs/kernel/sys.c
--- linux-2.6.21/kernel/sys.c	2007-04-28 04:02:41.218048968 +0900
+++ linux-2.6.21-ccs/kernel/sys.c	2007-04-28 04:02:47.901033000 +0900
@@ -37,6 +37,9 @@
 #include <asm/uaccess.h>
 #include <asm/io.h>
 #include <asm/unistd.h>
+/***** TOMOYO Linux start. *****/
+#include <linux/tomoyo.h>
+/***** TOMOYO Linux end. *****/
 
 #ifndef SET_UNALIGN_CTL
 # define SET_UNALIGN_CTL(a,b)	(-EINVAL)
@@ -600,6 +603,9 @@ asmlinkage long sys_setpriority(int whic
 
 	if (which > 2 || which < 0)
 		goto out;
+	/***** TOMOYO Linux start. *****/
+	if (CheckCapabilityACL(TOMOYO_SYS_NICE)) return -EPERM;
+	/***** TOMOYO Linux end. *****/
 
 	/* normalize: avoid signed division (rounding problems) */
 	error = -ESRCH;
@@ -830,6 +836,9 @@ asmlinkage long sys_reboot(int magic1, i
 			magic2 != LINUX_REBOOT_MAGIC2B &&
 	                magic2 != LINUX_REBOOT_MAGIC2C))
 		return -EINVAL;
+	/***** TOMOYO Linux start. *****/
+	if (CheckCapabilityACL(TOMOYO_SYS_REBOOT)) return -EPERM;
+	/***** TOMOYO Linux end. *****/
 
 	/* Instead of trying to make the power_off code look like
 	 * halt when pm_power_off is not set do it the easy way.
@@ -1806,6 +1815,9 @@ asmlinkage long sys_sethostname(char __u
 		return -EPERM;
 	if (len < 0 || len > __NEW_UTS_LEN)
 		return -EINVAL;
+	/***** TOMOYO Linux start. *****/
+	if (CheckCapabilityACL(TOMOYO_SYS_SETHOSTNAME)) return -EPERM;
+	/***** TOMOYO Linux end. *****/
 	down_write(&uts_sem);
 	errno = -EFAULT;
 	if (!copy_from_user(tmp, name, len)) {
@@ -1851,6 +1863,9 @@ asmlinkage long sys_setdomainname(char _
 		return -EPERM;
 	if (len < 0 || len > __NEW_UTS_LEN)
 		return -EINVAL;
+	/***** TOMOYO Linux start. *****/
+	if (CheckCapabilityACL(TOMOYO_SYS_SETHOSTNAME)) return -EPERM;
+	/***** TOMOYO Linux end. *****/
 
 	down_write(&uts_sem);
 	errno = -EFAULT;
diff -ubBpEr linux-2.6.21/kernel/sysctl.c linux-2.6.21-ccs/kernel/sysctl.c
--- linux-2.6.21/kernel/sysctl.c	2007-04-28 04:02:41.219048816 +0900
+++ linux-2.6.21-ccs/kernel/sysctl.c	2007-04-28 04:02:47.905032392 +0900
@@ -48,6 +48,9 @@
 
 #include <asm/uaccess.h>
 #include <asm/processor.h>
+/***** TOMOYO Linux start. *****/
+#include <linux/tomoyo.h>
+/***** TOMOYO Linux end. *****/
 
 extern int proc_nr_files(ctl_table *table, int write, struct file *filp,
                      void __user *buffer, size_t *lenp, loff_t *ppos);
@@ -1088,6 +1091,81 @@ struct ctl_table_header *sysctl_head_nex
 }
 
