=== fs/utimes.c
==================================================================
--- fs/utimes.c	(revision 2367)
+++ fs/utimes.c	(local)
@@ -27,12 +27,6 @@
 {
 	struct timespec tv[2];
 
-#ifdef CONFIG_RSBAC
-	enum  rsbac_target_t          rsbac_target;
-	union rsbac_target_id_t       rsbac_target_id;
-	union rsbac_attribute_value_t rsbac_attribute_value;
-#endif
-
 	if (times) {
 		if (get_user(tv[0].tv_sec, &times->actime) ||
 		    get_user(tv[1].tv_sec, &times->modtime))
=== include/rsbac/aci_data_structures.h
==================================================================
--- include/rsbac/aci_data_structures.h	(revision 2367)
+++ include/rsbac/aci_data_structures.h	(local)
@@ -2,7 +2,7 @@
 /* Rule Set Based Access Control      */
 /* Author and (c) 1999-2007: Amon Ott */
 /* Data structures                    */
-/* Last modified: 16/Feb/2007         */
+/* Last modified: 17/Sep/2007         */
 /**************************************/
 
 #ifndef __RSBAC_DATA_STRUC_H
@@ -120,7 +120,7 @@
 };
 #endif
 
-#define RSBAC_GEN_FD_ACI_VERSION 7
+#define RSBAC_GEN_FD_ACI_VERSION 8
 #define RSBAC_GEN_FD_ACI_KEY 1001
 struct rsbac_gen_fd_aci_t {
 	rsbac_log_array_t log_array_low;	/* file/dir based logging, */
@@ -133,6 +133,7 @@
 	rsbac_enum_t linux_dac_disable;
 	rsbac_fake_root_uid_int_t fake_root_uid;
 	rsbac_uid_t auid_exempt;
+	rsbac_um_set_t vset;
 };
 #define DEFAULT_GEN_FD_ACI \
     { \
@@ -145,6 +146,7 @@
       .linux_dac_disable = LDD_inherit, \
       .fake_root_uid = FR_off, \
       .auid_exempt = RSBAC_NO_USER, \
+      .vset = RSBAC_UM_VIRTUAL_KEEP, \
     }
 
 #define DEFAULT_GEN_ROOT_DIR_ACI \
@@ -158,22 +160,23 @@
       .linux_dac_disable = LDD_false, \
       .fake_root_uid = FR_off, \
       .auid_exempt = RSBAC_NO_USER, \
+      .vset = RSBAC_UM_VIRTUAL_KEEP, \
     }
 
-#define RSBAC_GEN_FD_OLD_ACI_VERSION 6
+#define RSBAC_GEN_FD_OLD_ACI_VERSION 7
 struct rsbac_gen_fd_old_aci_t {
 	rsbac_log_array_t log_array_low;	/* file/dir based logging, */
 	rsbac_log_array_t log_array_high;	/* high and low bits */
 	rsbac_request_vector_t log_program_based;	/* Program based logging */
+	rsbac_enum_t symlink_add_remote_ip;
 	rsbac_enum_t symlink_add_uid;
 	rsbac_enum_t symlink_add_mac_level;
 	rsbac_enum_t symlink_add_rc_role;
 	rsbac_enum_t linux_dac_disable;
 	rsbac_fake_root_uid_int_t fake_root_uid;
-	rsbac_uid_t auid_exempt;
+	rsbac_old_uid_t auid_exempt;
 };
-
-#define RSBAC_GEN_FD_OLD_OLD_ACI_VERSION 5
+#define RSBAC_GEN_FD_OLD_OLD_ACI_VERSION 6
 struct rsbac_gen_fd_old_old_aci_t {
 	rsbac_log_array_t log_array_low;	/* file/dir based logging, */
 	rsbac_log_array_t log_array_high;	/* high and low bits */
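Review bot: `struct rsbac_gen_fd_old_aci_t` and `struct rsbac_gen_fd_old_old_aci_t` now have to reproduce the version 7 and version 6 on-disk records byte for byte, and nothing in the header states or checks that. Their `auid_exempt` members have the right width only because `rsbac_old_uid_t` is redefined from `__u16` to `__u32` in include/rsbac/types.h in this same change, so a later edit to that typedef would silently corrupt the upgrade of stored file attributes. A comment on each frozen struct would record the coupling, e.g. `/* on-disk layout of version 7, frozen: auid_exempt is a 32 bit uid without virtual set */`. Naming the structs by version number instead of by `OLD_OLD_...` chains would also stop every release from shifting all of the names. The conversion routines are not part of this diff, and `rsbac_gen_fd_old_old_aci_t` continues past the end of this hunk.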
@@ -183,9 +186,10 @@
 	rsbac_enum_t symlink_add_rc_role;
 	rsbac_enum_t linux_dac_disable;
 	rsbac_fake_root_uid_int_t fake_root_uid;
+	rsbac_old_uid_t auid_exempt;
 };
 
-#define RSBAC_GEN_FD_OLD_OLD_OLD_ACI_VERSION 4
+#define RSBAC_GEN_FD_OLD_OLD_OLD_ACI_VERSION 5
 struct rsbac_gen_fd_old_old_old_aci_t {
 	rsbac_log_array_t log_array_low;	/* file/dir based logging, */
 	rsbac_log_array_t log_array_high;	/* high and low bits */
@@ -194,6 +198,7 @@
 	rsbac_enum_t symlink_add_mac_level;
 	rsbac_enum_t symlink_add_rc_role;
 	rsbac_enum_t linux_dac_disable;
+	rsbac_fake_root_uid_int_t fake_root_uid;
 };
 
 #if defined(CONFIG_RSBAC_MAC)
@@ -432,7 +437,7 @@
     }
 #endif
 
-#define RSBAC_FD_NR_ATTRIBUTES 33
+#define RSBAC_FD_NR_ATTRIBUTES 34
 #define RSBAC_FD_ATTR_LIST { \
       A_security_level, \
       A_mac_categories, \
@@ -466,7 +471,8 @@
       A_pax_flags, \
       A_fake_root_uid, \
       A_auid_exempt, \
-      A_daz_do_scan \
+      A_daz_do_scan, \
+      A_vset \
       }
 
 #ifdef __KERNEL__
@@ -719,7 +725,8 @@
 #define RSBAC_PAX_ACI_USER_NAME   "u_pax"
 #define RSBAC_RES_ACI_USER_NAME   "u_res"
 
-#define RSBAC_GEN_USER_ACI_VERSION 1
+#define RSBAC_GEN_USER_ACI_VERSION 2
+#define RSBAC_GEN_USER_OLD_ACI_VERSION 1
 #define RSBAC_GEN_USER_ACI_KEY 1001
 struct rsbac_gen_user_aci_t {
 	rsbac_pseudo_t pseudo;
@@ -732,10 +739,11 @@
     }
 
 #if defined(CONFIG_RSBAC_MAC)
-#define RSBAC_MAC_USER_ACI_VERSION 4
-#define RSBAC_MAC_USER_OLD_ACI_VERSION 3
-#define RSBAC_MAC_USER_OLD_OLD_ACI_VERSION 2
-#define RSBAC_MAC_USER_OLD_OLD_OLD_ACI_VERSION 1
+#define RSBAC_MAC_USER_ACI_VERSION 5
+#define RSBAC_MAC_USER_OLD_ACI_VERSION 4
+#define RSBAC_MAC_USER_OLD_OLD_ACI_VERSION 3
+#define RSBAC_MAC_USER_OLD_OLD_OLD_ACI_VERSION 2
+#define RSBAC_MAC_USER_OLD_OLD_OLD_OLD_ACI_VERSION 1
 #define RSBAC_MAC_USER_ACI_KEY 1001
 struct rsbac_mac_user_aci_t {
 	rsbac_security_level_t security_level;	/* maximum level */
@@ -814,7 +822,8 @@
 #endif
 
 #if defined(CONFIG_RSBAC_PM)
-#define RSBAC_PM_USER_ACI_VERSION 1
+#define RSBAC_PM_USER_ACI_VERSION 2
+#define RSBAC_PM_USER_OLD_ACI_VERSION 1
 #define RSBAC_PM_USER_ACI_KEY 1001
 struct rsbac_pm_user_aci_t {
 	rsbac_pm_task_set_id_t pm_task_set;
@@ -848,18 +857,21 @@
 #endif
 
 #if defined(CONFIG_RSBAC_DAZ)
-#define RSBAC_DAZ_USER_ACI_VERSION 1
+#define RSBAC_DAZ_USER_ACI_VERSION 2
+#define RSBAC_DAZ_USER_OLD_ACI_VERSION 1
 #define RSBAC_DAZ_USER_ACI_KEY 1001
 #endif
 
 #if defined(CONFIG_RSBAC_FF)
-#define RSBAC_FF_USER_ACI_VERSION 1
+#define RSBAC_FF_USER_ACI_VERSION 2
+#define RSBAC_FF_USER_OLD_ACI_VERSION 1
 #define RSBAC_FF_USER_ACI_KEY 1001
 #endif
 
 #if defined(CONFIG_RSBAC_RC)
-#define RSBAC_RC_USER_ACI_VERSION 2
-#define RSBAC_RC_USER_OLD_ACI_VERSION 1
+#define RSBAC_RC_USER_ACI_VERSION 3
+#define RSBAC_RC_USER_OLD_ACI_VERSION 2
+#define RSBAC_RC_USER_OLD_OLD_ACI_VERSION 1
 #define RSBAC_RC_USER_ACI_KEY 1001
 struct rsbac_rc_user_aci_t {
 	rsbac_rc_role_id_t rc_role;
@@ -888,14 +900,16 @@
 #endif
 
 #if defined(CONFIG_RSBAC_AUTH)
-#define RSBAC_AUTH_USER_ACI_VERSION 1
+#define RSBAC_AUTH_USER_ACI_VERSION 2
+#define RSBAC_AUTH_USER_OLD_ACI_VERSION 1
 #define RSBAC_AUTH_USER_ACI_KEY 1001
 
 #endif				/* AUTH */
 
 #if defined(CONFIG_RSBAC_CAP)
-#define RSBAC_CAP_USER_ACI_VERSION 2
-#define RSBAC_CAP_USER_OLD_ACI_VERSION 1
+#define RSBAC_CAP_USER_ACI_VERSION 3
+#define RSBAC_CAP_USER_OLD_ACI_VERSION 2
+#define RSBAC_CAP_USER_OLD_OLD_ACI_VERSION 1
 #define RSBAC_CAP_USER_ACI_KEY 1001
 struct rsbac_cap_user_aci_t {
 	rsbac_system_role_int_t cap_role;	/* System role for CAP administration */
@@ -941,17 +955,20 @@
 #endif
 
 #if defined(CONFIG_RSBAC_JAIL)
-#define RSBAC_JAIL_USER_ACI_VERSION 1
+#define RSBAC_JAIL_USER_ACI_VERSION 2
+#define RSBAC_JAIL_USER_OLD_ACI_VERSION 1
 #define RSBAC_JAIL_USER_ACI_KEY 1001
 #endif
 
 #if defined(CONFIG_RSBAC_PAX)
-#define RSBAC_PAX_USER_ACI_VERSION 1
+#define RSBAC_PAX_USER_ACI_VERSION 2
+#define RSBAC_PAX_USER_OLD_ACI_VERSION 1
 #define RSBAC_PAX_USER_ACI_KEY 1001221
 #endif
 
 #if defined(CONFIG_RSBAC_RES)
-#define RSBAC_RES_USER_ACI_VERSION 1
+#define RSBAC_RES_USER_ACI_VERSION 2
+#define RSBAC_RES_USER_OLD_ACI_VERSION 1
 #define RSBAC_RES_USER_ACI_KEY 1002
 struct rsbac_res_user_aci_t {
 	rsbac_system_role_int_t res_role;	/* System role for RES administration */
@@ -1165,6 +1182,7 @@
 	rsbac_uid_t auid_exempt;
 	__u32 remote_ip;
 	rsbac_boolean_t kernel_thread;
+	rsbac_um_set_t vset;
 };
 #define DEFAULT_GEN_P_ACI \
     { \
@@ -1174,8 +1192,10 @@
       .auid_exempt = RSBAC_NO_USER, \
       .remote_ip = 0, \
       .kernel_thread = 0, \
+      .vset = 0, \
     }
 
+
 #if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT)
 #define RSBAC_MAC_PROCESS_ACI_VERSION 1
 #define RSBAC_MAC_PROCESS_ACI_KEY 1001
@@ -1385,7 +1405,7 @@
     }
 #endif
 
-#define RSBAC_PROCESS_NR_ATTRIBUTES 38
+#define RSBAC_PROCESS_NR_ATTRIBUTES 39
 #define RSBAC_PROCESS_ATTR_LIST { \
       A_security_level, \
       A_min_security_level, \
@@ -1424,7 +1444,8 @@
       A_audit_uid, \
       A_auid_exempt, \
       A_auth_last_auth, \
-      A_remote_ip \
+      A_remote_ip, \
+      A_vset \
       }
 
 #ifdef __KERNEL__
=== include/rsbac/acl_data_structures.h
==================================================================
--- include/rsbac/acl_data_structures.h	(revision 2367)
+++ include/rsbac/acl_data_structures.h	(local)
@@ -1,9 +1,9 @@
 /**************************************/
 /* Rule Set Based Access Control      */
-/* Author and (c) 1999-2006:          */
+/* Author and (c) 1999-2007:          */
 /*   Amon Ott <ao@rsbac.org>          */
 /* Data structures / ACL              */
-/* Last modified: 09/Sep/2006         */
+/* Last modified: 25/Sep/2007         */
 /**************************************/
 
 #ifndef __RSBAC_ACL_DATA_STRUC_H
@@ -311,10 +311,12 @@
 #define RSBAC_ACL_FD_OLD_FILENAME "aclfd."
 #define RSBAC_ACL_DEF_FD_FILENAME "aclfd.df"
 #define RSBAC_ACL_NR_FD_LISTS 4
-#define RSBAC_ACL_FD_LIST_VERSION 2
-#define RSBAC_ACL_DEF_FD_LIST_VERSION 2
-#define RSBAC_ACL_FD_OLD_LIST_VERSION 1
-#define RSBAC_ACL_DEF_FD_OLD_LIST_VERSION 1
+#define RSBAC_ACL_FD_LIST_VERSION 3
+#define RSBAC_ACL_DEF_FD_LIST_VERSION 3
+#define RSBAC_ACL_FD_OLD_LIST_VERSION 2
+#define RSBAC_ACL_DEF_FD_OLD_LIST_VERSION 2
+#define RSBAC_ACL_FD_OLD_OLD_LIST_VERSION 1
+#define RSBAC_ACL_DEF_FD_OLD_OLD_LIST_VERSION 1
 
 /* The list of devices is also a double linked list, so we define list    */
 /* items and a list head.                                                 */
@@ -344,20 +346,23 @@
 
 #define RSBAC_ACL_DEV_FILENAME "acldev"
 #define RSBAC_ACL_DEV_MAJOR_FILENAME "acldevm"
-#define RSBAC_ACL_DEV_LIST_VERSION 3
-#define RSBAC_ACL_DEV_OLD_LIST_VERSION 2
-#define RSBAC_ACL_DEV_OLD_OLD_LIST_VERSION 1
+#define RSBAC_ACL_DEV_LIST_VERSION 4
+#define RSBAC_ACL_DEV_OLD_LIST_VERSION 3
+#define RSBAC_ACL_DEV_OLD_OLD_LIST_VERSION 2
+#define RSBAC_ACL_DEV_OLD_OLD_OLD_LIST_VERSION 1
 #define RSBAC_ACL_DEF_DEV_FILENAME "acldev.df"
-#define RSBAC_ACL_DEF_DEV_LIST_VERSION 2
-#define RSBAC_ACL_DEF_DEV_OLD_LIST_VERSION 1
+#define RSBAC_ACL_DEF_DEV_LIST_VERSION 3
+#define RSBAC_ACL_DEF_DEV_OLD_LIST_VERSION 2
+#define RSBAC_ACL_DEF_DEV_OLD_OLD_LIST_VERSION 1
 
 /**********************************************/
 /* ACL entries for IPC ACL                    */
 /**********************************************/
 
 #define RSBAC_ACL_DEF_IPC_FILENAME "aclipc.df"
-#define RSBAC_ACL_DEF_IPC_LIST_VERSION 2
-#define RSBAC_ACL_DEF_IPC_OLD_LIST_VERSION 1
+#define RSBAC_ACL_DEF_IPC_LIST_VERSION 3
+#define RSBAC_ACL_DEF_IPC_OLD_LIST_VERSION 2
+#define RSBAC_ACL_DEF_IPC_OLD_OLD_LIST_VERSION 1
 
 /**********************************************/
 /* ACL entries for SCD ACL                    */
@@ -365,74 +370,88 @@
 
 #define RSBAC_ACL_SCD_FILENAME "aclscd"
 #define RSBAC_ACL_DEF_SCD_FILENAME "aclscd.df"
-#define RSBAC_ACL_SCD_LIST_VERSION 2
-#define RSBAC_ACL_DEF_SCD_LIST_VERSION 2
-#define RSBAC_ACL_SCD_OLD_LIST_VERSION 1
-#define RSBAC_ACL_DEF_SCD_OLD_LIST_VERSION 1
+#define RSBAC_ACL_SCD_LIST_VERSION 3
+#define RSBAC_ACL_SCD_OLD_LIST_VERSION 2
+#define RSBAC_ACL_SCD_OLD_OLD_LIST_VERSION 1
+#define RSBAC_ACL_DEF_SCD_LIST_VERSION 3
+#define RSBAC_ACL_DEF_SCD_OLD_LIST_VERSION 2
+#define RSBAC_ACL_DEF_SCD_OLD_OLD_LIST_VERSION 1
 
 /**********************************************/
 /* ACL entries for user ACL                   */
 /**********************************************/
 
 #define RSBAC_ACL_U_FILENAME "acluser"
-#define RSBAC_ACL_U_LIST_VERSION 1
+#define RSBAC_ACL_U_LIST_VERSION 2
+#define RSBAC_ACL_U_OLD_LIST_VERSION 1
 #define RSBAC_ACL_DEF_U_FILENAME "acluser.df"
-#define RSBAC_ACL_DEF_U_LIST_VERSION 2
-#define RSBAC_ACL_DEF_U_OLD_LIST_VERSION 1
+#define RSBAC_ACL_DEF_U_LIST_VERSION 3
+#define RSBAC_ACL_DEF_U_OLD_LIST_VERSION 2
+#define RSBAC_ACL_DEF_U_OLD_OLD_LIST_VERSION 1
 
 /**********************************************/
 /* ACL entries for process ACL                */
 /**********************************************/
 
 #define RSBAC_ACL_DEF_P_FILENAME "aclproc.df"
-#define RSBAC_ACL_DEF_P_LIST_VERSION 2
-#define RSBAC_ACL_DEF_P_OLD_LIST_VERSION 1
+#define RSBAC_ACL_DEF_P_LIST_VERSION 3
+#define RSBAC_ACL_DEF_P_OLD_LIST_VERSION 2
+#define RSBAC_ACL_DEF_P_OLD_OLD_LIST_VERSION 1
 
 /**********************************************/
 /* ACL entries for Linux group ACL            */
 /**********************************************/
 
 #define RSBAC_ACL_G_FILENAME "acllgrp"
-#define RSBAC_ACL_G_LIST_VERSION 1
+#define RSBAC_ACL_G_LIST_VERSION 2
+#define RSBAC_ACL_G_OLD_LIST_VERSION 1
 #define RSBAC_ACL_DEF_G_FILENAME "acllgrp.df"
-#define RSBAC_ACL_DEF_G_LIST_VERSION 2
-#define RSBAC_ACL_DEF_G_OLD_LIST_VERSION 1
+#define RSBAC_ACL_DEF_G_LIST_VERSION 3
+#define RSBAC_ACL_DEF_G_OLD_LIST_VERSION 2
+#define RSBAC_ACL_DEF_G_OLD_OLD_LIST_VERSION 1
 
 /**********************************************/
 /* ACL entries for Network Device ACL         */
 /**********************************************/
 
 #define RSBAC_ACL_NETDEV_FILENAME "aclndev"
-#define RSBAC_ACL_NETDEV_LIST_VERSION 2
-#define RSBAC_ACL_NETDEV_OLD_LIST_VERSION 1
+#define RSBAC_ACL_NETDEV_LIST_VERSION 3
+#define RSBAC_ACL_NETDEV_OLD_LIST_VERSION 2
+#define RSBAC_ACL_NETDEV_OLD_OLD_LIST_VERSION 1
 #define RSBAC_ACL_DEF_NETDEV_FILENAME "aclndev.df"
-#define RSBAC_ACL_DEF_NETDEV_LIST_VERSION 2
-#define RSBAC_ACL_DEF_NETDEV_OLD_LIST_VERSION 1
+#define RSBAC_ACL_DEF_NETDEV_LIST_VERSION 3
+#define RSBAC_ACL_DEF_NETDEV_OLD_LIST_VERSION 2
+#define RSBAC_ACL_DEF_NETDEV_OLD_OLD_LIST_VERSION 1
 
 /**********************************************/
 /* ACL entries for Network Template NT (template protection) ACL */
 /**********************************************/
 
 #define RSBAC_ACL_NETTEMP_NT_FILENAME "aclntnt"
-#define RSBAC_ACL_NETTEMP_NT_LIST_VERSION 2
-#define RSBAC_ACL_NETTEMP_NT_OLD_LIST_VERSION 1
+#define RSBAC_ACL_NETTEMP_NT_LIST_VERSION 3
+#define RSBAC_ACL_NETTEMP_NT_OLD_LIST_VERSION 2
+#define RSBAC_ACL_NETTEMP_NT_OLD_OLD_LIST_VERSION 1
 #define RSBAC_ACL_DEF_NETTEMP_NT_FILENAME "aclntnt.df"
-#define RSBAC_ACL_DEF_NETTEMP_NT_LIST_VERSION 2
-#define RSBAC_ACL_DEF_NETTEMP_NT_OLD_LIST_VERSION 1
+#define RSBAC_ACL_DEF_NETTEMP_NT_LIST_VERSION 3
+#define RSBAC_ACL_DEF_NETTEMP_NT_OLD_LIST_VERSION 2
+#define RSBAC_ACL_DEF_NETTEMP_NT_OLD_OLD_LIST_VERSION 1
 
 /**********************************************/
 /* ACL entries for Network Object ACL         */
 /**********************************************/
 
 #define RSBAC_ACL_NETTEMP_FILENAME "aclnt"
-#define RSBAC_ACL_NETTEMP_LIST_VERSION 2
-#define RSBAC_ACL_NETTEMP_OLD_LIST_VERSION 1
+#define RSBAC_ACL_NETTEMP_LIST_VERSION 3
+#define RSBAC_ACL_NETTEMP_OLD_LIST_VERSION 2
+#define RSBAC_ACL_NETTEMP_OLD_OLD_LIST_VERSION 1
 #define RSBAC_ACL_NETOBJ_FILENAME "aclno"
-#define RSBAC_ACL_NETOBJ_LIST_VERSION 2
-#define RSBAC_ACL_NETOBJ_OLD_LIST_VERSION 1
+#define RSBAC_ACL_NETOBJ_LIST_VERSION 3
+#define RSBAC_ACL_NETOBJ_OLD_LIST_VERSION 2
+#define RSBAC_ACL_NETOBJ_OLD_OLD_LIST_VERSION 1
 #define RSBAC_ACL_DEF_NETOBJ_FILENAME "aclno.df"
-#define RSBAC_ACL_DEF_NETOBJ_LIST_VERSION 2
-#define RSBAC_ACL_DEF_NETOBJ_OLD_LIST_VERSION 1
+#define RSBAC_ACL_DEF_NETOBJ_LIST_VERSION 3
+#define RSBAC_ACL_DEF_NETOBJ_OLD_LIST_VERSION 2
+#define RSBAC_ACL_DEF_NETOBJ_OLD_OLD_LIST_VERSION 1
 
 
 /**********************************************/
@@ -444,6 +463,7 @@
 
 /* In acl_types.h: #define RSBAC_ACL_GROUP_VERSION 2 */
 
-#define RSBAC_ACL_GM_VERSION 1
+#define RSBAC_ACL_GM_VERSION 2
+#define RSBAC_ACL_GM_OLD_VERSION 1
 
 #endif
=== include/rsbac/acl_types.h
==================================================================
--- include/rsbac/acl_types.h	(revision 2367)
+++ include/rsbac/acl_types.h	(local)
@@ -1,10 +1,10 @@
 /************************************ */
 /* Rule Set Based Access Control      */
-/* Author and (c) 1999-2005:          */
+/* Author and (c) 1999-2007:          */
 /*   Amon Ott <ao@rsbac.org>          */
 /* API: Data types for attributes     */
 /*      and standard module calls     */
-/* Last modified: 09/Feb/2005         */
+/* Last modified: 25/Sep/2007         */
 /************************************ */
 
 #ifndef __RSBAC_ACL_TYPES_H
@@ -19,7 +19,8 @@
 enum rsbac_acl_subject_type_t {ACLS_USER, ACLS_ROLE, ACLS_GROUP, ACLS_NONE};
 
 typedef __u8 rsbac_acl_int_subject_type_t;
-typedef __u32 rsbac_acl_subject_id_t;
+typedef __u64 rsbac_acl_subject_id_t;
+typedef __u32 rsbac_acl_old_subject_id_t;
 
 #define RSBAC_ACL_GROUP_EVERYONE 0
 
@@ -103,6 +104,12 @@
     rsbac_acl_subject_id_t       subj_id;
   };
 
+struct rsbac_acl_old_entry_desc_t
+  {
+    rsbac_acl_int_subject_type_t subj_type;  /* enum rsbac_acl_subject_type_t */
+    rsbac_acl_old_subject_id_t   subj_id;
+  };
+
 enum rsbac_acl_group_type_t {ACLG_GLOBAL, ACLG_PRIVATE, ACLG_NONE};
 
 typedef __u32 rsbac_acl_group_id_t;
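Review bot: Widening `rsbac_acl_subject_id_t` to `__u64` in the previous hunk puts alignment padding between the `__u8 subj_type` and `subj_id` in `struct rsbac_acl_entry_desc_t`, and the amount of padding differs between ABIs that align `__u64` to 4 bytes and to 8 bytes. If these descriptors are compared or written to disk as raw bytes, which this diff does not show, uninitialised padding would make lookups of ACL entries unreliable and could copy stale kernel memory into the ACL files. An explicit padding member, or at least a comment on the struct such as `/* list descriptor: zero the whole struct before filling, padding is part of the key */`, would make the requirement visible to callers. The same consideration applies to the new `struct rsbac_acl_old_entry_desc_t` when old entries are read for conversion.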
=== include/rsbac/auth_data_structures.h
==================================================================
--- include/rsbac/auth_data_structures.h	(revision 2367)
+++ include/rsbac/auth_data_structures.h	(local)
@@ -1,9 +1,9 @@
 /**************************************/
 /* Rule Set Based Access Control      */
-/* Author and (c) 1999-2006:          */
+/* Author and (c) 1999-2007:          */
 /*   Amon Ott <ao@rsbac.org> */
 /* Data structures / AUTH             */
-/* Last modified: 12/Jan/2006         */
+/* Last modified: 16/Sep/2007         */
 /**************************************/
 
 #ifndef __RSBAC_AUTH_DATA_STRUC_H
@@ -45,13 +45,20 @@
 #define RSBAC_AUTH_NR_CAP_GROUP_FD_LISTS 4
 #define RSBAC_AUTH_NR_CAP_GROUP_EFF_FD_LISTS 2
 #define RSBAC_AUTH_NR_CAP_GROUP_FS_FD_LISTS 2
-#define RSBAC_AUTH_FD_LIST_VERSION 1
-#define RSBAC_AUTH_FD_EFF_LIST_VERSION 1
-#define RSBAC_AUTH_FD_FS_LIST_VERSION 1
-#define RSBAC_AUTH_FD_GROUP_LIST_VERSION 1
-#define RSBAC_AUTH_FD_GROUP_EFF_LIST_VERSION 1
-#define RSBAC_AUTH_FD_GROUP_FS_LIST_VERSION 1
 
+#define RSBAC_AUTH_FD_LIST_VERSION 2
+#define RSBAC_AUTH_FD_EFF_LIST_VERSION 2
+#define RSBAC_AUTH_FD_FS_LIST_VERSION 2
+#define RSBAC_AUTH_FD_GROUP_LIST_VERSION 2
+#define RSBAC_AUTH_FD_GROUP_EFF_LIST_VERSION 2
+#define RSBAC_AUTH_FD_GROUP_FS_LIST_VERSION 2
+#define RSBAC_AUTH_FD_OLD_LIST_VERSION 1
+#define RSBAC_AUTH_FD_EFF_OLD_LIST_VERSION 1
+#define RSBAC_AUTH_FD_FS_OLD_LIST_VERSION 1
+#define RSBAC_AUTH_FD_GROUP_OLD_LIST_VERSION 1
+#define RSBAC_AUTH_FD_GROUP_EFF_OLD_LIST_VERSION 1
+#define RSBAC_AUTH_FD_GROUP_FS_OLD_LIST_VERSION 1
+
 /* The list of devices is also a double linked list, so we define list    */
 /* items and a list head.                                                 */
 
=== include/rsbac/getname.h
==================================================================
--- include/rsbac/getname.h	(revision 2367)
+++ include/rsbac/getname.h	(local)
@@ -1,15 +1,18 @@
 /******************************** */
 /* Rule Set Based Access Control  */
-/* Author and (c) 1999-2005:      */
+/* Author and (c) 1999-2007:      */
 /* Amon Ott <ao@rsbac.org>        */
 /* Getname functions for all parts*/
-/* Last modified: 27/May/2005     */
+/* Last modified: 17/Sep/2007     */
 /******************************** */
 
 #ifndef __RSBAC_GETNAME_H
 #define __RSBAC_GETNAME_H
 
 #include <rsbac/types.h>
+#ifdef CONFIG_RSBAC_XSTATS
+#include <rsbac/syscalls.h>
+#endif
 
 #if defined(__KERNEL__) && defined(CONFIG_RSBAC_LOG_FULL_PATH)
 #include <linux/fs.h>
@@ -89,4 +92,9 @@
 
 int get_cap_nr(const char * name);
 
+#ifdef CONFIG_RSBAC_XSTATS
+char *get_syscall_name(char *syscall_name,
+                       enum rsbac_syscall_t syscall);
 #endif
+
+#endif
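Review bot: `get_syscall_name()` takes an output buffer with no length parameter and no comment saying how large the buffer must be, and the same holds for `u32tostrcap()` added in include/rsbac/helpers.h. The prototype should state the minimum buffer size and what is written for a `syscall` value at or beyond `RSYS_none`, for example `/* syscall_name must hold at least <SIZE> bytes; out of range values give <FALLBACK> */` with the real constant filled in. In helpers.h the input of `strtou32cap()` is only parsed as far as the name suggests, so declaring it `const char * str` would document that it is not modified. The implementations are outside this diff.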
=== include/rsbac/helpers.h
==================================================================
--- include/rsbac/helpers.h	(revision 2367)
+++ include/rsbac/helpers.h	(local)
@@ -1,8 +1,8 @@
 /************************************* */
 /* Rule Set Based Access Control       */
-/* Author and (c) 1999-2005: Amon Ott  */
+/* Author and (c) 1999-2007: Amon Ott  */
 /* Helper functions for all parts      */
-/* Last modified:  21/Jun/2005         */
+/* Last modified:  26/Sep/2007         */
 /************************************* */
 
 #ifndef __RSBAC_HELPER_H
@@ -21,7 +21,12 @@
 /* convert u_long_long to binary string representation for MAC module */
 char * u64tostrmac(char[], __u64);
 
+char * u32tostrcap(char * str, __u32 i);
+__u32 strtou32cap(char * str, __u32 * i_p);
+
 #ifndef __KERNEL__
+void locale_init(void);
+
 int rsbac_lib_version(void);
 int rsbac_u32_compare(__u32 * a, __u32 * b);
 int rsbac_u32_void_compare(const void *a, const void *b);
@@ -88,6 +93,15 @@
 #ifdef __KERNEL__
 #include <asm/uaccess.h>
 
+#ifdef CONFIG_RSBAC_UM_VIRTUAL
+rsbac_um_set_t rsbac_get_vset(void);
+#else
+static inline rsbac_um_set_t rsbac_get_vset(void)
+  {
+    return 0;
+  }
+#endif
+
 int rsbac_get_owner(rsbac_uid_t * user_p);
 
 static inline int rsbac_get_user(unsigned char * kern_p, unsigned char * user_p, int size)
=== include/rsbac/lists.h
==================================================================
--- include/rsbac/lists.h	(revision 2367)
+++ include/rsbac/lists.h	(local)
@@ -2,7 +2,7 @@
 /* Rule Set Based Access Control                     */
 /* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /* Generic List Management                           */
-/* Last modified: 12/Feb/2007                        */
+/* Last modified: 19/Sep/2007                        */
 /*************************************************** */
 
 /* Note: lol = list of lists, a two-level list structure */
@@ -109,6 +109,12 @@
  */
 typedef int rsbac_list_data_compare_function_t(void *data1, void *data2);
 
+/* Function to compare two descs with a parameter, returns TRUE,
+ * if item is selected, and FALSE, if not.
+ * Used for selected lists of descriptors.
+ */
+typedef int rsbac_list_desc_selector_function_t(void *desc, void * param);
+
 /* conversion function to upconvert old on-disk descs and datas to actual version */
 /* must return 0 on success or error otherwise */
 /* Attention: if old or new data_size is 0, the respective data pointer is NULL! */
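Review bot: The comment on `rsbac_list_desc_selector_function_t` says the function compares two descs, but the signature takes a single `desc` and an opaque `param`. Suggested wording: `/* Selector: called with one desc and the caller's param; returns TRUE if the item is selected, FALSE if not. */`. Since the `*_selector` list functions added further down in this file are declared with this callback type and presumably call it while walking the list, it is worth stating here whether the callback may sleep or call back into the list API; the list implementation is not part of this diff.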
@@ -211,7 +217,8 @@
 			u_int flags,
 			rsbac_list_compare_function_t * compare,
 			rsbac_list_get_conv_t * get_conv,
-			void *def_data, char *name, kdev_t device,
+			void *def_data,
+			char *name, kdev_t device,
 			u_int nr_hashes,
 			rsbac_list_hash_function_t hash_function,
 			char * old_base_name);
@@ -225,7 +232,8 @@
 			rsbac_list_get_conv_t * get_conv,
 			rsbac_list_get_conv_t * get_subconv,
 			void *def_data,
-			void *def_subdata, char *name, kdev_t device,
+			void *def_subdata,
+			char *name, kdev_t device,
 			u_int nr_hashes,
 			rsbac_list_hash_function_t hash_function,
 			char * old_base_name);
@@ -527,6 +535,15 @@
 	return rsbac_ta_list_get_desc(0, handle, desc, data, compare);
 }
 
+int rsbac_ta_list_get_desc_selector(
+	rsbac_list_ta_number_t ta_number,
+	rsbac_list_handle_t handle,
+	void *desc,
+	void *data,
+	rsbac_list_data_compare_function_t compare,
+	rsbac_list_desc_selector_function_t selector,
+	void * param);
+
 int rsbac_ta_list_lol_get_desc(rsbac_list_ta_number_t ta_number,
 			       rsbac_list_handle_t handle,
 			       void *desc,
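Review bot: The six `*_selector` prototypes added from this hunk onward (`rsbac_ta_list_get_desc_selector`, `rsbac_ta_list_lol_get_desc_selector`, the two `get_next_desc_selector` variants and the two `get_all_desc_selector` variants) carry no contract comment, unlike several neighbouring declarations. Callers need to know whether `selector` may be NULL, what is returned when no item is selected, and for the two `get_all_desc_selector` variants who frees `*array_p` and with which function. If these calls are what restricts a listing to one virtual user set, an unclear NULL or error convention could make a caller treat an unfiltered or empty result as the filtered one. One comment per pair in the style of the existing `/* get maximum desc (uses compare function) */` would be enough.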
@@ -541,6 +558,15 @@
 	return rsbac_ta_list_lol_get_desc(0, handle, desc, data, compare);
 }
 
+int rsbac_ta_list_lol_get_desc_selector(
+	rsbac_list_ta_number_t ta_number,
+	rsbac_list_handle_t handle,
+	void *desc,
+	void *data,
+	rsbac_list_data_compare_function_t compare,
+	rsbac_list_desc_selector_function_t selector,
+	void * param);
+
 /* get maximum desc (uses compare function) */
 int rsbac_ta_list_get_max_desc(rsbac_list_ta_number_t ta_number,
 			       rsbac_list_handle_t handle, void *desc);
@@ -565,6 +591,14 @@
 	return rsbac_ta_list_get_next_desc(0, handle, old_desc, next_desc);
 }
 
+int rsbac_ta_list_get_next_desc_selector(
+		rsbac_list_ta_number_t ta_number,
+		rsbac_list_handle_t handle,
+		void *old_desc,
+		void *next_desc,
+		rsbac_list_desc_selector_function_t selector,
+		void * param);
+
 int rsbac_ta_list_lol_get_next_desc(rsbac_list_ta_number_t ta_number,
 				    rsbac_list_handle_t handle,
 				    void *old_desc, void *next_desc);
@@ -576,6 +610,14 @@
 					       next_desc);
 }
 
+int rsbac_ta_list_lol_get_next_desc_selector(
+		rsbac_list_ta_number_t ta_number,
+		rsbac_list_handle_t handle,
+		void *old_desc,
+		void *next_desc,
+		rsbac_list_desc_selector_function_t selector,
+		void * param);
+
 /* does item exist? */
 /* returns TRUE, if item exists, FALSE, if not or error */
 int rsbac_ta_list_exist(rsbac_list_ta_number_t ta_number,
@@ -676,6 +718,12 @@
 	return rsbac_ta_list_get_all_desc(0, handle, array_p);
 }
 
+long rsbac_ta_list_get_all_desc_selector (
+	rsbac_list_ta_number_t ta_number,
+	rsbac_list_handle_t handle, void **array_p,
+	rsbac_list_desc_selector_function_t selector,
+	void * param);
+
 long rsbac_ta_list_lol_get_all_subdesc_ttl(rsbac_list_ta_number_t
 					   ta_number,
 					   rsbac_list_handle_t handle,
@@ -710,6 +758,13 @@
 	return rsbac_ta_list_lol_get_all_desc(0, handle, array_p);
 }
 
+long rsbac_ta_list_lol_get_all_desc_selector (
+        rsbac_list_ta_number_t ta_number,
+        rsbac_list_handle_t handle,
+        void **array_p,
+        rsbac_list_desc_selector_function_t selector,
+        void * param);
+
 /* Get array of all datas */
 /* Returns number of elements or negative error code */
 /* If return value > 0, *array_p contains a pointer to a vmalloc'd array of datas,
=== include/rsbac/mac_data_structures.h
==================================================================
--- include/rsbac/mac_data_structures.h	(revision 2367)
+++ include/rsbac/mac_data_structures.h	(local)
@@ -25,7 +25,8 @@
 #define RSBAC_MAC_FD_FILENAME "macfdtru"
 #define RSBAC_MAC_FD_OLD_FILENAME "macfdtru."
 #define RSBAC_MAC_NR_TRU_FD_LISTS 4
-#define RSBAC_MAC_FD_LIST_VERSION 1
+#define RSBAC_MAC_FD_LIST_VERSION 2
+#define RSBAC_MAC_FD_OLD_LIST_VERSION 1
 
 /* The list of devices is also a double linked list, so we define list    */
 /* items and a list head.                                                 */
=== include/rsbac/pm_ticket.h
==================================================================
--- include/rsbac/pm_ticket.h	(revision 2367)
+++ include/rsbac/pm_ticket.h	(local)
@@ -396,15 +396,6 @@
 /*******************/
 
 #ifdef __KERNEL__
-struct rsbac_pm_old_tkt_data_t
-    {
-             rsbac_pm_tkt_id_t                       id;
-             rsbac_old_uid_t                         issuer;
-      enum   rsbac_pm_tkt_function_type_t            function_type;
-      union  rsbac_pm_tkt_internal_function_param_t  function_param;
-             rsbac_pm_time_stamp_t                   valid_until;
-    };
-
 struct rsbac_pm_tkt_data_t
     {
              rsbac_pm_tkt_id_t                       id;
=== include/rsbac/syscalls.h
==================================================================
--- include/rsbac/syscalls.h	(revision 2367)
+++ include/rsbac/syscalls.h	(local)
@@ -1,10 +1,10 @@
 /************************************* */
 /* Rule Set Based Access Control       */
-/* Author and (c) 1999-2006:           */
+/* Author and (c) 1999-2007:           */
 /*   Amon Ott <ao@rsbac.org>           */
 /* Syscall wrapper functions for all   */
 /* parts                               */
-/* Last modified: 13/Jul/2006          */
+/* Last modified: 26/Sep/2007          */
 /************************************* */
 
 #ifndef __RSBAC_SYSCALLS_H
@@ -115,6 +115,7 @@
     RSYS_acl_list_all_group,
     RSYS_list_all_ipc,
     RSYS_rc_select_fd_create_type,
+    RSYS_um_select_vset,
     RSYS_none
   };
 
@@ -580,7 +581,7 @@
   {
            rsbac_list_ta_number_t ta_number;
            rsbac_uid_t  uid;
-           rsbac_gid_t  gid;
+           rsbac_gid_num_t  gid;
            rsbac_time_t ttl;
   };
 
@@ -632,7 +633,7 @@
   {
           rsbac_list_ta_number_t ta_number;
           rsbac_uid_t  uid;
-          rsbac_gid_t  gid;
+          rsbac_gid_num_t  gid;
   };
 
 struct rsys_um_user_exists_t
@@ -657,6 +658,7 @@
 struct rsys_um_get_user_list_t
   {
           rsbac_list_ta_number_t ta_number;
+          rsbac_um_set_t vset;
           rsbac_uid_t * user_array;
           u_int         maxnum;
   };
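Review bot: Inserting `vset` ahead of `user_array` moves the user pointer inside `struct rsys_um_get_user_list_t`, so a tool built against the previous headers would pass a struct whose pointer sits at the old offset; `struct rsys_um_get_group_list_t` gets the same insertion, and every argument struct with `rsbac_uid_t` or `rsbac_gid_t` members changes size with the move to 64 bits. The syscall dispatcher is not part of this diff, so it cannot be confirmed from here that callers presenting an older `RSBAC_VERSION_NR` are rejected before any of these structs is interpreted. In addition, a `__u32 ta_number` followed by a `__u64` member has different offsets for 32 bit user space and a 64 bit kernel on ABIs where the alignment of `__u64` differs. A comment above the argument structs stating the supported combinations, or explicit padding after `ta_number`, would remove the ambiguity.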
@@ -665,7 +667,7 @@
   {
           rsbac_list_ta_number_t ta_number;
           rsbac_uid_t   user;
-          rsbac_gid_t * group_array;
+          rsbac_gid_num_t * group_array;
           u_int         maxnum;
   };
 
@@ -673,13 +675,14 @@
   {
           rsbac_list_ta_number_t ta_number;
           rsbac_gid_t   group;
-          rsbac_uid_t * user_array;
+          rsbac_uid_num_t * user_array;
           u_int         maxnum;
   };
 
 struct rsys_um_get_group_list_t
   {
           rsbac_list_ta_number_t ta_number;
+          rsbac_um_set_t vset;
           rsbac_gid_t * group_array;
           u_int         maxnum;
   };
@@ -728,6 +731,11 @@
     char * name;
   };
 
+struct rsys_um_select_vset_t
+  {
+    rsbac_um_set_t vset;
+  };
+
 struct rsys_list_ta_begin_t
   {
     rsbac_time_t ttl;
@@ -902,6 +910,7 @@
     struct rsys_acl_list_all_group_t acl_list_all_group;
     struct rsys_list_all_ipc_t list_all_ipc;
     struct rsys_rc_select_fd_create_type_t rc_select_fd_create_type;
+    struct rsys_um_select_vset_t um_select_vset;
            int dummy;
   };
 
@@ -1102,7 +1111,7 @@
 
 int rsbac_rc_get_current_role (rsbac_rc_role_id_t * role_p);
 
-int rsbac_rc_sys_select_fd_create_type(rsbac_rc_type_id_t type);
+int rsbac_rc_select_fd_create_type(rsbac_rc_type_id_t type);
 
 /************** AUTH ***************/
 
@@ -1260,7 +1269,7 @@
 int rsbac_um_add_gm(
   rsbac_list_ta_number_t ta_number,
   rsbac_uid_t uid,
-  rsbac_gid_t gid,
+  rsbac_gid_num_t gid,
   rsbac_time_t ttl);
 
 int rsbac_um_mod_user(
@@ -1298,7 +1307,7 @@
 int rsbac_um_remove_gm(
   rsbac_list_ta_number_t ta_number,
   rsbac_uid_t uid,
-  rsbac_gid_t gid);
+  rsbac_gid_num_t gid);
 
 int rsbac_um_user_exists(
   rsbac_list_ta_number_t ta_number,
@@ -1315,23 +1324,25 @@
 
 int rsbac_um_get_user_list(
   rsbac_list_ta_number_t ta_number,
+  rsbac_um_set_t vset,
   rsbac_uid_t user_array[],
   u_int       maxnum);
 
 int rsbac_um_get_gm_list(
   rsbac_list_ta_number_t ta_number,
   rsbac_uid_t user,
-  rsbac_gid_t group_array[],
+  rsbac_gid_num_t group_array[],
   u_int       maxnum);
 
 int rsbac_um_get_gm_user_list(
   rsbac_list_ta_number_t ta_number,
   rsbac_gid_t group,
-  rsbac_uid_t user_array[],
+  rsbac_uid_num_t user_array[],
   u_int       maxnum);
 
 int rsbac_um_get_group_list(
   rsbac_list_ta_number_t ta_number,
+  rsbac_um_set_t vset,
   rsbac_gid_t group_array[],
   u_int       maxnum);
 
@@ -1360,6 +1371,8 @@
 
 int rsbac_um_check_account_name(char * name);
 
+int rsbac_um_select_vset(rsbac_um_set_t vset);
+
 int rsbac_list_ta_begin(rsbac_time_t ttl,
                         rsbac_list_ta_number_t * ta_number_p,
                         rsbac_uid_t commit_uid,
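Review bot: `rsbac_um_select_vset()` is declared without any comment on who may call it or which values it accepts, although by its name it changes the virtual user set under which the caller's user and group ids are interpreted. include/rsbac/types.h in this change appears to reserve `RSBAC_UM_VIRTUAL_KEEP`, `RSBAC_UM_VIRTUAL_ALL` and the range above `RSBAC_UM_VIRTUAL_MAX` as special values; the implementation is outside this diff, so it should be confirmed that it rejects those and makes an access decision before switching. Suggested comment: `/* Switch the calling process to virtual user set vset; requires <ACCESS CHECK>; vset must not exceed RSBAC_UM_VIRTUAL_MAX */`, with the actual check named.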
=== include/rsbac/types.h
==================================================================
--- include/rsbac/types.h	(revision 2367)
+++ include/rsbac/types.h	(local)
@@ -4,7 +4,7 @@
 /*   Amon Ott <ao@rsbac.org>         */
 /* API: Data types for attributes    */
 /*      and standard module calls    */
-/* Last modified: 19/Feb/2007        */
+/* Last modified: 21/Sep/2007        */
 /*********************************** */
 
 #ifndef __RSBAC_TYPES_H
@@ -14,10 +14,10 @@
 #ifdef CONFIG_MODULES
 #endif
 
-#define RSBAC_VERSION "1.3.5"
+#define RSBAC_VERSION "1.4.0-pre1"
 #define RSBAC_VERSION_MAJOR 1
-#define RSBAC_VERSION_MID 3
-#define RSBAC_VERSION_MINOR 5
+#define RSBAC_VERSION_MID 4
+#define RSBAC_VERSION_MINOR 0
 #define RSBAC_VERSION_NR \
  ((RSBAC_VERSION_MAJOR << 16) | (RSBAC_VERSION_MID << 8) | RSBAC_VERSION_MINOR)
 #define RSBAC_VERSION_MAKE_NR(x,y,z) \
@@ -31,13 +31,26 @@
 #endif
 
 typedef __u32 rsbac_version_t;
-typedef __u32 rsbac_uid_t;                   /* Same as user in Linux kernel */
-typedef __u32 rsbac_gid_t;                   /* Same as group in Linux kernel */
-typedef __u16 rsbac_old_uid_t;               /* Same as user in Linux kernel */
-typedef __u16 rsbac_old_gid_t;               /* Same as group in Linux kernel */
-typedef __u32 rsbac_time_t;                  /* Same as time_t in Linux kernel */
-typedef __u32 rsbac_cap_vector_t;            /* Same as kernel_cap_t in Linux kernel */
+typedef __u64 rsbac_uid_t;           /* High 32 Bit virtual set, low uid */
+typedef __u64 rsbac_gid_t;           /* High 32 Bit virtual set, low gid */
+typedef __u32 rsbac_old_uid_t;       /* Same as user in Linux kernel */
+typedef __u32 rsbac_uid_num_t;       /* Same as user in Linux kernel */
+typedef __u32 rsbac_old_gid_t;       /* Same as group in Linux kernel */
+typedef __u32 rsbac_gid_num_t;       /* Same as user in Linux kernel */
+typedef __u32 rsbac_um_set_t;
+typedef __u32 rsbac_time_t;          /* Same as time_t in Linux kernel */
+typedef __u32 rsbac_cap_vector_t;    /* Same as kernel_cap_t in Linux kernel */
 
+#define RSBAC_UID_SET(x) ((rsbac_um_set_t) (x >> 32))
+#define RSBAC_UID_NUM(x) ((rsbac_uid_num_t) (x & (rsbac_uid_num_t) -1))
+#define RSBAC_GEN_UID(x,y) ((rsbac_uid_t) x << 32 | RSBAC_UID_NUM(y))
+#define RSBAC_GID_SET(x) ((rsbac_um_set_t) (x >> 32))
+#define RSBAC_GID_NUM(x) ((rsbac_gid_num_t) (x & (rsbac_gid_num_t) -1))
+#define RSBAC_GEN_GID(x,y) ((rsbac_gid_t) x << 32 | RSBAC_GID_NUM(y))
+#define RSBAC_UM_VIRTUAL_KEEP ((rsbac_um_set_t) -1)
+#define RSBAC_UM_VIRTUAL_ALL ((rsbac_um_set_t) -2)
+#define RSBAC_UM_VIRTUAL_MAX ((rsbac_um_set_t) -10)
+
 typedef __u32 rsbac_list_ta_number_t;
 
 struct rsbac_nanotime_t
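Review bot: The new `RSBAC_UID_SET`/`RSBAC_UID_NUM`/`RSBAC_GEN_UID` macros and their GID twins use their arguments unparenthesised, and the `>> 32` in the SET macros is only defined when the argument is 64 bits wide. An expression argument, or a 32-bit `rsbac_uid_num_t` passed by mistake, would yield a wrong set or number in code that makes access decisions on it. I would write them as `#define RSBAC_UID_SET(x) ((rsbac_um_set_t) (((rsbac_uid_t) (x)) >> 32))` and `#define RSBAC_GEN_UID(x,y) ((((rsbac_uid_t) (x)) << 32) | RSBAC_UID_NUM(y))`, with `(x)` parenthesised in `RSBAC_UID_NUM` as well. The comment on `rsbac_gid_num_t` still says "Same as user" where it should read "Same as group in Linux kernel".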
@@ -116,10 +129,10 @@
 
 #define RSBAC_OLD_NO_USER 65533
 #define RSBAC_OLD_ALL_USERS 65532
-#define RSBAC_NO_USER ((rsbac_uid_t) -3)
-#define RSBAC_ALL_USERS ((rsbac_uid_t) -4)
-#define RSBAC_NO_GROUP ((rsbac_gid_t) -3)
-#define RSBAC_ALL_GROUPS ((rsbac_gid_t) -4)
+#define RSBAC_NO_USER ((rsbac_uid_num_t) -3)
+#define RSBAC_ALL_USERS ((rsbac_uid_num_t) -4)
+#define RSBAC_NO_GROUP ((rsbac_gid_num_t) -3)
+#define RSBAC_ALL_GROUPS ((rsbac_gid_num_t) -4)
 
 #ifndef FALSE
 #define FALSE 0
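Review bot: `RSBAC_NO_USER` and `RSBAC_ALL_USERS` are now 32-bit values, but they are still compared against 64-bit `rsbac_uid_t` variables, for example `if(audit_uid == RSBAC_NO_USER)` in the adf_main.c hunks of this commit. After zero-extension that comparison is true only when the upper 32 bits (the virtual set) are zero, so a stored value carrying a non-zero set and the number -3 would be treated as a real user; whether such a value can be stored is not visible here. Either compare the number part, `if (RSBAC_UID_NUM(audit_uid) == RSBAC_NO_USER)`, or add a comment at these defines stating that the sentinels are number-only and must be tested through `RSBAC_UID_NUM()`/`RSBAC_GID_NUM()`.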
@@ -372,19 +385,23 @@
 /**** AUTH ****/
 /* special cap value, replaced by process owner at execute time */
 #define RSBAC_AUTH_MAX_MAXNUM 1000000
-#define RSBAC_AUTH_OLD_OWNER_F_CAP (rsbac_old_uid_t) -3
-#define RSBAC_AUTH_OWNER_F_CAP ((rsbac_uid_t) -3)
-#define RSBAC_AUTH_DAC_OWNER_F_CAP ((rsbac_uid_t) -4)
-#define RSBAC_AUTH_MAX_RANGE_UID ((rsbac_uid_t) -10)
-#define RSBAC_AUTH_GROUP_F_CAP ((rsbac_gid_t) -3)
-#define RSBAC_AUTH_DAC_GROUP_F_CAP ((rsbac_gid_t) -4)
-#define RSBAC_AUTH_MAX_RANGE_GID ((rsbac_gid_t) -10)
+#define RSBAC_AUTH_OWNER_F_CAP ((rsbac_uid_num_t) -3)
+#define RSBAC_AUTH_DAC_OWNER_F_CAP ((rsbac_uid_num_t) -4)
+#define RSBAC_AUTH_MAX_RANGE_UID ((rsbac_uid_num_t) -10)
+#define RSBAC_AUTH_GROUP_F_CAP ((rsbac_uid_num_t) -3)
+#define RSBAC_AUTH_DAC_GROUP_F_CAP ((rsbac_uid_num_t) -4)
+#define RSBAC_AUTH_MAX_RANGE_GID ((rsbac_uid_num_t) -10)
 typedef struct rsbac_fs_file_t rsbac_auth_file_t;
 struct rsbac_auth_cap_range_t
   {
     rsbac_uid_t first;
     rsbac_uid_t last;
   };
+struct rsbac_auth_old_cap_range_t
+  {
+    rsbac_old_uid_t first;
+    rsbac_old_uid_t last;
+  };
 enum    rsbac_auth_cap_type_t {ACT_real, ACT_eff, ACT_fs, 
                                ACT_group_real, ACT_group_eff, ACT_group_fs,
                                ACT_none};
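Review bot: The three group constants `RSBAC_AUTH_GROUP_F_CAP`, `RSBAC_AUTH_DAC_GROUP_F_CAP` and `RSBAC_AUTH_MAX_RANGE_GID` are cast to `rsbac_uid_num_t`, although this commit introduces `rsbac_gid_num_t` for exactly this purpose. Both are `__u32` today, so the values are the same, but the cast misleads a reader and would go wrong if the two typedefs ever diverge. I would write `#define RSBAC_AUTH_GROUP_F_CAP ((rsbac_gid_num_t) -3)` and likewise for the other two.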
@@ -724,6 +741,7 @@
     A_remote_ip,
     A_cap_ld_env,
     A_daz_do_scan,
+    A_vset,
 #ifdef __KERNEL__
     /* adf-request helpers */
     A_owner,
@@ -855,8 +873,9 @@
          rsbac_uid_t                 audit_uid;
          rsbac_uid_t                 auid_exempt;
          __u32                       remote_ip;
+         rsbac_um_set_t             vset;
 #ifdef __KERNEL__
-         rsbac_gid_t                 group;        /* process/fd group */
+         rsbac_gid_num_t             group;        /* process/fd group */
     struct sockaddr                * sockaddr_p; /* socket address */
          long                        signal;        /* signal for kill */
          int                         mode;    /* mode for create/mount */
@@ -951,6 +970,7 @@
          rsbac_uid_t                 audit_uid;
          rsbac_uid_t                 auid_exempt;
          __u32                       remote_ip;
+         rsbac_um_set_t              vset;
          u_char                      u_char_dummy;
          u_short                     u_short_dummy;
          int                         dummy;
=== include/rsbac/um.h
==================================================================
--- include/rsbac/um.h	(revision 2367)
+++ include/rsbac/um.h	(local)
@@ -1,10 +1,10 @@
 /************************************ */
 /* Rule Set Based Access Control      */
-/* Author and (c) 1999-2005:          */
+/* Author and (c) 1999-2007:          */
 /*   Amon Ott <ao@rsbac.org>          */
 /* API: Data structures               */
 /* and functions for User Management  */
-/* Last modified: 08/Jul/2005         */
+/* Last modified: 20/Sep/2007         */
 /************************************ */
 
 #ifndef __RSBAC_UM_H
@@ -60,7 +60,7 @@
 int rsbac_um_add_gm(
   rsbac_list_ta_number_t ta_number,
   rsbac_uid_t user,
-  rsbac_gid_t group,
+  rsbac_gid_num_t group,
   rsbac_time_t ttl);
 
 int rsbac_um_mod_user(
@@ -106,7 +106,7 @@
 int rsbac_um_remove_gm(
   rsbac_list_ta_number_t ta_number,
   rsbac_uid_t user,
-  rsbac_gid_t group);
+  rsbac_gid_num_t group);
 
 int rsbac_um_get_next_user(
   rsbac_list_ta_number_t ta_number,
@@ -115,20 +115,22 @@
 
 int rsbac_um_get_user_list(
   rsbac_list_ta_number_t ta_number,
+  rsbac_um_set_t vset,
   rsbac_uid_t ** list_pp);
 
 int rsbac_um_get_gm_list(
   rsbac_list_ta_number_t ta_number,
   rsbac_uid_t user,
-  rsbac_gid_t ** list_pp);
+  rsbac_gid_num_t ** list_pp);
 
 int rsbac_um_get_gm_user_list(
   rsbac_list_ta_number_t ta_number,
   rsbac_gid_t group,
-  rsbac_uid_t ** list_pp);
+  rsbac_uid_num_t ** list_pp);
 
 int rsbac_um_get_group_list(
   rsbac_list_ta_number_t ta_number,
+  rsbac_um_set_t vset,
   rsbac_gid_t ** list_pp);
 
 int rsbac_um_get_user_entry(
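Review bot: The list getters now return two different kinds of id without saying so: `rsbac_um_get_user_list` and `rsbac_um_get_group_list` hand back full `rsbac_uid_t`/`rsbac_gid_t` values, while `rsbac_um_get_gm_list` and `rsbac_um_get_gm_user_list` hand back bare `rsbac_gid_num_t`/`rsbac_uid_num_t`. A caller that compares or stores the bare numbers has to know which virtual set they belong to, and the header does not state it. I would add a comment above each prototype, for example `/* list_pp receives group numbers inside the virtual set of 'user' */` if that is the intended contract, and document which special `vset` values (`RSBAC_UM_VIRTUAL_ALL`, `RSBAC_UM_VIRTUAL_KEEP`) the new parameter accepts.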
=== include/rsbac/um_types.h
==================================================================
--- include/rsbac/um_types.h	(revision 2367)
+++ include/rsbac/um_types.h	(local)
@@ -1,8 +1,8 @@
 /**************************************/
 /* Rule Set Based Access Control      */
-/* Author and (c) 1999-2004: Amon Ott */
+/* Author and (c) 1999-2007: Amon Ott */
 /* User Management Data structures    */
-/* Last modified: 29/Sep/2005         */
+/* Last modified: 16/Sep/2007         */
 /**************************************/
 
 #ifndef __RSBAC_UM_TYPES_H
@@ -30,15 +30,17 @@
 #define RSBAC_UM_NR_GROUP_LISTS  8
 #define RSBAC_UM_NR_USER_PWHISTORY_LISTS  8
 
-#define RSBAC_UM_USER_LIST_VERSION 1
-#define RSBAC_UM_GROUP_LIST_VERSION 1
-#define RSBAC_UM_USER_PWHISTORY_LIST_VERSION 1
+#define RSBAC_UM_USER_LIST_VERSION 2
+#define RSBAC_UM_GROUP_LIST_VERSION 2
+#define RSBAC_UM_USER_PWHISTORY_LIST_VERSION 2
+#define RSBAC_UM_USER_OLD_LIST_VERSION 1
+#define RSBAC_UM_GROUP_OLD_LIST_VERSION 1
+#define RSBAC_UM_USER_PWHISTORY_OLD_LIST_VERSION 1
 
 #define RSBAC_UM_USER_LIST_KEY 6363636
 #define RSBAC_UM_GROUP_LIST_KEY 9847298
 #define RSBAC_UM_USER_PWHISTORY_LIST_KEY 8854687
 
-
 #define RSBAC_UM_NAME_LEN 16
 #define RSBAC_UM_PASS_LEN 24
 #define RSBAC_UM_FULLNAME_LEN 30
@@ -55,7 +57,7 @@
 
 union rsbac_um_mod_data_t {
 	char string[RSBAC_MAXNAMELEN];
-	rsbac_gid_t group;
+	rsbac_gid_num_t group;
 	rsbac_um_days_t days;
 	rsbac_time_t ttl;
 };
@@ -66,7 +68,7 @@
 	char fullname[RSBAC_UM_FULLNAME_LEN];
 	char homedir[RSBAC_UM_HOMEDIR_LEN];
 	char shell[RSBAC_UM_SHELL_LEN];
-	rsbac_gid_t group;
+	rsbac_gid_num_t group;
 	rsbac_um_days_t lastchange;
 	rsbac_um_days_t minchange;
 	rsbac_um_days_t maxchange;
=== rsbac/Kconfig
==================================================================
--- rsbac/Kconfig	(revision 2367)
+++ rsbac/Kconfig	(local)
@@ -419,6 +419,23 @@
 	---help---
 	  This is the number of passwords RSBAC User Management will
 	  remember and check against when changing a password.
+
+config RSBAC_UM_VIRTUAL
+	bool 'Support virtual users'
+	default n
+	depends on RSBAC_UM=y
+	---help---
+	  If enabled, RSBAC User Management supports virtual users,
+	  which are organized in sets with 32 Bit ID numbers. ID 0 is
+          the main set.
+
+config RSBAC_UM_VIRTUAL_ISOLATE
+	bool 'Isolate virtual user sets'
+	default y
+	depends on RSBAC_UM_VIRTUAL=y
+	---help---
+	  Select this option to ensure that users in virtual sets > 0
+	  never see users and groups in other virtual sets.
 endmenu
 
 if NET
=== rsbac/adf/acl/acl_main.c
==================================================================
--- rsbac/adf/acl/acl_main.c	(revision 2367)
+++ rsbac/adf/acl/acl_main.c	(local)
@@ -4,9 +4,9 @@
 /* Facility (ADF) - Access Control Lists (ACL)        */
 /* File: rsbac/adf/acl/acl_main.c                     */
 /*                                                    */
-/* Author and (c) 1999-2006: Amon Ott <ao@rsbac.org>  */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org>  */
 /*                                                    */
-/* Last modified: 14/Jun/2006                         */
+/* Last modified: 24/Sep/2007                         */
 /**************************************************** */
 
 #include <linux/string.h>
@@ -416,6 +416,7 @@
                 case A_audit_uid:
                 case A_auid_exempt:
                 case A_remote_ip:
+                case A_vset:
                   if (!rsbac_acl_check_right(target, tid, owner, caller_pid, request))
                     return(NOT_GRANTED);
                   else
=== rsbac/adf/adf_main.c
==================================================================
--- rsbac/adf/adf_main.c	(revision 2367)
+++ rsbac/adf/adf_main.c	(local)
@@ -5,7 +5,7 @@
 /*                                                   */
 /* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /*                                                   */
-/* Last modified: 27/Aug/2007                        */
+/* Last modified: 24/Sep/2007                        */
 /*************************************************** */
 
 #include <linux/string.h>
@@ -215,7 +215,7 @@
 
 /* No decision possible before init (called at boot time) -> don't care */
     if (!rsbac_is_initialized())
-      return(DO_NOT_CARE);
+      return DO_NOT_CARE;
 
 /* Always granted for kernel (pid 0) and logging daemon */
     if (   !caller_pid
@@ -223,7 +223,7 @@
         || (caller_pid == rsbaclogd_pid)
         #endif
        )
-      return(GRANTED);
+      return GRANTED;
 
 /* Checking base values */
     if(   request >= R_NONE
@@ -232,7 +232,7 @@
       {
         rsbac_printk(KERN_WARNING
                "rsbac_adf_request_int(): called with invalid request, target or attribute\n");
-        return(NOT_GRANTED);
+        return NOT_GRANTED;
       }
     request_vector = RSBAC_REQUEST_VECTOR(request);
 
@@ -272,6 +272,13 @@
     else  /* caller_pid = 1 -> init, always owned by root */
       owner = 0;
 
+#ifdef CONFIG_RSBAC_UM_VIRTUAL
+   if (attr == A_owner)
+     attr_val_p->owner = RSBAC_GEN_UID(RSBAC_UID_SET(owner), attr_val_p->owner);
+   else
+   if (attr == A_group)
+     attr_val_p->group = RSBAC_GEN_GID(RSBAC_UID_SET(owner), attr_val_p->group);
+#endif
 
 /******************************************************/
 /* General work for all modules - before module calls */
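Review bot: The `A_group` branch has no effect if `attr_val_p->group` is the member that the types.h hunk of this commit declares as `rsbac_gid_num_t`. `RSBAC_GEN_GID()` builds a 64-bit value with the set in the upper half, and assigning it to a 32-bit field drops that half again, so the group reaches the decision modules without its virtual set. The declaration of `attr_val_p` is outside this hunk, so please confirm the type. If the set is meant to travel with the group, the kernel-only member should be `rsbac_gid_t group;`, otherwise the branch should be removed so it does not suggest a check that is not happening.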
@@ -294,6 +301,7 @@
               result = DO_NOT_CARE;
               goto log;
             }
+
 #endif
           /* No decision on pseudo pipefs */
           if(   (target == T_FIFO)
@@ -326,12 +334,12 @@
                     if(tmperr == -RSBAC_EINVALIDDEV)
                       {
 //                        rsbac_ds_get_error_num("rsbac_adf_request()", A_internal, tmperr);
-                        return(DO_NOT_CARE);  /* last calls on shutdown */
+                        return DO_NOT_CARE;  /* last calls on shutdown */
                       }
                     else
                       {
                         rsbac_ds_get_error_num("rsbac_adf_request()", A_internal, tmperr);
-                        return(NOT_GRANTED);  /* something weird happened */
+                        return NOT_GRANTED;  /* something weird happened */
                       }
                   }
                 /* no access to rsbac_internal objects is granted in any case */
@@ -351,10 +359,21 @@
                     #endif
                   }
             }
+
+#if defined(CONFIG_RSBAC_UM_VIRTUAL_ISOLATE)
+          if (attr == A_vset && (RSBAC_UID_SET(owner))) {
+            result = adf_and_plus(result, NOT_GRANTED);
+#ifdef CONFIG_RSBAC_SOFTMODE_IND
+            ret_result = adf_and_plus(ret_result, NOT_GRANTED);
+#endif
+          }
+#endif
+
           break;
 
+#if defined(CONFIG_RSBAC_UM_EXCL) || defined(CONFIG_RSBAC_UM_VIRTUAL_ISOLATE)
+        case T_PROCESS:
 #if defined(CONFIG_RSBAC_UM_EXCL)
-        case T_PROCESS:
           switch(request)
             {
               case R_CHANGE_OWNER:
@@ -400,9 +419,31 @@
               default:
                 break;
             }
+#endif
+#if defined(CONFIG_RSBAC_UM_VIRTUAL_ISOLATE)
+          if (attr == A_vset && (RSBAC_UID_SET(owner))) {
+            result = adf_and_plus(result, NOT_GRANTED);
+#ifdef CONFIG_RSBAC_SOFTMODE_IND
+            ret_result = adf_and_plus(ret_result, NOT_GRANTED);
+#endif
+          }
+#endif
           break;
-#endif /* UM_EXCL */
+#endif /* UM_EXCL || UM_VIRTUAL_ISOLATE */
 
+#if defined(CONFIG_RSBAC_UM_VIRTUAL_ISOLATE)
+        case T_USER:
+          if(   RSBAC_UID_SET(owner)
+             && (RSBAC_UID_SET(owner) != RSBAC_UID_SET(tid_p->user))
+            ) {
+                    result = adf_and_plus(result, NOT_GRANTED);
+#ifdef CONFIG_RSBAC_SOFTMODE_IND
+                    ret_result = adf_and_plus(ret_result, NOT_GRANTED);
+#endif
+          }
+          break;
+#endif
+
 #ifdef CONFIG_RSBAC_NET_OBJ
 #if defined(CONFIG_RSBAC_IND_NETOBJ_LOG) || defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_RC)
 	case T_NETOBJ:
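Review bot: Isolation is added for `T_USER` targets only, while the Kconfig help for `RSBAC_UM_VIRTUAL_ISOLATE` in this same commit promises that users in sets > 0 never see users and groups in other sets. No `T_GROUP` case is visible in this hunk, so unless group targets are filtered elsewhere in the switch (its remainder is outside the hunk), a caller in one set can still address groups of another. A parallel case is sketched below; it assumes the target id union names its group member `group` and that no `T_GROUP` case already exists further down.

```c
/* … unchanged: T_USER case under CONFIG_RSBAC_UM_VIRTUAL_ISOLATE … */
#if defined(CONFIG_RSBAC_UM_VIRTUAL_ISOLATE)
        case T_GROUP:
          /* same rule as T_USER: callers in a set > 0 stay inside their own set */
          if(   RSBAC_UID_SET(owner)
             && (RSBAC_UID_SET(owner) != RSBAC_GID_SET(tid_p->group))
            ) {
              result = adf_and_plus(result, NOT_GRANTED);
#ifdef CONFIG_RSBAC_SOFTMODE_IND
              ret_result = adf_and_plus(ret_result, NOT_GRANTED);
#endif
          }
          break;
#endif
```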
@@ -1207,20 +1248,28 @@
         if (rsbac_get_attr(SW_GEN,T_PROCESS,i_tid,A_audit_uid,&i_attr_val,FALSE))
           {
             rsbac_ds_get_error("rsbac_adf_request()", A_audit_uid);
-            return(NOT_GRANTED);  /* something weird happened */
+            return NOT_GRANTED;  /* something weird happened */
           }
         audit_uid = i_attr_val.audit_uid;
         if(audit_uid == RSBAC_NO_USER)
           audit_uid = owner;
-        else
-          sprintf(audit_uid_name, "audit uid %u, ", audit_uid);
+        else {
+#ifdef CONFIG_RSBAC_UM_VIRTUAL
+          if (RSBAC_UID_SET(audit_uid))
+            sprintf(audit_uid_name, "audit uid %u/%u, ",
+                    RSBAC_UID_SET(audit_uid),
+                    RSBAC_UID_NUM(audit_uid));
+          else
+#endif
+          sprintf(audit_uid_name, "audit uid %u, ", RSBAC_UID_NUM(audit_uid));
+        }
 #ifdef CONFIG_RSBAC_LOG_PSEUDO
         /* Get owner's logging pseudo */
         i_tid.user = audit_uid;
         if (rsbac_get_attr(SW_GEN,T_USER,i_tid,A_pseudo,&i_attr_val,FALSE))
           {
             rsbac_ds_get_error("rsbac_adf_request()", A_pseudo);
-            return(NOT_GRANTED);  /* something weird happened */
+            return NOT_GRANTED;  /* something weird happened */
           }
         /* if pseudo is not registered, return attribute value is 0 (see later) */
         pseudo = i_attr_val.pseudo;
@@ -1232,7 +1281,7 @@
         if (rsbac_get_attr(SW_GEN,T_PROCESS,i_tid,A_remote_ip,&i_attr_val,FALSE))
           {
             rsbac_ds_get_error("rsbac_adf_request()", A_remote_ip);
-            return(NOT_GRANTED);  /* something weird happened */
+            return NOT_GRANTED;  /* something weird happened */
           }
         if(i_attr_val.remote_ip)
           sprintf(remote_ip_name, "remote ip %u.%u.%u.%u, ", NIPQUAD(i_attr_val.remote_ip));
@@ -1308,14 +1357,26 @@
         else
 #endif
           {
+            char * owner_name;
+                    
+            owner_name = rsbac_kmalloc(32);
+#ifdef CONFIG_RSBAC_UM_VIRTUAL
+            if (RSBAC_UID_SET(owner))
+              sprintf(owner_name, "%u/%u",
+                      RSBAC_UID_SET(owner),
+                      RSBAC_UID_NUM(owner));
+            else
+#endif
+              sprintf(owner_name, "%u", RSBAC_UID_NUM(owner));
     #ifdef CONFIG_RSBAC_SOFTMODE
             if(rsbac_softmode)
-              rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, uid %u, %s%starget_type %s, tid %s, attr %s, value %s, result %s (Softmode) by%s\n",
-                           request_name, caller_pid, parent_pid, command, program_path, owner, audit_uid_name, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
+              rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, uid %s, %s%starget_type %s, tid %s, attr %s, value %s, result %s (Softmode) by%s\n",
+                           request_name, caller_pid, parent_pid, command, program_path, owner_name, audit_uid_name, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
             else
     #endif
-              rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, uid %u, %s%starget_type %s, tid %s, attr %s, value %s, result %s by%s\n",
-                           request_name, caller_pid, parent_pid, command, program_path, owner, audit_uid_name, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
+              rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, uid %s, %s%starget_type %s, tid %s, attr %s, value %s, result %s by%s\n",
+                           request_name, caller_pid, parent_pid, command, program_path, owner_name, audit_uid_name, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
+            rsbac_kfree(owner_name);
           }
         /* rsbac_kfree all helper mem */
         rsbac_kfree(request_name);
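Review bot: `owner_name` is used by `sprintf()` straight after `rsbac_kmalloc(32)` with no NULL check, so an allocation failure in this logging path becomes a NULL write inside the access decision function. The same pattern recurs in the rsbac_adf_set_attr() hunks for `audit_uid_name` and the second `owner_name`. The string is at most 21 characters plus the terminator, so a local `char owner_name[24];` filled with `snprintf(owner_name, sizeof(owner_name), "%u/%u", ...)` removes both the allocation and the matching `rsbac_kfree()`. The enclosing function starts and ends outside this hunk.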
@@ -1836,6 +1897,21 @@
                             }
                         }
                     }
+                  #ifdef CONFIG_RSBAC_UM_VIRTUAL
+                  /* set vset of new process */
+                  i_attr_val.vset = RSBAC_UID_SET(owner);
+                  if(i_attr_val.vset)
+                    {
+                      /* set vset for new process */
+                      if (rsbac_set_attr(SW_GEN, new_target,
+                                         new_tid,
+                                         A_vset,
+                                         i_attr_val))
+                        {
+                          rsbac_ds_set_error("rsbac_adf_set_attr()", A_vset);
+                        }
+                    }
+                  #endif
                   break;
 
                 default:
@@ -1961,6 +2037,33 @@
                         }
                     }
                   #endif
+                  #ifdef CONFIG_RSBAC_UM_VIRTUAL
+                  /* get vset from file */
+                  if (rsbac_get_attr(SW_GEN,
+                                     target,
+                                     tid,
+                                     A_vset,
+                                     &i_attr_val,
+                                     FALSE))
+                    {
+                      rsbac_ds_get_error("rsbac_adf_set_attr()", A_vset);
+                    }
+                  else
+                    {
+                      /* set vset for process */
+                      if(i_attr_val.vset != RSBAC_UM_VIRTUAL_KEEP)
+                        {
+                          i_tid.process = caller_pid;
+                          if (rsbac_set_attr(SW_GEN, T_PROCESS,
+                                             i_tid,
+                                             A_vset,
+                                             i_attr_val))
+                            {
+                              rsbac_ds_set_error("rsbac_adf_set_attr()", A_fake_root_uid);
+                            }
+                        }
+                    }
+                  #endif
                   /* get auid_exempt from file */
                   if (rsbac_get_attr(SW_GEN,
                                      target,
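Review bot: The error path of the new `rsbac_set_attr(..., A_vset, ...)` call reports the wrong attribute, because it was copied with `A_fake_root_uid` still in place. A failed vset assignment on execute would then be logged as a fake_root_uid failure, which sends whoever reads the log to the wrong attribute. The line should read `rsbac_ds_set_error("rsbac_adf_set_attr()", A_vset);`.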
@@ -2130,6 +2233,7 @@
         char * new_target_id_name;
         char * attr_name;
         rsbac_uid_t audit_uid;
+        char * audit_uid_name;
 #ifdef CONFIG_RSBAC_LOG_PSEUDO
         rsbac_pseudo_t  pseudo = 0;
 #endif
@@ -2141,9 +2245,21 @@
             rsbac_ds_get_error("rsbac_adf_set_attr()", A_audit_uid);
             return -RSBAC_EREADFAILED;  /* something weird happened */
           }
+        audit_uid_name = rsbac_kmalloc(32);
         audit_uid = i_attr_val.audit_uid;
-        if(audit_uid == RSBAC_NO_USER)
+        if(audit_uid == RSBAC_NO_USER) {
+          audit_uid_name[0] = 0;
           audit_uid = owner;
+        } else {
+#ifdef CONFIG_RSBAC_UM_VIRTUAL
+          if (RSBAC_UID_SET(audit_uid))
+            sprintf(audit_uid_name, "audit uid %u/%u, ",
+                    RSBAC_UID_SET(audit_uid),
+                    RSBAC_UID_NUM(audit_uid));
+          else
+#endif
+          sprintf(audit_uid_name, "audit uid %u, ", RSBAC_UID_NUM(audit_uid));
+        }
 #ifdef CONFIG_RSBAC_LOG_PSEUDO
         /* Get owner's logging pseudo */
         i_tid.user = audit_uid;
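Review bot: The 32-byte `audit_uid_name` buffer is too small for the virtual-set format written into it. `"audit uid %u/%u, "` expands to as many as 33 characters plus the terminator when both the set and the uid have ten digits, so the `sprintf()` can write two bytes past the allocation. I would allocate 40 bytes and bound the write, `snprintf(audit_uid_name, 40, "audit uid %u/%u, ", RSBAC_UID_SET(audit_uid), RSBAC_UID_NUM(audit_uid));`. The rsbac_adf_request() hunk earlier in this file writes the same format into its own `audit_uid_name`, whose allocation is outside that hunk and should be checked for the same limit.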
@@ -2194,10 +2310,25 @@
                        new_target_type_name, new_target_id_name, attr_name, attr_val.dummy, error);
         else
 #endif
+        {
+          char * owner_name = rsbac_kmalloc(32);
+
+#ifdef CONFIG_RSBAC_UM_VIRTUAL
+          if (RSBAC_UID_SET(owner))
+            sprintf(owner_name, "%u/%u",
+                    RSBAC_UID_SET(owner),
+                    RSBAC_UID_NUM(owner));
+          else
+#endif
+            sprintf(owner_name, "%u", RSBAC_UID_NUM(owner));
+
           rsbac_printk(KERN_INFO
-                       "rsbac_adf_set_attr(): request %s, pid %u, uid %u, audit_uid %u, target_type %s, tid %s, new_target_type %s, new_tid %s, attr %s, value %u, error %i\n",
-                       request_name, (u_int) caller_pid, owner, audit_uid, target_type_name, target_id_name,
+                       "rsbac_adf_set_attr(): request %s, pid %u, uid %s, %starget_type %s, tid %s, new_target_type %s, new_tid %s, attr %s, value %u, error %i\n",
+                       request_name, (u_int) caller_pid, owner_name, audit_uid_name, target_type_name, target_id_name,
                        new_target_type_name, new_target_id_name, attr_name, attr_val.dummy, error);
+          rsbac_kfree(owner_name);
+          rsbac_kfree(audit_uid_name);
+        }
         /* rsbac_kfree all helper mem */
         rsbac_kfree(request_name);
         rsbac_kfree(target_type_name);
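Review bot: `rsbac_kfree(audit_uid_name);` sits inside the new `else` block, but the buffer is allocated unconditionally in the previous hunk. When the branch before the `else` is taken (it starts outside this hunk and is compiled only under an `#ifdef`), the buffer is never freed and every logged call leaks 32 bytes. Moving the free below the block, next to `rsbac_kfree(request_name);`, releases it on both paths.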
=== rsbac/adf/auth/auth_main.c
==================================================================
--- rsbac/adf/auth/auth_main.c	(revision 2367)
+++ rsbac/adf/auth/auth_main.c	(local)
@@ -6,7 +6,7 @@
 /*                                                    */
 /* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org>  */
 /*                                                    */
-/* Last modified: 11/Apr/2007                         */
+/* Last modified: 24/Sep/2007                         */
 /**************************************************** */
 
 #include <linux/string.h>
@@ -104,7 +104,7 @@
 #if defined(CONFIG_RSBAC_AUTH_GROUP)
                 case T_PROCESS:
                   if(attr != A_group)
-                    return(UNDEFINED);
+                    return(NOT_GRANTED);
 #if defined(CONFIG_RSBAC_AUTH_ALLOW_SAME)
                   if(attr_val.group == current->gid)
                     return DO_NOT_CARE;
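Review bot: The attribute-mismatch return changes from `UNDEFINED` to `NOT_GRANTED` with no comment saying why, and it keeps the parenthesised `return(NOT_GRANTED);` form. The same change in the cap, daz, ff, jail, mac and pax hunks uses `return NOT_GRANTED;`, as does `return result;` at the end of this function. Since this turns a caller error into a hard denial, a one-line comment such as `/* wrong attribute for this request: fail closed */` would record the intent. This applies to all seven such hunks in auth_main.c; using the unparenthesised form there would keep the commit consistent.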
@@ -178,7 +178,7 @@
               {
                 case T_PROCESS:
                   if(attr != A_owner)
-                    return(UNDEFINED);
+                    return(NOT_GRANTED);
 #if defined(CONFIG_RSBAC_AUTH_ALLOW_SAME)
                   if(attr_val.owner == owner)
                     return DO_NOT_CARE;
@@ -241,7 +241,7 @@
               {
                 case T_PROCESS:
                   if(attr != A_owner)
-                    return(UNDEFINED);
+                    return(NOT_GRANTED);
                   if(attr_val.owner == owner)
                     return DO_NOT_CARE;
 #if defined(CONFIG_RSBAC_AUTH_ALLOW_SAME)
@@ -304,7 +304,7 @@
               {
                 case T_PROCESS:
                   if(attr != A_owner)
-                    return(UNDEFINED);
+                    return(NOT_GRANTED);
                   if(attr_val.owner == owner)
                     return DO_NOT_CARE;
 #if defined(CONFIG_RSBAC_AUTH_ALLOW_SAME)
@@ -371,7 +371,7 @@
               {
                 case T_PROCESS:
                   if(attr != A_group)
-                    return(UNDEFINED);
+                    return(NOT_GRANTED);
                   if(attr_val.group == current->gid)
                     return DO_NOT_CARE;
 #if defined(CONFIG_RSBAC_AUTH_ALLOW_SAME)
@@ -410,7 +410,7 @@
               {
                 case T_PROCESS:
                   if(attr != A_group)
-                    return(UNDEFINED);
+                    return(NOT_GRANTED);
                   if(attr_val.group == current->gid)
                     return DO_NOT_CARE;
 #if defined(CONFIG_RSBAC_AUTH_ALLOW_SAME)
@@ -684,7 +684,7 @@
                 case T_NONE:
                   /* we need the switch_target */
                   if(attr != A_switch_target)
-                    return(UNDEFINED);
+                    return(NOT_GRANTED);
 #ifndef CONFIG_RSBAC_AUTH_OTHER_PROT
                   /* do not care for other modules */
                   if(   (attr_val.switch_target != SW_AUTH)
@@ -724,7 +724,7 @@
         default: return DO_NOT_CARE;
       }
 
-    return(result);
+    return result;
   } /* end of rsbac_adf_request_auth() */
 
 
=== rsbac/adf/cap/cap_main.c
==================================================================
--- rsbac/adf/cap/cap_main.c	(revision 2367)
+++ rsbac/adf/cap/cap_main.c	(local)
@@ -4,9 +4,9 @@
 /* Facility (ADF) - Linux Capabilities (CAP)          */
 /* File: rsbac/adf/cap/main.c                         */
 /*                                                    */
-/* Author and (c) 1999-2006: Amon Ott <ao@rsbac.org>  */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org>  */
 /*                                                    */
-/* Last modified: 11/Dec/2006                         */
+/* Last modified: 24/Sep/2007                         */
 /**************************************************** */
 
 #include <linux/string.h>
@@ -158,7 +158,7 @@
                 case T_NONE:
                   /* we need the switch_target */
                   if(attr != A_switch_target)
-                    return(UNDEFINED);
+                    return NOT_GRANTED;
                   /* do not care for other modules */
                   if(   (attr_val.switch_target != SW_CAP)
                      #ifdef CONFIG_RSBAC_CAP_AUTH_PROT
=== rsbac/adf/daz/daz_main.c
==================================================================
--- rsbac/adf/daz/daz_main.c	(revision 2367)
+++ rsbac/adf/daz/daz_main.c	(local)
@@ -4,11 +4,11 @@
 /* Facility (ADF) - Dazuko Malware Scan              */
 /* File: rsbac/adf/daz/daz_main.c                    */
 /*                                                   */
-/* Author and (c) 1999-2006: Amon Ott <ao@rsbac.org> */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /* Copyright (c) 2004 H+BEDV Datentechnik GmbH       */
 /* Written by John Ogness <jogness@antivir.de>       */
 /*                                                   */
-/* Last modified: 11/Dec/2006                        */
+/* Last modified: 24/Sep/2007                        */
 /*************************************************** */
 
 /* Dazuko RSBAC. 
@@ -890,7 +890,7 @@
 				case R_SWITCH_MODULE:
 					/* we need the switch_target */
 					if(attr != A_switch_target)
-						return UNDEFINED;
+						return NOT_GRANTED;
 					/* do not care for other modules */
 					if(   (attr_val.switch_target != SW_DAZ)
 #ifdef CONFIG_RSBAC_SOFTMODE
=== rsbac/adf/ff/ff_main.c
==================================================================
--- rsbac/adf/ff/ff_main.c	(revision 2367)
+++ rsbac/adf/ff/ff_main.c	(local)
@@ -4,9 +4,9 @@
 /* Facility (ADF) - File Flags                       */
 /* File: rsbac/adf/ff/main.c                         */
 /*                                                   */
-/* Author and (c) 1999-2006: Amon Ott <ao@rsbac.org> */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /*                                                   */
-/* Last modified: 11/Dec/2006                        */
+/* Last modified: 24/Sep/2007                        */
 /*************************************************** */
 
 #include <linux/types.h>
@@ -444,6 +444,7 @@
                 case A_audit_uid:
                 case A_auid_exempt:
                 case A_remote_ip:
+                case A_vset:
                 #endif
                 /* All attributes (remove target!) */
                 case A_none:
@@ -554,7 +555,7 @@
                 case T_NONE:
                   /* we need the switch_target */
                   if(attr != A_switch_target)
-                    return(UNDEFINED);
+                    return NOT_GRANTED;
                   /* do not care for other modules */
                   if(   (attr_val.switch_target != SW_FF)
                      #ifdef CONFIG_RSBAC_SOFTMODE
=== rsbac/adf/jail/jail_main.c
==================================================================
--- rsbac/adf/jail/jail_main.c	(revision 2367)
+++ rsbac/adf/jail/jail_main.c	(local)
@@ -6,7 +6,7 @@
 /*                                                    */
 /* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org>  */
 /*                                                    */
-/* Last modified: 30/Jan/2007                         */
+/* Last modified: 24/Sep/2007                         */
 /**************************************************** */
 
 #include <linux/string.h>
@@ -855,7 +855,7 @@
 		case R_SWITCH_MODULE:
 			/* we need the switch_target */
 			if (attr != A_switch_target)
-				return (UNDEFINED);
+				return NOT_GRANTED;
 			/* do not care for other modules */
 			if ((attr_val.switch_target != SW_JAIL)
 #ifdef CONFIG_RSBAC_SOFTMODE
=== rsbac/adf/mac/mac_main.c
==================================================================
--- rsbac/adf/mac/mac_main.c	(revision 2367)
+++ rsbac/adf/mac/mac_main.c	(local)
@@ -4,11 +4,11 @@
 /* Facility (ADF) - Mandatory Access Control         */
 /* File: rsbac/adf/mac/main.c                        */
 /*                                                   */
-/* Author and (c) 1999-2006: Amon Ott <ao@rsbac.org> */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /* MAC_LIGHT Modifications (c) 2000 Stanislav Ievlev */
 /*                     and (c) 2001 Amon Ott         */
 /*                                                   */
-/* Last modified: 11/Dec/2006                        */
+/* Last modified: 24/Sep/2007                        */
 /*************************************************** */
 
 #include <linux/string.h>
@@ -2627,6 +2627,7 @@
 		case A_auid_exempt:
 		case A_remote_ip:
 		case A_kernel_thread:
+		case A_vset:
 #endif
 #ifdef CONFIG_RSBAC_MAC_AUTH_PROT
 		case A_auth_may_setuid:
@@ -2956,6 +2957,7 @@
 		case A_auid_exempt:
 		case A_remote_ip:
 		case A_kernel_thread:
+		case A_vset:	
 #endif
 #ifdef CONFIG_RSBAC_MAC_AUTH_PROT
 		case A_auth_may_setuid:
@@ -3171,7 +3173,7 @@
 		case T_NONE:
 			/* we need the switch_target */
 			if (attr != A_switch_target)
-				return (UNDEFINED);
+				return NOT_GRANTED;
 			/* do not care for other modules */
 			if ((attr_val.switch_target != SW_MAC)
 #ifdef CONFIG_RSBAC_MAC_AUTH_PROT
=== rsbac/adf/pax/pax_main.c
==================================================================
--- rsbac/adf/pax/pax_main.c	(revision 2367)
+++ rsbac/adf/pax/pax_main.c	(local)
@@ -4,9 +4,9 @@
 /* Facility (ADF) - PAX                               */
 /* File: rsbac/adf/pax/pax_main.c                     */
 /*                                                    */
-/* Author and (c) 1999-2006: Amon Ott <ao@rsbac.org>  */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org>  */
 /*                                                    */
-/* Last modified: 11/Dec/2006                         */
+/* Last modified: 24/Sep/2007                         */
 /**************************************************** */
 
 #include <linux/string.h>
@@ -203,7 +203,7 @@
                 case T_NONE:
                   /* we need the switch_target */
                   if(attr != A_switch_target)
-                    return(UNDEFINED);
+                    return NOT_GRANTED;
                   /* do not care for other modules */
                   if(   (attr_val.switch_target != SW_PAX)
                      #ifdef CONFIG_RSBAC_SOFTMODE
=== rsbac/adf/pm/pm_main.c
==================================================================
--- rsbac/adf/pm/pm_main.c	(revision 2367)
+++ rsbac/adf/pm/pm_main.c	(local)
@@ -4,9 +4,9 @@
 /* Facility (ADF) - Privacy Model                    */
 /* File: rsbac/adf/pm/main.c                         */
 /*                                                   */
-/* Author and (c) 1999-2006: Amon Ott <ao@rsbac.org> */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /*                                                   */
-/* Last modified: 11/Dec/2006                        */
+/* Last modified: 24/Sep/2007                        */
 /*************************************************** */
 
 #include <linux/string.h>
@@ -1495,6 +1495,7 @@
                 #ifdef CONFIG_RSBAC_PM_GEN_PROT
                 case A_owner:
                 case A_pseudo:
+                case A_vset:
                 #endif
                 #ifdef CONFIG_RSBAC_PM_AUTH_PROT
                 case A_auth_may_setuid:
@@ -1841,6 +1842,7 @@
                 case A_fake_root_uid:
                 case A_audit_uid:
                 case A_auid_exempt:
+                case A_vset:
                 #endif
                 #ifdef CONFIG_RSBAC_PM_AUTH_PROT
                 case A_auth_may_setuid:
@@ -2218,7 +2220,7 @@
                 case T_NONE:
                   /* we need the switch_target */
                   if(attr != A_switch_target)
-                    return(UNDEFINED);
+                    return NOT_GRANTED;
                   /* deny PM to be switched, do not care for others */
                   if(   (attr_val.switch_target == SW_PM)
                      #ifdef CONFIG_RSBAC_PM_AUTH_PROT
=== rsbac/adf/rc/rc_main.c
==================================================================
--- rsbac/adf/rc/rc_main.c	(revision 2367)
+++ rsbac/adf/rc/rc_main.c	(local)
@@ -6,7 +6,7 @@
 /*                                                   */
 /* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /*                                                   */
-/* Last modified: 11/Apr/2007                        */
+/* Last modified: 24/Sep/2007                        */
 /*************************************************** */
 
 #include <linux/string.h>
@@ -1319,7 +1319,7 @@
 			/* you may only change a user's pseudo, if you also may assign her role */
 		case A_pseudo:
 			if (target != T_USER)
-				return UNDEFINED;
+				return NOT_GRANTED;
 			/* test assign_roles of process for user's role only */
 			if (rsbac_rc_test_assign_roles
 			    (target, tid, A_rc_def_role,
@@ -1341,6 +1341,7 @@
 		case A_audit_uid:
 		case A_auid_exempt:
 		case A_remote_ip:
+		case A_vset:
 			/* Explicitely granted? */
 			result =
 			    check_comp_rc(target, tid, request,
@@ -1513,6 +1514,7 @@
 		case A_audit_uid:
 		case A_auid_exempt:
 		case A_remote_ip:
+		case A_vset:
 #endif
 			/* Explicitely granted? */
 			result =
@@ -1674,7 +1676,7 @@
 		case T_NONE:
 			/* we need the switch_target */
 			if (attr != A_switch_target)
-				return (UNDEFINED);
+				return NOT_GRANTED;
 			/* do not care for other modules */
 			if ((attr_val.switch_target != SW_RC)
 #ifdef CONFIG_RSBAC_SOFTMODE
=== rsbac/adf/reg/reg_main.c
==================================================================
--- rsbac/adf/reg/reg_main.c	(revision 2367)
+++ rsbac/adf/reg/reg_main.c	(local)
@@ -4,9 +4,9 @@
 /* Facility (ADF) - REG / Decision Module Registration */
 /* File: rsbac/adf/reg/main.c                        */
 /*                                                   */
-/* Author and (c) 1999-2006: Amon Ott <ao@rsbac.org> */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /*                                                   */
-/* Last modified: 11/Dec/2006                        */
+/* Last modified: 24/Sep/2007                        */
 /*************************************************** */
 
 #include <linux/types.h>
=== rsbac/adf/res/res_main.c
==================================================================
--- rsbac/adf/res/res_main.c	(revision 2367)
+++ rsbac/adf/res/res_main.c	(local)
@@ -141,7 +141,7 @@
                 case T_NONE:
                   /* we need the switch_target */
                   if(attr != A_switch_target)
-                    return(UNDEFINED);
+                    return NOT_GRANTED;
                   /* do not care for other modules */
                   if(   (attr_val.switch_target != SW_RES)
                      #ifdef CONFIG_RSBAC_SOFTMODE
=== rsbac/data_structures/aci_data_structures.c
==================================================================
--- rsbac/data_structures/aci_data_structures.c	(revision 2367)
+++ rsbac/data_structures/aci_data_structures.c	(local)
@@ -5,7 +5,7 @@
 /* (some smaller parts copied from fs/namei.c        */
 /*  and others)                                      */
 /*                                                   */
-/* Last modified: 12/Mar/2007                        */
+/* Last modified: 27/Sep/2007                        */
 /*************************************************** */
 
 #include <linux/types.h>
@@ -152,9 +152,14 @@
 static __u64 fd_cache_misses[SW_NONE];
 static u_int fd_cache_invalidates;
 static u_int fd_cache_invalidate_alls;
+__u64 syscall_count[RSYS_none];
 #endif
 #endif
 
+#ifdef CONFIG_RSBAC_XSTATS
+__u64 syscall_count[RSYS_none];
+#endif
+
 static struct rsbac_dev_handles_t dev_handles;
 static struct rsbac_dev_handles_t dev_major_handles;
 static struct rsbac_ipc_handles_t ipc_handles;
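Review bot: `__u64 syscall_count[RSYS_none];` is added twice in this hunk, once before the two closing `#endif` lines and once in the new `#ifdef CONFIG_RSBAC_XSTATS` block. The opening `#ifdef`s of the first region are outside the hunk, but if the outer one is also CONFIG_RSBAC_XSTATS, both lines are active together and only compile because C merges tentative definitions. Keeping just the stand-alone `#ifdef CONFIG_RSBAC_XSTATS` copy would make the counter independent of the inner option and remove the duplicate.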
@@ -665,21 +670,22 @@
 	new_aci->log_array_low = old_aci->log_array_low;
 	new_aci->log_array_high = old_aci->log_array_high;
 	new_aci->log_program_based = old_aci->log_program_based;
-	new_aci->symlink_add_remote_ip = 0;
+	new_aci->symlink_add_remote_ip = old_aci->symlink_add_remote_ip;
 	new_aci->symlink_add_uid = old_aci->symlink_add_uid;
 	new_aci->symlink_add_mac_level = old_aci->symlink_add_mac_level;
 	new_aci->symlink_add_rc_role = old_aci->symlink_add_rc_role;
 	new_aci->linux_dac_disable = old_aci->linux_dac_disable;
 	new_aci->fake_root_uid = old_aci->fake_root_uid;
 	new_aci->auid_exempt = old_aci->auid_exempt;
+	new_aci->vset = RSBAC_UM_VIRTUAL_KEEP;
 	return 0;
 }
 
 static int gen_fd_old_conv(void *old_desc,
-			   void *old_data, void *new_desc, void *new_data)
+		       void *old_data, void *new_desc, void *new_data)
 {
 	struct rsbac_gen_fd_aci_t *new_aci = new_data;
-	struct rsbac_gen_fd_old_aci_t *old_aci = old_data;
+	struct rsbac_gen_fd_old_old_aci_t *old_aci = old_data;
 
 	memcpy(new_desc, old_desc, sizeof(rsbac_inode_nr_t));
 	new_aci->log_array_low = old_aci->log_array_low;
@@ -691,40 +697,18 @@
 	new_aci->symlink_add_rc_role = old_aci->symlink_add_rc_role;
 	new_aci->linux_dac_disable = old_aci->linux_dac_disable;
 	new_aci->fake_root_uid = old_aci->fake_root_uid;
-	new_aci->auid_exempt = RSBAC_NO_USER;
+	new_aci->auid_exempt = old_aci->auid_exempt;
+	new_aci->vset = RSBAC_UM_VIRTUAL_KEEP;
 	return 0;
 }
 
-static int gen_fd_old_old_conv(void *old_desc,
-			       void *old_data,
-			       void *new_desc, void *new_data)
+static rsbac_list_conv_function_t *gen_fd_get_conv(rsbac_version_t old_version)
 {
-	struct rsbac_gen_fd_aci_t *new_aci = new_data;
-	struct rsbac_gen_fd_old_old_aci_t *old_aci = old_data;
-
-	memcpy(new_desc, old_desc, sizeof(rsbac_inode_nr_t));
-	new_aci->log_array_low = old_aci->log_array_low;
-	new_aci->log_array_high = old_aci->log_array_high;
-	new_aci->log_program_based = old_aci->log_program_based;
-	new_aci->symlink_add_remote_ip = 0;
-	new_aci->symlink_add_uid = old_aci->symlink_add_uid;
-	new_aci->symlink_add_mac_level = old_aci->symlink_add_mac_level;
-	new_aci->symlink_add_rc_role = old_aci->symlink_add_rc_role;
-	new_aci->linux_dac_disable = old_aci->linux_dac_disable;
-	new_aci->fake_root_uid = FR_off;
-	new_aci->auid_exempt = RSBAC_NO_USER;
-	return 0;
-}
-
-rsbac_list_conv_function_t *gen_fd_get_conv(rsbac_version_t old_version)
-{
 	switch (old_version) {
 	case RSBAC_GEN_FD_OLD_ACI_VERSION:
 		return gen_fd_conv;
 	case RSBAC_GEN_FD_OLD_OLD_ACI_VERSION:
 		return gen_fd_old_conv;
-	case RSBAC_GEN_FD_OLD_OLD_OLD_ACI_VERSION:
-		return gen_fd_old_old_conv;
 	default:
 		return NULL;
 	}
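Review bot: Removing `case RSBAC_GEN_FD_OLD_OLD_OLD_ACI_VERSION:` together with `gen_fd_old_old_conv` appears to leave the oldest on-disk format that the previous revision still converted without a converter, so gen_fd_get_conv returns NULL for it. How the list code reacts to a NULL converter is not visible here; if it discards the stored items, per-file attributes such as `linux_dac_disable` and `fake_root_uid` would fall back to defaults after an upgrade from such a system. If dropping that format is intended, a comment above the switch like `/* formats older than RSBAC_GEN_FD_OLD_OLD_ACI_VERSION are no longer converted */` would record the decision. The function's closing brace lies outside the hunk.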
@@ -743,7 +727,7 @@
 	return 0;
 }
 
-rsbac_list_conv_function_t *gen_dev_get_conv(rsbac_version_t old_version)
+static rsbac_list_conv_function_t *gen_dev_get_conv(rsbac_version_t old_version)
 {
 	switch (old_version) {
 	case RSBAC_GEN_DEV_OLD_ACI_VERSION:
@@ -753,6 +737,25 @@
 	}
 }
 
+static int gen_user_conv(void *old_desc,
+			     void *old_data,
+			     void *new_desc, void *new_data)
+{
+	*((rsbac_uid_t *)new_desc) = *((rsbac_old_uid_t *)old_desc);
+	memcpy(new_data, old_data, sizeof(struct rsbac_gen_user_aci_t));
+	return 0;
+}
+
+static rsbac_list_conv_function_t *gen_user_get_conv(rsbac_version_t old_version)
+{
+	switch (old_version) {
+	case RSBAC_GEN_USER_OLD_ACI_VERSION:
+		return gen_user_conv;
+	default:
+		return NULL;
+	}
+}
+
 #ifdef CONFIG_RSBAC_MAC
 static int mac_old_fd_conv(void *old_desc,
 			   void *old_data, void *new_desc, void *new_data)
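Review bot: `gen_user_conv` accesses the descriptors through cast pointers, `*((rsbac_uid_t *)new_desc) = *((rsbac_old_uid_t *)old_desc);`, while the lines this commit replaces in the older converters used memcpy on the same `void *` buffers. Whether the list code guarantees that descriptor buffers are aligned for `rsbac_uid_t` cannot be seen from here; if it does not, the typed load and store are misaligned accesses on strict-alignment architectures. An alignment-independent form uses two locals: `memcpy(&old_uid, old_desc, sizeof(old_uid));`, `new_uid = old_uid;`, `memcpy(new_desc, &new_uid, sizeof(new_uid));`. The same statement recurs in the mac, pm, daz, ff, rc, auth, cap, jail, pax and res user converters in this file and, with typed locals, in `u_conv` and `g_conv` in acl_data_structures.c.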
@@ -804,7 +807,7 @@
 	return 0;
 }
 
-rsbac_list_conv_function_t *mac_fd_get_conv(rsbac_version_t old_version)
+static rsbac_list_conv_function_t *mac_fd_get_conv(rsbac_version_t old_version)
 {
 	switch (old_version) {
 	case RSBAC_MAC_FD_OLD_ACI_VERSION:
@@ -831,7 +834,7 @@
 	return 0;
 }
 
-rsbac_list_conv_function_t *mac_dev_get_conv(rsbac_version_t old_version)
+static rsbac_list_conv_function_t *mac_dev_get_conv(rsbac_version_t old_version)
 {
 	switch (old_version) {
 	case RSBAC_MAC_DEV_OLD_ACI_VERSION:
@@ -841,6 +844,15 @@
 	}
 }
 
+static int mac_user_conv(void *old_desc,
+			     void *old_data,
+			     void *new_desc, void *new_data)
+{
+	*((rsbac_uid_t *)new_desc) = *((rsbac_old_uid_t *)old_desc);
+	memcpy(new_data, old_data, sizeof(struct rsbac_mac_user_aci_t));
+	return 0;
+}
+
 static int mac_old_user_conv(void *old_desc,
 			     void *old_data,
 			     void *new_desc, void *new_data)
@@ -848,7 +860,7 @@
 	struct rsbac_mac_user_aci_t *new_aci = new_data;
 	struct rsbac_mac_user_old_aci_t *old_aci = old_data;
 
-	memcpy(new_desc, old_desc, sizeof(rsbac_uid_t));
+	*((rsbac_uid_t *)new_desc) = *((rsbac_old_uid_t *)old_desc);
 	new_aci->security_level = old_aci->access_appr;
 	new_aci->initial_security_level = old_aci->access_appr;
 	new_aci->min_security_level = old_aci->min_access_appr;
@@ -869,7 +881,7 @@
 	struct rsbac_mac_user_aci_t *new_aci = new_data;
 	struct rsbac_mac_user_old_old_aci_t *old_aci = old_data;
 
-	memcpy(new_desc, old_desc, sizeof(rsbac_uid_t));
+	*((rsbac_uid_t *)new_desc) = *((rsbac_old_uid_t *)old_desc);
 	new_aci->security_level = old_aci->access_appr;
 	new_aci->initial_security_level = old_aci->access_appr;
 	new_aci->min_security_level = old_aci->min_access_appr;
@@ -888,7 +900,7 @@
 	struct rsbac_mac_user_aci_t *new_aci = new_data;
 	struct rsbac_mac_user_old_old_old_aci_t *old_aci = old_data;
 
-	memcpy(new_desc, old_desc, sizeof(rsbac_uid_t));
+	*((rsbac_uid_t *)new_desc) = *((rsbac_old_uid_t *)old_desc);
 	new_aci->security_level = old_aci->access_appr;
 	new_aci->initial_security_level = old_aci->access_appr;
 	new_aci->min_security_level = SL_unclassified;
@@ -900,14 +912,16 @@
 	return 0;
 }
 
-rsbac_list_conv_function_t *mac_user_get_conv(rsbac_version_t old_version)
+static rsbac_list_conv_function_t *mac_user_get_conv(rsbac_version_t old_version)
 {
 	switch (old_version) {
 	case RSBAC_MAC_USER_OLD_ACI_VERSION:
+		return mac_user_conv;
+	case RSBAC_MAC_USER_OLD_OLD_ACI_VERSION:
 		return mac_old_user_conv;
-	case RSBAC_MAC_USER_OLD_OLD_ACI_VERSION:
+	case RSBAC_MAC_USER_OLD_OLD_OLD_ACI_VERSION:
 		return mac_old_old_user_conv;
-	case RSBAC_MAC_USER_OLD_OLD_OLD_ACI_VERSION:
+	case RSBAC_MAC_USER_OLD_OLD_OLD_OLD_ACI_VERSION:
 		return mac_old_old_old_user_conv;
 	default:
 		return NULL;
@@ -929,7 +943,7 @@
 	return 0;
 }
 
-rsbac_list_conv_function_t *pm_dev_get_conv(rsbac_version_t old_version)
+static rsbac_list_conv_function_t *pm_dev_get_conv(rsbac_version_t old_version)
 {
 	switch (old_version) {
 	case RSBAC_PM_DEV_OLD_ACI_VERSION:
@@ -938,8 +952,94 @@
 		return NULL;
 	}
 }
+static int pm_user_conv(void *old_desc,
+			     void *old_data,
+			     void *new_desc, void *new_data)
+{
+	*((rsbac_uid_t *)new_desc) = *((rsbac_old_uid_t *)old_desc);
+	memcpy(new_data, old_data, sizeof(struct rsbac_pm_user_aci_t));
+	return 0;
+}
+
+static rsbac_list_conv_function_t *pm_user_get_conv(rsbac_version_t old_version)
+{
+	switch (old_version) {
+	case RSBAC_PM_USER_OLD_ACI_VERSION:
+		return pm_user_conv;
+	default:
+		return NULL;
+	}
+}
 #endif
 
+#ifdef CONFIG_RSBAC_DAZ
+static int daz_old_fd_conv(
+	void * old_desc,
+	void * old_data,
+	void * new_desc,
+	void * new_data)
+  {
+    struct rsbac_daz_fd_aci_t     * new_aci = new_data;
+    struct rsbac_daz_fd_old_aci_t * old_aci = old_data;
+
+    memcpy(new_desc, old_desc, sizeof(rsbac_inode_nr_t));
+    new_aci->daz_scanner = old_aci->daz_scanner;
+    new_aci->daz_do_scan = DEFAULT_DAZ_FD_DO_SCAN;
+    return 0;
+  }
+
+static rsbac_list_conv_function_t * daz_fd_get_conv(rsbac_version_t old_version)
+  {
+    switch(old_version)
+      {
+        case RSBAC_DAZ_FD_OLD_ACI_VERSION:
+          return daz_old_fd_conv;
+        default:
+          return NULL;
+      }
+  }
+
+static int daz_user_conv(void *old_desc,
+			     void *old_data,
+			     void *new_desc, void *new_data)
+{
+	*((rsbac_uid_t *)new_desc) = *((rsbac_old_uid_t *)old_desc);
+	memcpy(new_data, old_data, sizeof(rsbac_system_role_int_t));
+	return 0;
+}
+
+static rsbac_list_conv_function_t *daz_user_get_conv(rsbac_version_t old_version)
+{
+	switch (old_version) {
+	case RSBAC_DAZ_USER_OLD_ACI_VERSION:
+		return daz_user_conv;
+	default:
+		return NULL;
+	}
+}
+#endif
+
+#ifdef CONFIG_RSBAC_FF
+static int ff_user_conv(void *old_desc,
+			     void *old_data,
+			     void *new_desc, void *new_data)
+{
+	*((rsbac_uid_t *)new_desc) = *((rsbac_old_uid_t *)old_desc);
+	memcpy(new_data, old_data, sizeof(rsbac_system_role_int_t));
+	return 0;
+}
+
+static rsbac_list_conv_function_t *ff_user_get_conv(rsbac_version_t old_version)
+{
+	switch (old_version) {
+	case RSBAC_FF_USER_OLD_ACI_VERSION:
+		return ff_user_conv;
+	default:
+		return NULL;
+	}
+}
+#endif
+
 #ifdef CONFIG_RSBAC_RC
 static int rc_dev_conv(void *old_desc,
 		       void *old_data, void *new_desc, void *new_data)
@@ -954,7 +1054,7 @@
 	return 0;
 }
 
-rsbac_list_conv_function_t *rc_dev_get_conv(rsbac_version_t old_version)
+static rsbac_list_conv_function_t *rc_dev_get_conv(rsbac_version_t old_version)
 {
 	switch (old_version) {
 	case RSBAC_RC_DEV_OLD_ACI_VERSION:
@@ -965,22 +1065,33 @@
 }
 
 static int rc_user_conv(void *old_desc,
+			     void *old_data,
+			     void *new_desc, void *new_data)
+{
+	*((rsbac_uid_t *)new_desc) = *((rsbac_old_uid_t *)old_desc);
+	memcpy(new_data, old_data, sizeof(struct rsbac_rc_user_aci_t));
+	return 0;
+}
+
+static int rc_user_old_conv(void *old_desc,
 			void *old_data, void *new_desc, void *new_data)
 {
 	struct rsbac_rc_user_aci_t *new_aci = new_data;
 	rsbac_rc_role_id_t *old_aci = old_data;
 
-	memcpy(new_desc, old_desc, sizeof(rsbac_uid_t));
+	*((rsbac_uid_t *)new_desc) = *((rsbac_old_uid_t *)old_desc);
 	new_aci->rc_role = *old_aci;
 	new_aci->rc_type = RSBAC_RC_GENERAL_TYPE;
 	return 0;
 }
 
-rsbac_list_conv_function_t *rc_user_get_conv(rsbac_version_t old_version)
+static rsbac_list_conv_function_t *rc_user_get_conv(rsbac_version_t old_version)
 {
 	switch (old_version) {
 	case RSBAC_RC_USER_OLD_ACI_VERSION:
 		return rc_user_conv;
+	case RSBAC_RC_USER_OLD_OLD_ACI_VERSION:
+		return rc_user_old_conv;
 	default:
 		return NULL;
 	}
@@ -1001,7 +1112,7 @@
 	return 0;
 }
 
-rsbac_list_conv_function_t *auth_fd_get_conv(rsbac_version_t old_version)
+static rsbac_list_conv_function_t *auth_fd_get_conv(rsbac_version_t old_version)
 {
 	switch (old_version) {
 	case RSBAC_AUTH_FD_OLD_ACI_VERSION:
@@ -1011,34 +1122,24 @@
 	}
 }
 
-#endif
+static int auth_user_conv(void *old_desc,
+			     void *old_data,
+			     void *new_desc, void *new_data)
+{
+	*((rsbac_uid_t *)new_desc) = *((rsbac_old_uid_t *)old_desc);
+	memcpy(new_data, old_data, sizeof(rsbac_system_role_int_t));
+	return 0;
+}
 
-#ifdef CONFIG_RSBAC_DAZ
-static int daz_old_fd_conv(
-	void * old_desc,
-	void * old_data,
-	void * new_desc,
-	void * new_data)
-  {
-    struct rsbac_daz_fd_aci_t     * new_aci = new_data;
-    struct rsbac_daz_fd_old_aci_t * old_aci = old_data;
-
-    memcpy(new_desc, old_desc, sizeof(rsbac_inode_nr_t));
-    new_aci->daz_scanner = old_aci->daz_scanner;
-    new_aci->daz_do_scan = DEFAULT_DAZ_FD_DO_SCAN;
-    return 0;
-  }
-
-rsbac_list_conv_function_t * daz_fd_get_conv(rsbac_version_t old_version)
-  {
-    switch(old_version)
-      {
-        case RSBAC_DAZ_FD_OLD_ACI_VERSION:
-          return daz_old_fd_conv;
-        default:
-          return NULL;
-      }
-  }
+static rsbac_list_conv_function_t *auth_user_get_conv(rsbac_version_t old_version)
+{
+	switch (old_version) {
+	case RSBAC_AUTH_USER_OLD_ACI_VERSION:
+		return auth_user_conv;
+	default:
+		return NULL;
+	}
+}
 #endif
 
 #ifdef CONFIG_RSBAC_CAP
@@ -1054,7 +1155,7 @@
 	return 0;
 }
 
-rsbac_list_conv_function_t *cap_fd_get_conv(rsbac_version_t old_version)
+static rsbac_list_conv_function_t *cap_fd_get_conv(rsbac_version_t old_version)
 {
 	switch (old_version) {
 	case RSBAC_CAP_FD_OLD_ACI_VERSION:
@@ -1064,12 +1165,21 @@
 	}
 }
 
+static int cap_user_conv(void *old_desc,
+			     void *old_data,
+			     void *new_desc, void *new_data)
+{
+	*((rsbac_uid_t *)new_desc) = *((rsbac_old_uid_t *)old_desc);
+	memcpy(new_data, old_data, sizeof(struct rsbac_cap_user_aci_t));
+	return 0;
+}
+
 static int cap_old_user_conv(void *old_desc, void *old_data, void *new_desc, void *new_data)
 {
 	struct rsbac_cap_user_aci_t *new_aci = new_data;
 	struct rsbac_cap_user_old_aci_t *old_aci = old_data;
 
-        memcpy(new_desc, old_desc, sizeof(rsbac_inode_nr_t));
+	*((rsbac_uid_t *)new_desc) = *((rsbac_old_uid_t *)old_desc);
 	new_aci->cap_role = old_aci->cap_role;
 	new_aci->min_caps = old_aci->min_caps;
 	new_aci->max_caps = old_aci->max_caps;
@@ -1077,10 +1187,12 @@
 	return 0;
 }
 
-rsbac_list_conv_function_t *cap_user_get_conv(rsbac_version_t old_version)
+static rsbac_list_conv_function_t *cap_user_get_conv(rsbac_version_t old_version)
 {
 	switch (old_version) {
 		case RSBAC_CAP_USER_OLD_ACI_VERSION:
+			return cap_user_conv;
+		case RSBAC_CAP_USER_OLD_OLD_ACI_VERSION:
 			return cap_old_user_conv;
 		default:
 			return NULL;
@@ -1088,6 +1200,70 @@
 }
 #endif
 
+#ifdef CONFIG_RSBAC_JAIL
+static int jail_user_conv(void *old_desc,
+			     void *old_data,
+			     void *new_desc, void *new_data)
+{
+	*((rsbac_uid_t *)new_desc) = *((rsbac_old_uid_t *)old_desc);
+	memcpy(new_data, old_data, sizeof(rsbac_system_role_int_t));
+	return 0;
+}
+
+static rsbac_list_conv_function_t *jail_user_get_conv(rsbac_version_t old_version)
+{
+	switch (old_version) {
+	case RSBAC_JAIL_USER_OLD_ACI_VERSION:
+		return jail_user_conv;
+	default:
+		return NULL;
+	}
+}
+#endif
+
+#ifdef CONFIG_RSBAC_PAX
+static int pax_user_conv(void *old_desc,
+			     void *old_data,
+			     void *new_desc, void *new_data)
+{
+	*((rsbac_uid_t *)new_desc) = *((rsbac_old_uid_t *)old_desc);
+	memcpy(new_data, old_data, sizeof(rsbac_system_role_int_t));
+	return 0;
+}
+
+static rsbac_list_conv_function_t *pax_user_get_conv(rsbac_version_t old_version)
+{
+	switch (old_version) {
+	case RSBAC_PAX_USER_OLD_ACI_VERSION:
+		return pax_user_conv;
+	default:
+		return NULL;
+	}
+}
+#endif
+
+#ifdef CONFIG_RSBAC_RES
+static int res_user_conv(void *old_desc,
+			     void *old_data,
+			     void *new_desc, void *new_data)
+{
+	*((rsbac_uid_t *)new_desc) = *((rsbac_old_uid_t *)old_desc);
+	memcpy(new_data, old_data, sizeof(struct rsbac_res_user_aci_t));
+	return 0;
+}
+
+static rsbac_list_conv_function_t *res_user_get_conv(rsbac_version_t old_version)
+{
+	switch (old_version) {
+	case RSBAC_RES_USER_OLD_ACI_VERSION:
+		return res_user_conv;
+	default:
+		return NULL;
+	}
+}
+#endif
+
+
 #ifdef CONFIG_RSBAC_NET_OBJ
 static int net_temp_old_conv(void *old_desc, void *old_data, void *new_desc, void *new_data)
 {
@@ -1123,7 +1299,7 @@
 }
 
 
-rsbac_list_conv_function_t *net_temp_get_conv(rsbac_version_t old_version)
+static rsbac_list_conv_function_t *net_temp_get_conv(rsbac_version_t old_version)
 {
 	switch (old_version) {
 		case RSBAC_NET_TEMP_OLD_VERSION:
@@ -4085,6 +4261,31 @@
 	if (pos > offset + length)
 		goto out;
 
+	len +=
+	    sprintf(buffer + len,
+		    "Syscall counts\n-------------\n");
+	pos = begin + len;
+	if (pos < offset) {
+		len = 0;
+		begin = pos;
+	}
+	if (pos > offset + length)
+		goto out;
+
+	for (i = 0; i < RSYS_none; i++) {
+		get_syscall_name(name, i);
+		name[30] = 0;
+		len += sprintf(buffer + len, "%-25s %llu\n",
+		               name, syscall_count[i]);
+		pos = begin + len;
+		if (pos < offset) {
+			len = 0;
+			begin = pos;
+		}
+		if (pos > offset + length)
+			goto out;
+	}
+
 	len += sprintf(buffer + len,
 		       "\n\nData Structures:\nrsbac_get_attr calls:\nfile: %lu, dir: %lu, fifo: %lu, symlink: %lu, dev: %lu, ipc: %lu, scd: %lu, user: %lu, process: %lu, netdev: %lu, nettemp: %lu, netobj: %lu, group: %lu, unixsock: %lu\n",
 		       get_attr_count[T_FILE],
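Review bot: `name[30] = 0;` in the new loop stores at a fixed index into `name`, which is declared outside the hunk, so the write is in bounds only if that buffer holds at least 31 bytes. If `name` is an array local to this function, `name[sizeof(name) - 1] = 0;` keeps the terminator tied to the real size. `syscall_count[i]` is a `__u64` printed with `%llu`; on ports where `__u64` is `unsigned long` the types do not match, so the argument should be cast as `(unsigned long long) syscall_count[i]`. The enclosing function starts and ends outside the hunk.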
@@ -5986,7 +6187,8 @@
 #endif
 					  RSBAC_LIST_PERSIST |
 					  RSBAC_LIST_DEF_DATA | RSBAC_LIST_AUTO_HASH_RESIZE,
-					  NULL, NULL,
+					  NULL,
+					  gen_user_get_conv,
 					  &def_aci,
 					  RSBAC_GEN_ACI_USER_NAME,
 					  RSBAC_AUTO_DEV,
@@ -6067,7 +6269,8 @@
 #endif
 					  RSBAC_LIST_PERSIST |
 					  RSBAC_LIST_DEF_DATA | RSBAC_LIST_AUTO_HASH_RESIZE,
-					  NULL, NULL,
+					  NULL,
+					  pm_user_get_conv,
 					  &def_aci, RSBAC_PM_ACI_USER_NAME,
 					  RSBAC_AUTO_DEV,
 					  1,
@@ -6124,7 +6327,8 @@
 #endif
 					  RSBAC_LIST_PERSIST |
 					  RSBAC_LIST_DEF_DATA,
-					  NULL, NULL,
+					  NULL,
+					  daz_user_get_conv,
 					  &def_aci,
 					  RSBAC_DAZ_ACI_USER_NAME,
 					  RSBAC_AUTO_DEV);
@@ -6164,7 +6368,8 @@
 #endif
 					  RSBAC_LIST_PERSIST |
 					  RSBAC_LIST_DEF_DATA,
-					  NULL, NULL,
+					  NULL,
+					  ff_user_get_conv,
 					  &def_aci, RSBAC_FF_ACI_USER_NAME,
 					  RSBAC_AUTO_DEV);
 		if (err) {
@@ -6334,7 +6539,8 @@
 #endif
 					  RSBAC_LIST_PERSIST |
 					  RSBAC_LIST_DEF_DATA,
-					  NULL, NULL,
+					  NULL,
+					  auth_user_get_conv,
 					  &def_aci,
 					  RSBAC_AUTH_ACI_USER_NAME,
 					  RSBAC_AUTO_DEV);
@@ -6381,7 +6587,8 @@
 #endif
 					  RSBAC_LIST_PERSIST |
 					  RSBAC_LIST_DEF_DATA,
-					  NULL, NULL,
+					  NULL,
+					  jail_user_get_conv,
 					  &def_aci,
 					  RSBAC_JAIL_ACI_USER_NAME,
 					  RSBAC_AUTO_DEV);
@@ -6422,8 +6629,8 @@
 #endif
 					  RSBAC_LIST_PERSIST,
 					  NULL,
+					  res_user_get_conv,
 					  NULL,
-					  NULL,
 					  RSBAC_RES_ACI_USER_NAME,
 					  RSBAC_AUTO_DEV);
 		if (err) {
@@ -6466,7 +6673,8 @@
 #endif
 					  RSBAC_LIST_PERSIST |
 					  RSBAC_LIST_DEF_DATA,
-					  NULL, NULL,
+					  NULL,
+					  pax_user_get_conv,
 					  &def_aci,
 					  RSBAC_PAX_ACI_USER_NAME,
 					  RSBAC_AUTO_DEV);
@@ -9410,6 +9618,10 @@
 					value->auid_exempt =
 					    aci.auid_exempt;
 					break;
+				case A_vset:
+					value->vset =
+					    aci.vset;
+					break;
 				default:
 					err = -RSBAC_EINVALIDATTR;
 				}
@@ -10570,6 +10782,9 @@
 			case A_kernel_thread:
 				value->kernel_thread = aci.kernel_thread;
 				break;
+			case A_vset:
+				value->vset = aci.vset;
+				break;
 			default:
 				err = -RSBAC_EINVALIDATTR;
 			}
@@ -11679,6 +11894,9 @@
 			case A_auid_exempt:
 				aci.auid_exempt = value_p->auid_exempt;
 				break;
+			case A_vset:
+				aci.vset = value_p->vset;
+				break;
 			default:
 				err = -RSBAC_EINVALIDATTR;
 			}
@@ -12790,6 +13008,9 @@
 			case A_kernel_thread:
 				aci.kernel_thread = value_p->kernel_thread;
 				break;
+			case A_vset:
+				aci.vset = value_p->vset;
+				break;
 			default:
 				err = -RSBAC_EINVALIDATTR;
 			}
=== rsbac/data_structures/acl_data_structures.c
==================================================================
--- rsbac/data_structures/acl_data_structures.c	(revision 2367)
+++ rsbac/data_structures/acl_data_structures.c	(local)
@@ -1,9 +1,9 @@
 /*************************************************** */
 /* Rule Set Based Access Control                     */
 /* Implementation of ACL data structures             */
-/* Author and (c) 1999-2006: Amon Ott <ao@rsbac.org> */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /*                                                   */
-/* Last modified: 23/Nov/2006                        */
+/* Last modified: 27/Sep/2007                        */
 /*************************************************** */
 
 #include <linux/types.h>
@@ -175,6 +175,14 @@
 static int fd_conv(void *old_desc,
 		   void *old_data, void *new_desc, void *new_data)
 {
+	memcpy(new_desc, old_desc, sizeof(rsbac_inode_nr_t));
+	memcpy(new_data, old_data, sizeof(rsbac_acl_rights_vector_t));
+	return 0;
+}
+
+static int fd_old_conv(void *old_desc,
+		   void *old_data, void *new_desc, void *new_data)
+{
 	rsbac_acl_rights_vector_t *new = new_data;
 	rsbac_acl_rights_vector_t *old = old_data;
 
@@ -186,17 +194,27 @@
 	return 0;
 }
 
-rsbac_list_conv_function_t *fd_get_conv(rsbac_version_t old_version)
+static rsbac_list_conv_function_t *fd_get_conv(rsbac_version_t old_version)
 {
 	switch (old_version) {
 	case RSBAC_ACL_FD_OLD_LIST_VERSION:
 		return fd_conv;
+	case RSBAC_ACL_FD_OLD_OLD_LIST_VERSION:
+		return fd_old_conv;
 	default:
 		return NULL;
 	}
 }
 
 static int dev_conv(void *old_desc,
+		   void *old_data, void *new_desc, void *new_data)
+{
+	memcpy(new_desc, old_desc, sizeof(struct rsbac_dev_desc_t));
+	memcpy(new_data, old_data, sizeof(rsbac_acl_rights_vector_t));
+	return 0;
+}
+
+static int dev_old_conv(void *old_desc,
 		    void *old_data, void *new_desc, void *new_data)
 {
 	rsbac_acl_rights_vector_t *new = new_data;
@@ -210,7 +228,7 @@
 	return 0;
 }
 
-static int dev_old_conv(void *old_desc,
+static int dev_old_old_conv(void *old_desc,
 			void *old_data, void *new_desc, void *new_data)
 {
 	struct rsbac_dev_desc_t *new = new_desc;
@@ -230,19 +248,29 @@
 	return 0;
 }
 
-rsbac_list_conv_function_t *dev_get_conv(rsbac_version_t old_version)
+static rsbac_list_conv_function_t *dev_get_conv(rsbac_version_t old_version)
 {
 	switch (old_version) {
 	case RSBAC_ACL_DEV_OLD_LIST_VERSION:
 		return dev_conv;
 	case RSBAC_ACL_DEV_OLD_OLD_LIST_VERSION:
 		return dev_old_conv;
+	case RSBAC_ACL_DEV_OLD_OLD_OLD_LIST_VERSION:
+		return dev_old_old_conv;
 	default:
 		return NULL;
 	}
 }
 
 static int scd_conv(void *old_desc,
+		   void *old_data, void *new_desc, void *new_data)
+{
+	memcpy(new_desc, old_desc, sizeof(__u8));
+	memcpy(new_data, old_data, sizeof(rsbac_acl_rights_vector_t));
+	return 0;
+}
+
+static int scd_old_conv(void *old_desc,
 		    void *old_data, void *new_desc, void *new_data)
 {
 	rsbac_acl_rights_vector_t *new = new_data;
@@ -256,17 +284,70 @@
 	return 0;
 }
 
-rsbac_list_conv_function_t *scd_get_conv(rsbac_version_t old_version)
+static rsbac_list_conv_function_t *scd_get_conv(rsbac_version_t old_version)
 {
 	switch (old_version) {
 	case RSBAC_ACL_SCD_OLD_LIST_VERSION:
 		return scd_conv;
+	case RSBAC_ACL_SCD_OLD_OLD_LIST_VERSION:
+		return scd_old_conv;
 	default:
 		return NULL;
 	}
 }
 
+static int u_conv(void *old_desc,
+		   void *old_data, void *new_desc, void *new_data)
+{
+	rsbac_uid_t *new = new_desc;
+	rsbac_old_uid_t *old = old_desc;
+
+	*new = *old;
+	memcpy(new_data, old_data, sizeof(rsbac_acl_rights_vector_t));
+	return 0;
+}
+
+static rsbac_list_conv_function_t *u_get_conv(rsbac_version_t old_version)
+{
+	switch (old_version) {
+	case RSBAC_ACL_U_OLD_LIST_VERSION:
+		return u_conv;
+	default:
+		return NULL;
+	}
+}
+
+static int g_conv(void *old_desc,
+		   void *old_data, void *new_desc, void *new_data)
+{
+	rsbac_gid_t *new = new_desc;
+	rsbac_old_gid_t *old = old_desc;
+
+	*new = *old;
+	memcpy(new_data, old_data, sizeof(rsbac_acl_rights_vector_t));
+	return 0;
+}
+
+static rsbac_list_conv_function_t *g_get_conv(rsbac_version_t old_version)
+{
+	switch (old_version) {
+	case RSBAC_ACL_G_OLD_LIST_VERSION:
+		return g_conv;
+	default:
+		return NULL;
+	}
+}
+
+#ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
 static int netdev_conv(void *old_desc,
+		   void *old_data, void *new_desc, void *new_data)
+{
+	memcpy(new_desc, old_desc, sizeof(rsbac_netdev_id_t));
+	memcpy(new_data, old_data, sizeof(rsbac_acl_rights_vector_t));
+	return 0;
+}
+
+static int netdev_old_conv(void *old_desc,
 		       void *old_data, void *new_desc, void *new_data)
 {
 	rsbac_acl_rights_vector_t *new = new_data;
@@ -280,17 +361,28 @@
 	return 0;
 }
 
-rsbac_list_conv_function_t *netdev_get_conv(rsbac_version_t old_version)
+static rsbac_list_conv_function_t *netdev_get_conv(rsbac_version_t old_version)
 {
 	switch (old_version) {
 	case RSBAC_ACL_NETDEV_OLD_LIST_VERSION:
 		return netdev_conv;
+	case RSBAC_ACL_NETDEV_OLD_OLD_LIST_VERSION:
+		return netdev_old_conv;
 	default:
 		return NULL;
 	}
 }
+#endif
 
 static int nettemp_nt_conv(void *old_desc,
+		   void *old_data, void *new_desc, void *new_data)
+{
+	memcpy(new_desc, old_desc, sizeof(rsbac_net_temp_id_t));
+	memcpy(new_data, old_data, sizeof(rsbac_acl_rights_vector_t));
+	return 0;
+}
+
+static int nettemp_nt_old_conv(void *old_desc,
 			   void *old_data, void *new_desc, void *new_data)
 {
 	rsbac_acl_rights_vector_t *new = new_data;
@@ -304,17 +396,27 @@
 	return 0;
 }
 
-rsbac_list_conv_function_t *nettemp_nt_get_conv(rsbac_version_t
+static rsbac_list_conv_function_t *nettemp_nt_get_conv(rsbac_version_t
 						old_version)
 {
 	switch (old_version) {
 	case RSBAC_ACL_NETTEMP_NT_OLD_LIST_VERSION:
 		return nettemp_nt_conv;
+	case RSBAC_ACL_NETTEMP_NT_OLD_OLD_LIST_VERSION:
+		return nettemp_nt_old_conv;
 	default:
 		return NULL;
 	}
 }
 
+static int nettemp_old_conv(void *old_desc,
+		   void *old_data, void *new_desc, void *new_data)
+{
+	memcpy(new_desc, old_desc, sizeof(rsbac_net_temp_id_t));
+	memcpy(new_data, old_data, sizeof(rsbac_acl_rights_vector_t));
+	return 0;
+}
+
 static int nettemp_conv(void *old_desc,
 			void *old_data, void *new_desc, void *new_data)
 {
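Review bot: The new plain-copy converter is named `nettemp_old_conv` while the existing function keeps the name `nettemp_conv`, which is the reverse of `nettemp_nt_conv` / `nettemp_nt_old_conv` earlier in this hunk, where the new memcpy-only function takes the short name and the previous one is renamed `_old_`. The following hunk maps `RSBAC_ACL_NETTEMP_OLD_LIST_VERSION` to `nettemp_conv` and `RSBAC_ACL_NETTEMP_OLD_OLD_LIST_VERSION` to `nettemp_old_conv`. If `nettemp_conv`, whose body is outside the hunk, is the converter that rewrites the rights vector like its siblings, lists in the most recent old format would get the older rights conversion and the oldest format a plain copy. That would alter stored ACL rights on upgrade. Swapping the two names, so the added function starts `static int nettemp_conv(` and the existing one `static int nettemp_old_conv(`, would match the other list types.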
@@ -329,24 +431,76 @@
 	return 0;
 }
 
-rsbac_list_conv_function_t *nettemp_get_conv(rsbac_version_t old_version)
+static rsbac_list_conv_function_t *nettemp_get_conv(rsbac_version_t old_version)
 {
 	switch (old_version) {
 	case RSBAC_ACL_NETTEMP_OLD_LIST_VERSION:
 		return nettemp_conv;
+	case RSBAC_ACL_NETTEMP_OLD_OLD_LIST_VERSION:
+		return nettemp_old_conv;
 	default:
 		return NULL;
 	}
 }
 
+static int netobj_conv(void *old_desc,
+		   void *old_data, void *new_desc, void *new_data)
+{
+	memcpy(new_desc, old_desc, sizeof(rsbac_net_obj_id_t));
+	memcpy(new_data, old_data, sizeof(rsbac_acl_rights_vector_t));
+	return 0;
+}
 
+static rsbac_list_conv_function_t *netobj_get_conv(rsbac_version_t old_version)
+{
+	switch (old_version) {
+	case RSBAC_ACL_NETOBJ_OLD_LIST_VERSION:
+		return netobj_conv;
+	default:
+		return NULL;
+	}
+}
+
+static int gm_conv(void *old_desc,
+		   void *old_data, void *new_desc, void *new_data)
+{
+	*((rsbac_uid_t *) new_desc) = *((rsbac_old_uid_t *) old_desc);
+	return 0;
+}
+
+static rsbac_list_conv_function_t *gm_get_conv(rsbac_version_t old_version)
+{
+	switch (old_version) {
+	case RSBAC_ACL_GM_OLD_VERSION:
+		return gm_conv;
+	default:
+		return NULL;
+	}
+}
+
+
 static int common_subconv(void *old_desc,
 			  void *old_data, void *new_desc, void *new_data)
 {
+	struct rsbac_acl_entry_desc_t *new_d = new_desc;
+	struct rsbac_acl_old_entry_desc_t *old_d = old_desc;
+
+	memcpy(new_data, old_data, sizeof(rsbac_acl_rights_vector_t));
+	new_d->subj_type = old_d->subj_type;
+	new_d->subj_id = old_d->subj_id;
+	return 0;
+}
+
+static int common_old_subconv(void *old_desc,
+			  void *old_data, void *new_desc, void *new_data)
+{
 	rsbac_acl_rights_vector_t *new = new_data;
 	rsbac_acl_rights_vector_t *old = old_data;
+	struct rsbac_acl_entry_desc_t *new_d = new_desc;
+	struct rsbac_acl_old_entry_desc_t *old_d = old_desc;
 
-	memcpy(new_desc, old_desc, sizeof(struct rsbac_acl_entry_desc_t));
+	new_d->subj_type = old_d->subj_type;
+	new_d->subj_id = old_d->subj_id;
 	*new = (*old & RSBAC_ALL_REQUEST_VECTOR)
 	    | ((*old & ~(RSBAC_ALL_REQUEST_VECTOR)) <<
 	       (RSBAC_ACL_SPECIAL_RIGHT_BASE -
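Review bot: The version-to-converter mapping in `nettemp_get_conv` looks reversed compared with the netdev and nettemp_nt lists. Here `RSBAC_ACL_NETTEMP_OLD_LIST_VERSION` still selects the pre-existing `nettemp_conv`, and `RSBAC_ACL_NETTEMP_OLD_OLD_LIST_VERSION` selects the new plain-copy `nettemp_old_conv` added in the previous hunk, whereas `netdev_get_conv` and `nettemp_nt_get_conv` send the OLD version to the plain copy and the OLD_OLD version to the legacy `*_old_conv`. The body of `nettemp_conv` lies between hunks, so this is inferred from the pattern; if it is the rights-shifting converter, lists written by the immediately preceding version would have their rights vectors shifted again on upgrade, changing the rights stored in the ACL. Either swap the two `return` lines or rename the functions so that `nettemp_conv` is the plain copy, and check the result against the version constants in the header. The hunk ends inside `common_old_subconv`.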
@@ -354,49 +508,75 @@
 	return 0;
 }
 
-rsbac_list_conv_function_t *fd_get_subconv(rsbac_version_t old_version)
+static rsbac_list_conv_function_t *fd_get_subconv(rsbac_version_t old_version)
 {
 	switch (old_version) {
 	case RSBAC_ACL_FD_OLD_LIST_VERSION:
 		return common_subconv;
+	case RSBAC_ACL_FD_OLD_OLD_LIST_VERSION:
+		return common_old_subconv;
 	default:
 		return NULL;
 	}
 }
 
-rsbac_list_conv_function_t *dev_get_subconv(rsbac_version_t old_version)
+static rsbac_list_conv_function_t *dev_get_subconv(rsbac_version_t old_version)
 {
 	switch (old_version) {
 	case RSBAC_ACL_DEV_OLD_LIST_VERSION:
 		return common_subconv;
 	case RSBAC_ACL_DEV_OLD_OLD_LIST_VERSION:
-		return common_subconv;
+		return common_old_subconv;
 	default:
 		return NULL;
 	}
 }
 
-rsbac_list_conv_function_t *scd_get_subconv(rsbac_version_t old_version)
+static rsbac_list_conv_function_t *scd_get_subconv(rsbac_version_t old_version)
 {
 	switch (old_version) {
 	case RSBAC_ACL_SCD_OLD_LIST_VERSION:
 		return common_subconv;
+	case RSBAC_ACL_SCD_OLD_OLD_LIST_VERSION:
+		return common_old_subconv;
 	default:
 		return NULL;
 	}
 }
 
-rsbac_list_conv_function_t *netdev_get_subconv(rsbac_version_t old_version)
+static rsbac_list_conv_function_t *u_get_subconv(rsbac_version_t old_version)
 {
 	switch (old_version) {
+	case RSBAC_ACL_U_OLD_LIST_VERSION:
+		return common_subconv;
+	default:
+		return NULL;
+	}
+}
+
+static rsbac_list_conv_function_t *g_get_subconv(rsbac_version_t old_version)
+{
+	switch (old_version) {
+	case RSBAC_ACL_G_OLD_LIST_VERSION:
+		return common_subconv;
+	default:
+		return NULL;
+	}
+}
+
+#ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
+static rsbac_list_conv_function_t *netdev_get_subconv(rsbac_version_t old_version)
+{
+	switch (old_version) {
 	case RSBAC_ACL_NETDEV_OLD_LIST_VERSION:
 		return common_subconv;
 	default:
 		return NULL;
 	}
 }
+#endif
 
-rsbac_list_conv_function_t *nettemp_nt_get_subconv(rsbac_version_t
+static rsbac_list_conv_function_t *nettemp_nt_get_subconv(rsbac_version_t
 						   old_version)
 {
 	switch (old_version) {
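Review bot: `netdev_get_subconv` gains no case for `RSBAC_ACL_NETDEV_OLD_OLD_LIST_VERSION`, although `netdev_get_conv` now handles that version and `fd_get_subconv`, `dev_get_subconv` and `scd_get_subconv` in this hunk all map their OLD_OLD version to `common_old_subconv`. For a netdev list at that version the getter returns NULL for the sub-items; what the list code does with a NULL converter is outside the diff, but the sub-entries would at least miss the rights-vector shift that `common_old_subconv` applies. Adding `case RSBAC_ACL_NETDEV_OLD_OLD_LIST_VERSION: return common_old_subconv;` would bring it in line with the others. `nettemp_nt_get_subconv` and `nettemp_get_subconv` receive only the `static` change here and in the next hunks and may need the same check; their case lists are not visible.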
@@ -407,7 +587,7 @@
 	}
 }
 
-rsbac_list_conv_function_t *nettemp_get_subconv(rsbac_version_t
+static rsbac_list_conv_function_t *nettemp_get_subconv(rsbac_version_t
 						old_version)
 {
 	switch (old_version) {
@@ -418,104 +598,155 @@
 	}
 }
 
-rsbac_list_conv_function_t *def_fd_get_conv(rsbac_version_t old_version)
+static rsbac_list_conv_function_t *netobj_get_subconv(rsbac_version_t
+						old_version)
 {
 	switch (old_version) {
+	case RSBAC_ACL_NETOBJ_OLD_LIST_VERSION:
+		return common_subconv;
+	default:
+		return NULL;
+	}
+}
+
+static int gm_subconv(void *old_desc,
+			  void *old_data, void *new_desc, void *new_data)
+{
+	memcpy(new_desc, old_desc, sizeof(rsbac_acl_group_id_t));
+	return 0;
+}
+
+static rsbac_list_conv_function_t *gm_get_subconv(rsbac_version_t
+						old_version)
+{
+	switch (old_version) {
+	case RSBAC_ACL_GM_OLD_VERSION:
+		return gm_subconv;
+	default:
+		return NULL;
+	}
+}
+
+static rsbac_list_conv_function_t *def_fd_get_conv(rsbac_version_t old_version)
+{
+	switch (old_version) {
 	case RSBAC_ACL_DEF_FD_OLD_LIST_VERSION:
 		return common_subconv;
+	case RSBAC_ACL_DEF_FD_OLD_OLD_LIST_VERSION:
+		return common_old_subconv;
 	default:
 		return NULL;
 	}
 }
 
-rsbac_list_conv_function_t *def_dev_get_conv(rsbac_version_t old_version)
+static rsbac_list_conv_function_t *def_dev_get_conv(rsbac_version_t old_version)
 {
 	switch (old_version) {
 	case RSBAC_ACL_DEF_DEV_OLD_LIST_VERSION:
 		return common_subconv;
+	case RSBAC_ACL_DEF_DEV_OLD_OLD_LIST_VERSION:
+		return common_old_subconv;
 	default:
 		return NULL;
 	}
 }
 
-rsbac_list_conv_function_t *def_ipc_get_conv(rsbac_version_t old_version)
+static rsbac_list_conv_function_t *def_ipc_get_conv(rsbac_version_t old_version)
 {
 	switch (old_version) {
 	case RSBAC_ACL_DEF_IPC_OLD_LIST_VERSION:
 		return common_subconv;
+	case RSBAC_ACL_DEF_IPC_OLD_OLD_LIST_VERSION:
+		return common_old_subconv;
 	default:
 		return NULL;
 	}
 }
 
-rsbac_list_conv_function_t *def_scd_get_conv(rsbac_version_t old_version)
+static rsbac_list_conv_function_t *def_scd_get_conv(rsbac_version_t old_version)
 {
 	switch (old_version) {
 	case RSBAC_ACL_DEF_SCD_OLD_LIST_VERSION:
 		return common_subconv;
+	case RSBAC_ACL_DEF_SCD_OLD_OLD_LIST_VERSION:
+		return common_old_subconv;
 	default:
 		return NULL;
 	}
 }
 
-rsbac_list_conv_function_t *def_u_get_conv(rsbac_version_t old_version)
+static rsbac_list_conv_function_t *def_u_get_conv(rsbac_version_t old_version)
 {
 	switch (old_version) {
 	case RSBAC_ACL_DEF_U_OLD_LIST_VERSION:
 		return common_subconv;
+	case RSBAC_ACL_DEF_U_OLD_OLD_LIST_VERSION:
+		return common_old_subconv;
 	default:
 		return NULL;
 	}
 }
 
-rsbac_list_conv_function_t *def_p_get_conv(rsbac_version_t old_version)
+static rsbac_list_conv_function_t *def_p_get_conv(rsbac_version_t old_version)
 {
 	switch (old_version) {
 	case RSBAC_ACL_DEF_P_OLD_LIST_VERSION:
 		return common_subconv;
+	case RSBAC_ACL_DEF_P_OLD_OLD_LIST_VERSION:
+		return common_old_subconv;
 	default:
 		return NULL;
 	}
 }
 
-rsbac_list_conv_function_t *def_g_get_conv(rsbac_version_t old_version)
+static rsbac_list_conv_function_t *def_g_get_conv(rsbac_version_t old_version)
 {
 	switch (old_version) {
 	case RSBAC_ACL_DEF_G_OLD_LIST_VERSION:
 		return common_subconv;
+	case RSBAC_ACL_DEF_G_OLD_OLD_LIST_VERSION:
+		return common_old_subconv;
 	default:
 		return NULL;
 	}
 }
 
-rsbac_list_conv_function_t *def_netdev_get_conv(rsbac_version_t
+#ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
+static rsbac_list_conv_function_t *def_netdev_get_conv(rsbac_version_t
 						old_version)
 {
 	switch (old_version) {
 	case RSBAC_ACL_DEF_NETDEV_OLD_LIST_VERSION:
 		return common_subconv;
+	case RSBAC_ACL_DEF_NETDEV_OLD_OLD_LIST_VERSION:
+		return common_old_subconv;
 	default:
 		return NULL;
 	}
 }
+#endif
 
-rsbac_list_conv_function_t *def_nettemp_nt_get_conv(rsbac_version_t
+static rsbac_list_conv_function_t *def_nettemp_nt_get_conv(rsbac_version_t
 						    old_version)
 {
 	switch (old_version) {
 	case RSBAC_ACL_DEF_NETTEMP_NT_OLD_LIST_VERSION:
 		return common_subconv;
+	case RSBAC_ACL_DEF_NETTEMP_NT_OLD_OLD_LIST_VERSION:
+		return common_old_subconv;
 	default:
 		return NULL;
 	}
 }
 
-rsbac_list_conv_function_t *def_netobj_get_conv(rsbac_version_t
+static rsbac_list_conv_function_t *def_netobj_get_conv(rsbac_version_t
 						old_version)
 {
 	switch (old_version) {
 	case RSBAC_ACL_DEF_NETOBJ_OLD_LIST_VERSION:
 		return common_subconv;
+	case RSBAC_ACL_DEF_NETOBJ_OLD_OLD_LIST_VERSION:
+		return common_old_subconv;
 	default:
 		return NULL;
 	}
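Review bot: `gm_subconv` converts only the descriptor and never writes `new_data`, with no comment saying why; the same holds for `gm_conv` in the previous hunk. If group-membership items carry no data part this is correct, but that cannot be seen from the hunk, so a comment such as `/* GM items have no data part: only the descriptor is converted */` above each function would record the assumption once it is confirmed against the list registration. It would also help to say that the sub-descriptor is copied unchanged because only the user id in the main descriptor changed type. The enclosing `def_netobj_get_conv` closes outside the hunk.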
@@ -1152,12 +1383,21 @@
 				    (void **) &sub_desc_p);
 	if (tmp_count > 0) {
 		for (i = 0; i < tmp_count; i++) {
-			len += sprintf(buffer + len, " %s %u,",
+			if (RSBAC_UID_SET(sub_desc_p[i].subj_id))
+				len += sprintf(buffer + len, " %s %u/%u,",
 				       get_acl_subject_type_name(tmp1,
 								 sub_desc_p
 								 [i].
 								 subj_type),
-				       sub_desc_p[i].subj_id);
+				       RSBAC_UID_SET(sub_desc_p[i].subj_id),
+				       RSBAC_UID_NUM(sub_desc_p[i].subj_id));
+			else
+				len += sprintf(buffer + len, " %s %u,",
+				       get_acl_subject_type_name(tmp1,
+								 sub_desc_p
+								 [i].
+								 subj_type),
+				       RSBAC_UID_NUM(sub_desc_p[i].subj_id));
 			pos = begin + len;
 			if (pos < offset) {
 				len = 0;
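Review bot: The nine-line `if (RSBAC_UID_SET(...)) ... else ...` block added here is pasted unchanged into the nine hunks that follow (through `@@ -1479,12 +1791,21 @@`), so any later change to the output format has to be made ten times. A small static helper that formats one subject would keep both format strings in one place. It is also the natural place to bound the write, since `sprintf` has no limit and the `%u/%u` form makes each entry longer; the size of `buffer` is not visible in the hunk. The sketch assumes `sub_desc_p` points to `struct rsbac_acl_entry_desc_t` and that `tmp1` is a `char` buffer; each call site becomes `len += acl_sprint_subject(buffer + len, tmp1, &sub_desc_p[i]);`. The enclosing function starts and ends outside the hunk.

```c
/* Format one ACL subject as " <type> <set>/<num>," or " <type> <num>,". */
static int acl_sprint_subject(char *buf, char *tmp,
			      const struct rsbac_acl_entry_desc_t *desc)
{
	if (RSBAC_UID_SET(desc->subj_id))
		return sprintf(buf, " %s %u/%u,",
			       get_acl_subject_type_name(tmp, desc->subj_type),
			       RSBAC_UID_SET(desc->subj_id),
			       RSBAC_UID_NUM(desc->subj_id));
	return sprintf(buf, " %s %u,",
		       get_acl_subject_type_name(tmp, desc->subj_type),
		       RSBAC_UID_NUM(desc->subj_id));
}
```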
@@ -1188,12 +1428,21 @@
 				    (void **) &sub_desc_p);
 	if (tmp_count > 0) {
 		for (i = 0; i < tmp_count; i++) {
-			len += sprintf(buffer + len, " %s %u,",
+			if (RSBAC_UID_SET(sub_desc_p[i].subj_id))
+				len += sprintf(buffer + len, " %s %u/%u,",
 				       get_acl_subject_type_name(tmp1,
 								 sub_desc_p
 								 [i].
 								 subj_type),
-				       sub_desc_p[i].subj_id);
+				       RSBAC_UID_SET(sub_desc_p[i].subj_id),
+				       RSBAC_UID_NUM(sub_desc_p[i].subj_id));
+			else
+				len += sprintf(buffer + len, " %s %u,",
+				       get_acl_subject_type_name(tmp1,
+								 sub_desc_p
+								 [i].
+								 subj_type),
+				       RSBAC_UID_NUM(sub_desc_p[i].subj_id));
 			pos = begin + len;
 			if (pos < offset) {
 				len = 0;
@@ -1224,12 +1473,21 @@
 				    (void **) &sub_desc_p);
 	if (tmp_count > 0) {
 		for (i = 0; i < tmp_count; i++) {
-			len += sprintf(buffer + len, " %s %u,",
+			if (RSBAC_UID_SET(sub_desc_p[i].subj_id))
+				len += sprintf(buffer + len, " %s %u/%u,",
 				       get_acl_subject_type_name(tmp1,
 								 sub_desc_p
 								 [i].
 								 subj_type),
-				       sub_desc_p[i].subj_id);
+				       RSBAC_UID_SET(sub_desc_p[i].subj_id),
+				       RSBAC_UID_NUM(sub_desc_p[i].subj_id));
+			else
+				len += sprintf(buffer + len, " %s %u,",
+				       get_acl_subject_type_name(tmp1,
+								 sub_desc_p
+								 [i].
+								 subj_type),
+				       RSBAC_UID_NUM(sub_desc_p[i].subj_id));
 			pos = begin + len;
 			if (pos < offset) {
 				len = 0;
@@ -1260,12 +1518,21 @@
 				    (void **) &sub_desc_p);
 	if (tmp_count > 0) {
 		for (i = 0; i < tmp_count; i++) {
-			len += sprintf(buffer + len, " %s %u,",
+			if (RSBAC_UID_SET(sub_desc_p[i].subj_id))
+				len += sprintf(buffer + len, " %s %u/%u,",
 				       get_acl_subject_type_name(tmp1,
 								 sub_desc_p
 								 [i].
 								 subj_type),
-				       sub_desc_p[i].subj_id);
+				       RSBAC_UID_SET(sub_desc_p[i].subj_id),
+				       RSBAC_UID_NUM(sub_desc_p[i].subj_id));
+			else
+				len += sprintf(buffer + len, " %s %u,",
+				       get_acl_subject_type_name(tmp1,
+								 sub_desc_p
+								 [i].
+								 subj_type),
+				       RSBAC_UID_NUM(sub_desc_p[i].subj_id));
 			pos = begin + len;
 			if (pos < offset) {
 				len = 0;
@@ -1296,12 +1563,21 @@
 				    (void **) &sub_desc_p);
 	if (tmp_count > 0) {
 		for (i = 0; i < tmp_count; i++) {
-			len += sprintf(buffer + len, " %s %u,",
+			if (RSBAC_UID_SET(sub_desc_p[i].subj_id))
+				len += sprintf(buffer + len, " %s %u/%u,",
 				       get_acl_subject_type_name(tmp1,
 								 sub_desc_p
 								 [i].
 								 subj_type),
-				       sub_desc_p[i].subj_id);
+				       RSBAC_UID_SET(sub_desc_p[i].subj_id),
+				       RSBAC_UID_NUM(sub_desc_p[i].subj_id));
+			else
+				len += sprintf(buffer + len, " %s %u,",
+				       get_acl_subject_type_name(tmp1,
+								 sub_desc_p
+								 [i].
+								 subj_type),
+				       RSBAC_UID_NUM(sub_desc_p[i].subj_id));
 			pos = begin + len;
 			if (pos < offset) {
 				len = 0;
@@ -1332,12 +1608,21 @@
 				    (void **) &sub_desc_p);
 	if (tmp_count > 0) {
 		for (i = 0; i < tmp_count; i++) {
-			len += sprintf(buffer + len, " %s %u,",
+			if (RSBAC_UID_SET(sub_desc_p[i].subj_id))
+				len += sprintf(buffer + len, " %s %u/%u,",
 				       get_acl_subject_type_name(tmp1,
 								 sub_desc_p
 								 [i].
 								 subj_type),
-				       sub_desc_p[i].subj_id);
+				       RSBAC_UID_SET(sub_desc_p[i].subj_id),
+				       RSBAC_UID_NUM(sub_desc_p[i].subj_id));
+			else
+				len += sprintf(buffer + len, " %s %u,",
+				       get_acl_subject_type_name(tmp1,
+								 sub_desc_p
+								 [i].
+								 subj_type),
+				       RSBAC_UID_NUM(sub_desc_p[i].subj_id));
 			pos = begin + len;
 			if (pos < offset) {
 				len = 0;
@@ -1368,12 +1653,21 @@
 				    (void **) &sub_desc_p);
 	if (tmp_count > 0) {
 		for (i = 0; i < tmp_count; i++) {
-			len += sprintf(buffer + len, " %s %u,",
+			if (RSBAC_UID_SET(sub_desc_p[i].subj_id))
+				len += sprintf(buffer + len, " %s %u/%u,",
 				       get_acl_subject_type_name(tmp1,
 								 sub_desc_p
 								 [i].
 								 subj_type),
-				       sub_desc_p[i].subj_id);
+				       RSBAC_UID_SET(sub_desc_p[i].subj_id),
+				       RSBAC_UID_NUM(sub_desc_p[i].subj_id));
+			else
+				len += sprintf(buffer + len, " %s %u,",
+				       get_acl_subject_type_name(tmp1,
+								 sub_desc_p
+								 [i].
+								 subj_type),
+				       RSBAC_UID_NUM(sub_desc_p[i].subj_id));
 			pos = begin + len;
 			if (pos < offset) {
 				len = 0;
@@ -1406,12 +1700,21 @@
 				    (void **) &sub_desc_p);
 	if (tmp_count > 0) {
 		for (i = 0; i < tmp_count; i++) {
-			len += sprintf(buffer + len, " %s %u,",
+			if (RSBAC_UID_SET(sub_desc_p[i].subj_id))
+				len += sprintf(buffer + len, " %s %u/%u,",
 				       get_acl_subject_type_name(tmp1,
 								 sub_desc_p
 								 [i].
 								 subj_type),
-				       sub_desc_p[i].subj_id);
+				       RSBAC_UID_SET(sub_desc_p[i].subj_id),
+				       RSBAC_UID_NUM(sub_desc_p[i].subj_id));
+			else
+				len += sprintf(buffer + len, " %s %u,",
+				       get_acl_subject_type_name(tmp1,
+								 sub_desc_p
+								 [i].
+								 subj_type),
+				       RSBAC_UID_NUM(sub_desc_p[i].subj_id));
 			pos = begin + len;
 			if (pos < offset) {
 				len = 0;
@@ -1444,12 +1747,21 @@
 				    (void **) &sub_desc_p);
 	if (tmp_count > 0) {
 		for (i = 0; i < tmp_count; i++) {
-			len += sprintf(buffer + len, " %s %u,",
+			if (RSBAC_UID_SET(sub_desc_p[i].subj_id))
+				len += sprintf(buffer + len, " %s %u/%u,",
 				       get_acl_subject_type_name(tmp1,
 								 sub_desc_p
 								 [i].
 								 subj_type),
-				       sub_desc_p[i].subj_id);
+				       RSBAC_UID_SET(sub_desc_p[i].subj_id),
+				       RSBAC_UID_NUM(sub_desc_p[i].subj_id));
+			else
+				len += sprintf(buffer + len, " %s %u,",
+				       get_acl_subject_type_name(tmp1,
+								 sub_desc_p
+								 [i].
+								 subj_type),
+				       RSBAC_UID_NUM(sub_desc_p[i].subj_id));
 			pos = begin + len;
 			if (pos < offset) {
 				len = 0;
@@ -1479,12 +1791,21 @@
 				    (void **) &sub_desc_p);
 	if (tmp_count > 0) {
 		for (i = 0; i < tmp_count; i++) {
-			len += sprintf(buffer + len, " %s %u,",
+			if (RSBAC_UID_SET(sub_desc_p[i].subj_id))
+				len += sprintf(buffer + len, " %s %u/%u,",
 				       get_acl_subject_type_name(tmp1,
 								 sub_desc_p
 								 [i].
 								 subj_type),
-				       sub_desc_p[i].subj_id);
+				       RSBAC_UID_SET(sub_desc_p[i].subj_id),
+				       RSBAC_UID_NUM(sub_desc_p[i].subj_id));
+			else
+				len += sprintf(buffer + len, " %s %u,",
+				       get_acl_subject_type_name(tmp1,
+								 sub_desc_p
+								 [i].
+								 subj_type),
+				       RSBAC_UID_NUM(sub_desc_p[i].subj_id));
 			pos = begin + len;
 			if (pos < offset) {
 				len = 0;
@@ -1597,7 +1918,16 @@
 					for (k = 0;
 					     k < tmp_sub_count;
 					     k++) {
-						len +=
+			if (RSBAC_UID_SET(sub_desc_p[k].subj_id))
+				len += sprintf(buffer + len, " %s %u/%u,",
+				       get_acl_subject_type_name(tmp1,
+								 sub_desc_p
+								 [k].
+								 subj_type),
+				       RSBAC_UID_SET(sub_desc_p[k].subj_id),
+				       RSBAC_UID_NUM(sub_desc_p[k].subj_id));
+			else
+							len +=
 						    sprintf(buffer
 							    + len,
 							    "%s %u, ",
@@ -1606,9 +1936,9 @@
 							     sub_desc_p
 							     [k].
 							     subj_type),
-							    sub_desc_p
+							    RSBAC_UID_NUM(sub_desc_p
 							    [k].
-							    subj_id);
+							    subj_id));
 						pos = begin + len;
 						if (pos < offset) {
 							len = 0;
@@ -1709,14 +2039,23 @@
 							   &sub_desc_p);
 			if (tmp_sub_count > 0) {
 				for (j = 0; j < tmp_sub_count; j++) {
-					len +=
+					if (RSBAC_UID_SET(sub_desc_p[j].subj_id))
+						len += sprintf(buffer + len, " %s %u/%u,",
+						       get_acl_subject_type_name(tmp1,
+									 sub_desc_p
+									 [j].
+									 subj_type),
+						       RSBAC_UID_SET(sub_desc_p[j].subj_id),
+						       RSBAC_UID_NUM(sub_desc_p[j].subj_id));
+					else
+						len +=
 					    sprintf(buffer + len,
 						    "%s %u, ",
 						    get_acl_subject_type_name
 						    (tmp1,
 						     sub_desc_p[j].
 						     subj_type),
-						    sub_desc_p[j].subj_id);
+						    RSBAC_UID_NUM(sub_desc_p[j].subj_id));
 					pos = begin + len;
 					if (pos < offset) {
 						len = 0;
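Review bot: The two branches emit different separators. The added virtual-set branch writes `" %s %u/%u,"` (leading space, bare comma) while the unchanged branch writes `"%s %u, "` (no leading space, comma plus space), so entries with and without a set run together differently within the same output line. Using `"%s %u/%u, "` in the added branch keeps the list uniform for anything that parses this output. The same mismatch is in the split hunk before this one (`@@ -1597,7 +1918,16 @@`, where the added lines are also indented three tabs inside a six-tab block) and in the later `"%s %u, "` hunks of this file. The enclosing loop continues outside the hunk.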
@@ -1791,14 +2130,23 @@
 			     (void **) &sub_desc_p);
 			if (tmp_sub_count > 0) {
 				for (j = 0; j < tmp_sub_count; j++) {
-					len +=
+					if (RSBAC_UID_SET(sub_desc_p[j].subj_id))
+						len += sprintf(buffer + len, " %s %u/%u,",
+						       get_acl_subject_type_name(tmp1,
+									 sub_desc_p
+									 [j].
+									 subj_type),
+						       RSBAC_UID_SET(sub_desc_p[j].subj_id),
+						       RSBAC_UID_NUM(sub_desc_p[j].subj_id));
+					else
+						len +=
 					    sprintf(buffer + len,
 						    "%s %u, ",
 						    get_acl_subject_type_name
 						    (tmp1,
 						     sub_desc_p[j].
 						     subj_type),
-						    sub_desc_p[j].subj_id);
+						    RSBAC_UID_NUM(sub_desc_p[j].subj_id));
 					pos = begin + len;
 					if (pos < offset) {
 						len = 0;
@@ -1873,14 +2221,23 @@
 							   &sub_desc_p);
 			if (tmp_sub_count > 0) {
 				for (j = 0; j < tmp_sub_count; j++) {
-					len +=
+					if (RSBAC_UID_SET(sub_desc_p[j].subj_id))
+						len += sprintf(buffer + len, " %s %u/%u,",
+						       get_acl_subject_type_name(tmp1,
+									 sub_desc_p
+									 [j].
+									 subj_type),
+						       RSBAC_UID_SET(sub_desc_p[j].subj_id),
+						       RSBAC_UID_NUM(sub_desc_p[j].subj_id));
+					else
+						len +=
 					    sprintf(buffer + len,
 						    "%s %u, ",
 						    get_acl_subject_type_name
 						    (tmp1,
 						     sub_desc_p[j].
 						     subj_type),
-						    sub_desc_p[j].subj_id);
+						    RSBAC_UID_NUM(sub_desc_p[j].subj_id));
 					pos = begin + len;
 					if (pos < offset) {
 						len = 0;
@@ -1929,10 +2286,20 @@
 		for (i = 0; i < tmp_count; i++) {
 			if (!rsbac_list_lol_get_data
 			    (u_handle, &u_desc_p[i], &rights)) {
-				len +=
-				    sprintf(buffer + len,
+			        if (RSBAC_UID_SET(u_desc_p[i]))
+					len +=
+					    sprintf(buffer + len,
+					    "\n%u/%u\t  %3li\t%s\n\t\t",
+					    RSBAC_UID_SET(u_desc_p[i]),
+					    RSBAC_UID_NUM(u_desc_p[i]),
+					    rsbac_list_lol_subcount
+					    (u_handle, &u_desc_p[i]),
+					    u64tostracl(tmp1, rights));
+			        else
+					len +=
+					    sprintf(buffer + len,
 					    "\n%u\t  %3li\t%s\n\t\t",
-					    u_desc_p[i],
+					    RSBAC_UID_NUM(u_desc_p[i]),
 					    rsbac_list_lol_subcount
 					    (u_handle, &u_desc_p[i]),
 					    u64tostracl(tmp1, rights));
@@ -1953,14 +2320,23 @@
 							   &sub_desc_p);
 			if (tmp_sub_count > 0) {
 				for (j = 0; j < tmp_sub_count; j++) {
-					len +=
+					if (RSBAC_UID_SET(sub_desc_p[j].subj_id))
+						len += sprintf(buffer + len, " %s %u/%u,",
+						       get_acl_subject_type_name(tmp1,
+									 sub_desc_p
+									 [j].
+									 subj_type),
+						       RSBAC_UID_SET(sub_desc_p[j].subj_id),
+						       RSBAC_UID_NUM(sub_desc_p[j].subj_id));
+					else
+						len +=
 					    sprintf(buffer + len,
 						    "%s %u, ",
 						    get_acl_subject_type_name
 						    (tmp1,
 						     sub_desc_p[j].
 						     subj_type),
-						    sub_desc_p[j].subj_id);
+						    RSBAC_UID_NUM(sub_desc_p[j].subj_id));
 					pos = begin + len;
 					if (pos < offset) {
 						len = 0;
@@ -2010,10 +2386,20 @@
 		for (i = 0; i < tmp_count; i++) {
 			if (!rsbac_list_lol_get_data
 			    (g_handle, &g_desc_p[i], &rights)) {
-				len +=
-				    sprintf(buffer + len,
+			        if (RSBAC_GID_SET(g_desc_p[i]))
+					len +=
+					    sprintf(buffer + len,
+					    "\n%u/%u\t  %3li\t%s\n\t\t",
+					    RSBAC_GID_SET(g_desc_p[i]),
+					    RSBAC_GID_NUM(g_desc_p[i]),
+					    rsbac_list_lol_subcount
+					    (g_handle, &g_desc_p[i]),
+					    u64tostracl(tmp1, rights));
+			        else
+					len +=
+					    sprintf(buffer + len,
 					    "\n%u\t  %3li\t%s\n\t\t",
-					    g_desc_p[i],
+					    RSBAC_GID_NUM(g_desc_p[i]),
 					    rsbac_list_lol_subcount
 					    (g_handle, &g_desc_p[i]),
 					    u64tostracl(tmp1, rights));
@@ -2034,14 +2420,23 @@
 							   &sub_desc_p);
 			if (tmp_sub_count > 0) {
 				for (j = 0; j < tmp_sub_count; j++) {
-					len +=
+					if (RSBAC_GID_SET(sub_desc_p[j].subj_id))
+						len += sprintf(buffer + len, " %s %u/%u,",
+						       get_acl_subject_type_name(tmp1,
+									 sub_desc_p
+									 [j].
+									 subj_type),
+						       RSBAC_GID_SET(sub_desc_p[j].subj_id),
+						       RSBAC_GID_NUM(sub_desc_p[j].subj_id));
+					else
+						len +=
 					    sprintf(buffer + len,
 						    "%s %u, ",
 						    get_acl_subject_type_name
 						    (tmp1,
 						     sub_desc_p[j].
 						     subj_type),
-						    sub_desc_p[j].subj_id);
+						    RSBAC_UID_NUM(sub_desc_p[j].subj_id));
 					pos = begin + len;
 					if (pos < offset) {
 						len = 0;
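Review bot: This hunk mixes the GID and UID accessors on the same field. The condition and the first branch use `RSBAC_GID_SET`/`RSBAC_GID_NUM` on `sub_desc_p[j].subj_id`, the `else` branch uses `RSBAC_UID_NUM`, and every other sub-entry hunk in this file uses the UID macros throughout. If the two macro families are defined identically the output is unaffected, but their definitions are not visible here; if they differ, one branch decodes the subject id differently from the other. Pick one family for `subj_id`; for consistency with the other listings that would be `RSBAC_UID_SET`/`RSBAC_UID_NUM` in all three places.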
@@ -2119,14 +2514,23 @@
 							   &sub_desc_p);
 			if (tmp_sub_count > 0) {
 				for (j = 0; j < tmp_sub_count; j++) {
-					len +=
+					if (RSBAC_UID_SET(sub_desc_p[j].subj_id))
+						len += sprintf(buffer + len, " %s %u/%u,",
+						       get_acl_subject_type_name(tmp1,
+									 sub_desc_p
+									 [j].
+									 subj_type),
+						       RSBAC_UID_SET(sub_desc_p[j].subj_id),
+						       RSBAC_UID_NUM(sub_desc_p[j].subj_id));
+					else
+						len +=
 					    sprintf(buffer + len,
 						    "%s %u, ",
 						    get_acl_subject_type_name
 						    (tmp1,
 						     sub_desc_p[j].
 						     subj_type),
-						    sub_desc_p[j].subj_id);
+						    RSBAC_UID_NUM(sub_desc_p[j].subj_id));
 					pos = begin + len;
 					if (pos < offset) {
 						len = 0;
@@ -2203,14 +2607,23 @@
 			     (void **) &sub_desc_p);
 			if (tmp_sub_count > 0) {
 				for (j = 0; j < tmp_sub_count; j++) {
-					len +=
+					if (RSBAC_UID_SET(sub_desc_p[j].subj_id))
+						len += sprintf(buffer + len, " %s %u/%u,",
+						       get_acl_subject_type_name(tmp1,
+									 sub_desc_p
+									 [j].
+									 subj_type),
+						       RSBAC_UID_SET(sub_desc_p[j].subj_id),
+						       RSBAC_UID_NUM(sub_desc_p[j].subj_id));
+					else
+						len +=
 					    sprintf(buffer + len,
 						    "%s %u, ",
 						    get_acl_subject_type_name
 						    (tmp1,
 						     sub_desc_p[j].
 						     subj_type),
-						    sub_desc_p[j].subj_id);
+						    RSBAC_UID_NUM(sub_desc_p[j].subj_id));
 					pos = begin + len;
 					if (pos < offset) {
 						len = 0;
@@ -2288,14 +2701,23 @@
 							   &sub_desc_p);
 			if (tmp_sub_count > 0) {
 				for (j = 0; j < tmp_sub_count; j++) {
-					len +=
+					if (RSBAC_UID_SET(sub_desc_p[j].subj_id))
+						len += sprintf(buffer + len, " %s %u/%u,",
+						       get_acl_subject_type_name(tmp1,
+									 sub_desc_p
+									 [j].
+									 subj_type),
+						       RSBAC_UID_SET(sub_desc_p[j].subj_id),
+						       RSBAC_UID_NUM(sub_desc_p[j].subj_id));
+					else
+						len +=
 					    sprintf(buffer + len,
 						    "%s %u, ",
 						    get_acl_subject_type_name
 						    (tmp1,
 						     sub_desc_p[j].
 						     subj_type),
-						    sub_desc_p[j].subj_id);
+						    RSBAC_UID_NUM(sub_desc_p[j].subj_id));
 					pos = begin + len;
 					if (pos < offset) {
 						len = 0;
@@ -2372,14 +2794,23 @@
 							   &sub_desc_p);
 			if (tmp_sub_count > 0) {
 				for (j = 0; j < tmp_sub_count; j++) {
-					len +=
+					if (RSBAC_UID_SET(sub_desc_p[j].subj_id))
+						len += sprintf(buffer + len, " %s %u/%u,",
+						       get_acl_subject_type_name(tmp1,
+									 sub_desc_p
+									 [j].
+									 subj_type),
+						       RSBAC_UID_SET(sub_desc_p[j].subj_id),
+						       RSBAC_UID_NUM(sub_desc_p[j].subj_id));
+					else
+						len +=
 					    sprintf(buffer + len,
 						    "%s %u, ",
 						    get_acl_subject_type_name
 						    (tmp1,
 						     sub_desc_p[j].
 						     subj_type),
-						    sub_desc_p[j].subj_id);
+						    RSBAC_UID_NUM(sub_desc_p[j].subj_id));
 					pos = begin + len;
 					if (pos < offset) {
 						len = 0;
@@ -2477,10 +2908,17 @@
 				type = 'G';
 			else
 				type = 'P';
-			len +=
-			    sprintf(buffer + len, "%u\t%c    %-18s %u\n",
-				    entry_p[i].id, type, entry_p[i].name,
-				    entry_p[i].owner);
+			if (RSBAC_UID_SET(entry_p[i].owner))
+				len +=
+				    sprintf(buffer + len, "%u\t%c    %-18s %u/%u\n",
+					    entry_p[i].id, type, entry_p[i].name,
+					    RSBAC_UID_SET(entry_p[i].owner),
+					    RSBAC_UID_NUM(entry_p[i].owner));
+			else
+				len +=
+				    sprintf(buffer + len, "%u\t%c    %-18s %u\n",
+					    entry_p[i].id, type, entry_p[i].name,
+					    RSBAC_UID_NUM(entry_p[i].owner));
 			pos = begin + len;
 			if (pos < offset) {
 				len = 0;
@@ -2517,9 +2955,17 @@
 							       (void **)
 							       &group_p,
 							       &ttl_p);
-			len +=
-			    sprintf(buffer + len, "\n%u\t%i\t", user_p[i],
-				    sub_count);
+			if (RSBAC_UID_SET(user_p[i]))
+				len +=
+				    sprintf(buffer + len, "\n%u/%u\t%i\t",
+					    RSBAC_UID_SET(user_p[i]),
+					    RSBAC_UID_NUM(user_p[i]),
+					    sub_count);
+			else
+				len +=
+				    sprintf(buffer + len, "\n%u\t%i\t",
+					    RSBAC_UID_NUM(user_p[i]),
+					    sub_count);
 			pos = begin + len;
 			if (pos < offset) {
 				len = 0;
@@ -3253,8 +3699,8 @@
 				      RSBAC_LIST_PERSIST | RSBAC_LIST_AUTO_HASH_RESIZE,
 				      NULL,
 				      entry_compare,
-				      NULL,
-				      NULL,
+				      u_get_conv,
+				      u_get_subconv,
 				      &def_mask,
 				      NULL,
 				      RSBAC_ACL_U_FILENAME,
@@ -3321,8 +3767,8 @@
 				      RSBAC_LIST_PERSIST | RSBAC_LIST_AUTO_HASH_RESIZE,
 				      NULL,
 				      entry_compare,
-				      NULL,
-				      NULL,
+				      g_get_conv,
+				      g_get_subconv,
 				      &def_mask,
 				      NULL,
 				      RSBAC_ACL_G_FILENAME,
@@ -3488,8 +3934,8 @@
 				      RSBAC_LIST_AUTO_HASH_RESIZE,
 				      NULL,
 				      entry_compare,
-				      NULL,
-				      NULL,
+				      netobj_get_conv,
+				      netobj_get_subconv,
 				      &def_mask,
 				      NULL,
 				      RSBAC_ACL_NETOBJ_FILENAME,
@@ -3561,7 +4007,9 @@
 				      RSBAC_LIST_PERSIST |
 				      RSBAC_LIST_DEF_DATA | RSBAC_LIST_AUTO_HASH_RESIZE,
 				      NULL,
-				      NULL, NULL, NULL,
+				      NULL,
+				      gm_get_conv,
+				      gm_get_subconv,
 				      NULL, NULL, RSBAC_ACL_GM_FILENAME,
 				      RSBAC_AUTO_DEV,
 					1,
=== rsbac/data_structures/auth_data_structures.c
==================================================================
--- rsbac/data_structures/auth_data_structures.c	(revision 2367)
+++ rsbac/data_structures/auth_data_structures.c	(local)
@@ -1,9 +1,9 @@
 /*************************************************** */
 /* Rule Set Based Access Control                     */
 /* Implementation of AUTH data structures            */
-/* Author and (c) 1999-2006: Amon Ott <ao@rsbac.org> */
+/* Author and (c) 1999-2007: Amon Ott <ao@rsbac.org> */
 /*                                                   */
-/* Last modified: 04/Jul/2006                        */
+/* Last modified: 27/Sep/2007                        */
 /*************************************************** */
 
 #include <linux/types.h>
@@ -122,6 +122,45 @@
 		return 0;
 }
 
+static int auth_subconv(void *old_desc,
+		       void *old_data, void *new_desc, void *new_data)
+{
+	struct rsbac_auth_cap_range_t *tmp_new_desc = new_desc;
+        struct rsbac_auth_old_cap_range_t *tmp_old_desc = old_desc;
+
+        tmp_new_desc->first = tmp_old_desc->first;
+        tmp_new_desc->last = tmp_old_desc->last;
+	return 0;
+}
+
+static rsbac_list_conv_function_t *auth_get_subconv(rsbac_version_t old_version)
+{
+	switch (old_version) {
+	case RSBAC_AUTH_FD_OLD_LIST_VERSION:
+		return auth_subconv;
+	default:
+		return NULL;
+	}
+}
+
+static int auth_conv(void *old_desc,
+		       void *old_data, void *new_desc, void *new_data)
+{
+	memcpy(new_desc, old_desc, sizeof(rsbac_inode_nr_t));
+	return 0;
+}
+
+static rsbac_list_conv_function_t *auth_get_conv(rsbac_version_t old_version)
+{
+	switch (old_version) {
+	case RSBAC_AUTH_FD_OLD_LIST_VERSION:
+		return auth_conv;
+	default:
+		return NULL;
+	}
+}
+
+
 /* auth_register_fd_lists() */
 /* register fd ACL lists for device */
 
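Review bot: `auth_conv` and `auth_subconv` ignore `old_data`/`new_data` without comment, while the list is registered with `RSBAC_LIST_DEF_DATA` in the next hunk. If items or sub-items carry data (not visible in the hunk), converted entries would keep whatever the list code left in the new buffer; if they carry none, a one-line comment such as `/* no data part, descriptor only */` on each function would say so. `auth_subconv` also indents four of its lines with spaces where the neighbouring lines use tabs.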
@@ -149,7 +188,8 @@
 					 RSBAC_LIST_PERSIST |
 					 RSBAC_LIST_DEF_DATA | RSBAC_LIST_AUTO_HASH_RESIZE,
 					 NULL,
-					 cap_compare, NULL, NULL,
+					 cap_compare,
+					 auth_get_conv, auth_get_subconv,
 					 NULL, NULL,
 					 RSBAC_AUTH_FD_FILENAME, kdev,
 					 nr_fd_hashes,
@@ -1334,20 +1374,41 @@
 			if (member_count > 0) {
 				for (j = 0; j < member_count; j++) {
 					if (cap_list[j].first !=
-					    cap_list[j].last)
+					    cap_list[j].last) {
+					    
+#ifdef CONFIG_RSBAC_UM_VIRTUAL
+						if (RSBAC_UID_SET(cap_list[j].first)
+						    || RSBAC_UID_SET(cap_list[j].last)
+						   )
+						  len +=
+						    sprintf(buffer + len,
+							    "%u/%u:%u/%u ",
+							    RSBAC_UID_SET(cap_list[j].first),
+							    RSBAC_UID_NUM(cap_list[j].first),
+							    RSBAC_UID_SET(cap_list[j].last),
+							    RSBAC_UID_NUM(cap_list[j].last));
+						else
+#endif
 						len +=
 						    sprintf(buffer + len,
 							    "%u:%u ",
-							    cap_list[j].
-							    first,
-							    cap_list[j].
-							    last);
-					else
+							    RSBAC_UID_NUM(cap_list[j].first),
+							    RSBAC_UID_NUM(cap_list[j].last));
+					} else {
+#ifdef CONFIG_RSBAC_UM_VIRTUAL
+						if (RSBAC_UID_SET(cap_list[j].first))
+						  len +=
+						    sprintf(buffer + len,
+							    "%u/%u ",
+							    RSBAC_UID_SET(cap_list[j].first),
+							    RSBAC_UID_NUM(cap_list[j].first));
+						else
+#endif
 						len +=
 						    sprintf(buffer + len,
 							    "%u ",
-							    cap_list[j].
-							    first);
+							    RSBAC_UID_NUM(cap_list[j].first));
+					}
 					pos = begin + len;