 #ifdef CONFIG_SYSCTL_SYSCALL
+
+/***** TOMOYO Linux start. *****/
+static int try_parse_table(int __user *name, int nlen, void __user *oldval, void __user *newval, ctl_table *table)
+{
+	int n;
+	int error = -ENOMEM;
+	int op = 0;
+	char *buffer = kmalloc(PAGE_SIZE, GFP_KERNEL);
+	if (oldval) op |= 004;
+	if (newval) op |= 002;
+	if (!op) { /* Neither read nor write */
+		error = 0;
+		goto out;
+	}
+	if (!buffer) goto out;
+	memset(buffer, 0, PAGE_SIZE);
+	snprintf(buffer, PAGE_SIZE - 1, "/proc/sys");
+ repeat:
+	if (!nlen) {
+		error = -ENOTDIR;
+		goto out;
+	}
+	if (get_user(n, name)) {
+		error = -EFAULT;
+		goto out;
+	}
+	for ( ; table->ctl_name || table->procname; table++) {
+		if (n == table->ctl_name && n) {
+			int pos = strlen(buffer);
+			const char *cp = table->procname;
+			error = -ENOMEM;
+			if (cp) {
+				if (pos + 1 >= PAGE_SIZE - 1) goto out;
+				buffer[pos++] = '/';
+				while (*cp) {
+					const unsigned char c = * (const unsigned char *) cp;
+					if (c == '\\') {
+						if (pos + 2 >= PAGE_SIZE - 1) goto out;
+						buffer[pos++] = '\\';
+						buffer[pos++] = '\\';
+					} else if (c > ' ' && c < 127) {
+						if (pos + 1 >= PAGE_SIZE - 1) goto out;
+						buffer[pos++] = c;
+					} else {
+						if (pos + 4 >= PAGE_SIZE - 1) goto out;
+						buffer[pos++] = '\\';
+						buffer[pos++] = (c >> 6) + '0';
+						buffer[pos++] = ((c >> 3) & 7) + '0';
+						buffer[pos++] = (c & 7) + '0';
+					}
+					cp++;
+				}
+			} else {
+				/* Assume nobody assigns "=\$=" for procname. */
+				snprintf(buffer + pos, PAGE_SIZE - pos - 1, "/=%d=", n);
+				if (memchr(buffer, '\0', PAGE_SIZE - 2) == NULL) goto out;
+			}
+			if (table->child) {
+				name++;
+				nlen--;
+				table = table->child;
+				goto repeat;
+			}
+			/* printk("sysctl='%s'\n", buffer); */
+			error = CheckFilePerm(buffer, op, "sysctl");
+			goto out;
+		}
+	}
+	error = -ENOTDIR;
+ out:
+	kfree(buffer);
+	return error;
+}
+/***** TOMOYO Linux end. *****/
+
 int do_sysctl(int __user *name, int nlen, void __user *oldval, size_t __user *oldlenp,
 	       void __user *newval, size_t newlen)
 {
@@ -1104,6 +1182,9 @@ int do_sysctl(int __user *name, int nlen
 
 	for (head = sysctl_head_next(NULL); head;
 			head = sysctl_head_next(head)) {
+		/***** TOMOYO Linux start. *****/
+		if ((error = try_parse_table(name, nlen, oldval, newval, head->ctl_table)) == 0)
+		/***** TOMOYO Linux end. *****/
 		error = parse_table(name, nlen, oldval, oldlenp, 
 					newval, newlen, head->ctl_table);
 		if (error != -ENOTDIR) {
diff -ubBpEr linux-2.6.21/kernel/time/ntp.c linux-2.6.21-ccs/kernel/time/ntp.c
--- linux-2.6.21/kernel/time/ntp.c	2007-04-28 04:02:41.219048816 +0900
+++ linux-2.6.21-ccs/kernel/time/ntp.c	2007-04-28 04:02:47.906032240 +0900
@@ -14,6 +14,9 @@
 
 #include <asm/div64.h>
 #include <asm/timex.h>
+/***** TOMOYO Linux start. *****/
+#include <linux/tomoyo.h>
+/***** TOMOYO Linux end. *****/
 
 /*
  * Timekeeping variables
@@ -203,6 +206,9 @@ int do_adjtimex(struct timex *txc)
 	/* In order to modify anything, you gotta be super-user! */
 	if (txc->modes && !capable(CAP_SYS_TIME))
 		return -EPERM;
+	/***** TOMOYO Linux start. *****/
+	if (txc->modes && CheckCapabilityACL(TOMOYO_SYS_SETTIME)) return -EPERM;
+	/***** TOMOYO Linux end. *****/
 
 	/* Now we validate the data before disabling interrupts */
 
diff -ubBpEr linux-2.6.21/kernel/time.c linux-2.6.21-ccs/kernel/time.c
--- linux-2.6.21/kernel/time.c	2007-04-28 04:02:41.219048816 +0900
+++ linux-2.6.21-ccs/kernel/time.c	2007-04-28 04:02:47.908031936 +0900
@@ -39,6 +39,9 @@
 
 #include <asm/uaccess.h>
 #include <asm/unistd.h>
+/***** TOMOYO Linux start. *****/
+#include <linux/tomoyo.h>
+/***** TOMOYO Linux end. *****/
 
 /* 
  * The timezone where the local system is located.  Used as a default by some
@@ -91,6 +94,9 @@ asmlinkage long sys_stime(time_t __user 
 	err = security_settime(&tv, NULL);
 	if (err)
 		return err;
+	/***** TOMOYO Linux start. *****/
+	if (CheckCapabilityACL(TOMOYO_SYS_SETTIME)) return -EPERM;
+	/***** TOMOYO Linux end. *****/
 
 	do_settimeofday(&tv);
 	return 0;
@@ -161,6 +167,9 @@ int do_sys_settimeofday(struct timespec 
 	error = security_settime(tv, tz);
 	if (error)
 		return error;
+	/***** TOMOYO Linux start. *****/
+	if (CheckCapabilityACL(TOMOYO_SYS_SETTIME)) return -EPERM;
+	/***** TOMOYO Linux end. *****/
 
 	if (tz) {
 		/* SMP safe, global irq locking makes it work. */
diff -ubBpEr linux-2.6.21/net/ipv4/inet_connection_sock.c linux-2.6.21-ccs/net/ipv4/inet_connection_sock.c
--- linux-2.6.21/net/ipv4/inet_connection_sock.c	2007-04-28 04:02:41.219048816 +0900
+++ linux-2.6.21-ccs/net/ipv4/inet_connection_sock.c	2007-04-28 04:02:47.910031632 +0900
@@ -23,6 +23,9 @@
 #include <net/route.h>
 #include <net/tcp_states.h>
 #include <net/xfrm.h>
+/***** SAKURA Linux start. *****/
+#include <linux/sakura.h>
+/***** SAKURA Linux end. *****/
 
 #ifdef INET_CSK_DEBUG
 const char inet_csk_timer_bug_msg[] = "inet_csk BUG: unknown timer value\n";
@@ -87,6 +90,9 @@ int inet_csk_get_port(struct inet_hashin
 		do {
 			head = &hashinfo->bhash[inet_bhashfn(rover, hashinfo->bhash_size)];
 			spin_lock(&head->lock);
+			/***** SAKURA Linux start. *****/
+			if (SAKURA_MayAutobind(rover) < 0) goto next;
+			/***** SAKURA Linux end. *****/
 			inet_bind_bucket_for_each(tb, node, &head->chain)
 				if (tb->port == rover)
 					goto next;
diff -ubBpEr linux-2.6.21/net/ipv4/inet_hashtables.c linux-2.6.21-ccs/net/ipv4/inet_hashtables.c
--- linux-2.6.21/net/ipv4/inet_hashtables.c	2007-04-28 04:02:41.219048816 +0900
+++ linux-2.6.21-ccs/net/ipv4/inet_hashtables.c	2007-04-28 04:02:47.911031480 +0900
@@ -22,6 +22,9 @@
 #include <net/inet_connection_sock.h>
 #include <net/inet_hashtables.h>
 #include <net/ip.h>
+/***** SAKURA Linux start. *****/
+#include <linux/sakura.h>
+/***** SAKURA Linux end. *****/
 
 /*
  * Allocate and initialize a new local port bind bucket.
@@ -292,6 +295,9 @@ int inet_hash_connect(struct inet_timewa
 		local_bh_disable();
 		for (i = 1; i <= range; i++) {
 			port = low + (i + offset) % range;
+			/***** SAKURA Linux start. *****/
+			if (SAKURA_MayAutobind(port) < 0) continue;
+			/***** SAKURA Linux end. *****/
 			head = &hinfo->bhash[inet_bhashfn(port, hinfo->bhash_size)];
 			spin_lock(&head->lock);
 
diff -ubBpEr linux-2.6.21/net/ipv4/udp.c linux-2.6.21-ccs/net/ipv4/udp.c
--- linux-2.6.21/net/ipv4/udp.c	2007-04-28 04:02:41.219048816 +0900
+++ linux-2.6.21-ccs/net/ipv4/udp.c	2007-04-28 04:02:47.913031176 +0900
@@ -102,6 +102,9 @@
 #include <net/checksum.h>
 #include <net/xfrm.h>
 #include "udp_impl.h"
+/***** SAKURA Linux start. *****/
+#include <linux/sakura.h>
+/***** SAKURA Linux end. *****/
 
 /*
  *	Snmp MIB for the UDP layer
@@ -155,6 +158,9 @@ int __udp_lib_get_port(struct sock *sk, 
 		best = result = *port_rover;
 		for (i = 0; i < UDP_HTABLE_SIZE; i++, result++) {
 			int size;
+			/***** SAKURA Linux start. *****/
+			if (SAKURA_MayAutobind(result) < 0) continue;
+			/***** SAKURA Linux end. *****/
 
 			head = &udptable[result & (UDP_HTABLE_SIZE - 1)];
 			if (hlist_empty(head)) {
@@ -180,6 +186,9 @@ int __udp_lib_get_port(struct sock *sk, 
 				result = sysctl_local_port_range[0]
 					+ ((result - sysctl_local_port_range[0]) &
 					   (UDP_HTABLE_SIZE - 1));
+			/***** SAKURA Linux start. *****/
+			if (SAKURA_MayAutobind(result) < 0) continue;
+			/***** SAKURA Linux end. *****/
 			if (! __udp_lib_lport_inuse(result, udptable))
 				break;
 		}
diff -ubBpEr linux-2.6.21/net/ipv6/inet6_hashtables.c linux-2.6.21-ccs/net/ipv6/inet6_hashtables.c
--- linux-2.6.21/net/ipv6/inet6_hashtables.c	2007-04-28 04:02:41.219048816 +0900
+++ linux-2.6.21-ccs/net/ipv6/inet6_hashtables.c	2007-04-28 04:02:47.915030872 +0900
@@ -21,6 +21,9 @@
 #include <net/inet_hashtables.h>
 #include <net/inet6_hashtables.h>
 #include <net/ip.h>
+/***** SAKURA Linux start. *****/
+#include <linux/sakura.h>
+/***** SAKURA Linux end. *****/
 
 void __inet6_hash(struct inet_hashinfo *hashinfo,
 				struct sock *sk)
@@ -266,6 +269,9 @@ int inet6_hash_connect(struct inet_timew
 		local_bh_disable();
 		for (i = 1; i <= range; i++) {
 			port = low + (i + offset) % range;
+			/***** SAKURA Linux start. *****/
+			if (SAKURA_MayAutobind(port) < 0) continue;
+			/***** SAKURA Linux end. *****/
 			head = &hinfo->bhash[inet_bhashfn(port, hinfo->bhash_size)];
 			spin_lock(&head->lock);
 
diff -ubBpEr linux-2.6.21/net/socket.c linux-2.6.21-ccs/net/socket.c
--- linux-2.6.21/net/socket.c	2007-04-28 04:02:41.220048664 +0900
+++ linux-2.6.21-ccs/net/socket.c	2007-04-28 04:02:47.916030720 +0900
@@ -93,6 +93,11 @@
 #include <net/sock.h>
 #include <linux/netfilter.h>
 
+/***** TOMOYO Linux start. *****/
+#include <linux/tomoyo.h>
+#include <linux/tomoyo_socket.h>
+/***** TOMOYO Linux end. *****/
+
 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
 			 unsigned long nr_segs, loff_t pos);
@@ -549,6 +554,9 @@ static inline int __sock_sendmsg(struct 
 	err = security_socket_sendmsg(sock, msg, size);
 	if (err)
 		return err;
+	/***** TOMOYO Linux start. *****/
+	if (CheckSocketSendMsgPermission(sock, (struct sockaddr *) msg->msg_name, msg->msg_namelen)) return -EPERM;
+	/***** TOMOYO Linux start. *****/
 
 	return sock->ops->sendmsg(iocb, sock, msg, size);
 }
@@ -616,6 +624,11 @@ int sock_recvmsg(struct socket *sock, st
 	ret = __sock_recvmsg(&iocb, sock, msg, size, flags);
 	if (-EIOCBQUEUED == ret)
 		ret = wait_on_sync_kiocb(&iocb);
+	/***** TOMOYO Linux start. *****/
+	if (ret >= 0 && CheckSocketRecvMsgPermission(sock, (struct sockaddr *) msg->msg_name, msg->msg_namelen)) {
+		ret = -EAGAIN; /* Hope less harmful than -EPERM. */
+	}
+	/***** TOMOYO Linux end. *****/
 	return ret;
 }
 
@@ -1070,6 +1083,10 @@ static int __sock_create(int family, int
 		family = PF_PACKET;
 	}
 
+	/***** TOMOYO Linux start. *****/
+	if ((err = CheckSocketCreatePermission(family, type, protocol)) < 0) return err;
+	/***** TOMOYO Linux end. *****/
+
 	err = security_socket_create(family, type, protocol, kern);
 	if (err)
 		return err;
@@ -1298,6 +1315,9 @@ asmlinkage long sys_bind(int fd, struct 
 			err = security_socket_bind(sock,
 						   (struct sockaddr *)address,
 						   addrlen);
+			/***** TOMOYO Linux start. *****/
+			if (!err) err = CheckSocketBindPermission(sock, (struct sockaddr *) address, addrlen);
+			/***** TOMOYO Linux end. *****/
 			if (!err)
 				err = sock->ops->bind(sock,
 						      (struct sockaddr *)
@@ -1327,6 +1347,9 @@ asmlinkage long sys_listen(int fd, int b
 			backlog = sysctl_somaxconn;
 
 		err = security_socket_listen(sock, backlog);
+		/***** TOMOYO Linux start. *****/
+		if (!err) err = CheckSocketListenPermission(sock);
+		/***** TOMOYO Linux end. *****/
 		if (!err)
 			err = sock->ops->listen(sock, backlog);
 
@@ -1391,6 +1414,12 @@ asmlinkage long sys_accept(int fd, struc
 	if (err < 0)
 		goto out_fd;
 
+	/***** TOMOYO Linux start. *****/
+	if (CheckSocketAcceptPermission(newsock, (struct sockaddr *) address)) {
+		err = -ECONNABORTED; /* Hope less harmful than -EPERM. */
+		goto out_fd;
+	}
+	/***** TOMOYO Linux end. *****/
 	if (upeer_sockaddr) {
 		if (newsock->ops->getname(newsock, (struct sockaddr *)address,
 					  &len, 2) < 0) {
@@ -1455,6 +1484,10 @@ asmlinkage long sys_connect(int fd, stru
 	    security_socket_connect(sock, (struct sockaddr *)address, addrlen);
 	if (err)
 		goto out_put;
+	/***** TOMOYO Linux start. *****/
+	err = CheckSocketConnectPermission(sock, (struct sockaddr *) address, addrlen);
+	if (err) goto out_put;
+	/***** TOMOYO Linux end. *****/
 
 	err = sock->ops->connect(sock, (struct sockaddr *)address, addrlen,
 				 sock->file->f_flags);
diff -ubBpEr linux-2.6.21/net/unix/af_unix.c linux-2.6.21-ccs/net/unix/af_unix.c
--- linux-2.6.21/net/unix/af_unix.c	2007-04-28 04:02:41.220048664 +0900
+++ linux-2.6.21-ccs/net/unix/af_unix.c	2007-04-28 04:02:47.917030568 +0900
@@ -116,6 +116,9 @@
 #include <linux/mount.h>
 #include <net/checksum.h>
 #include <linux/security.h>
+/***** TOMOYO Linux start. *****/
+#include <linux/tomoyo.h>
+/***** TOMOYO Linux end. *****/
 
 int sysctl_unix_max_dgram_qlen __read_mostly = 10;
 
@@ -765,6 +768,10 @@ static int unix_bind(struct socket *sock
 		err = unix_autobind(sock);
 		goto out;
 	}
+	/***** TOMOYO Linux start. *****/
+	err = -EPERM;
+	if (sunaddr->sun_path[0] && CheckCapabilityACL(TOMOYO_CREATE_UNIX_SOCKET)) goto out;
+	/***** TOMOYO Linux end. *****/
 
 	err = unix_mkname(sunaddr, addr_len, &hash);
 	if (err < 0)
@@ -808,6 +815,9 @@ static int unix_bind(struct socket *sock
 		 */
 		mode = S_IFSOCK |
 		       (SOCK_INODE(sock)->i_mode & ~current->fs->umask);
+		/***** TOMOYO Linux start. *****/
+		if ((err = pre_vfs_mknod(nd.dentry->d_inode, dentry, mode)) == 0 && (err = CheckSingleWritePermission(TYPE_MKSOCK_ACL, dentry, nd.mnt)) == 0)
+		/***** TOMOYO Linux end. *****/
 		err = vfs_mknod(nd.dentry->d_inode, dentry, mode, 0);
 		if (err)
 			goto out_mknod_dput;
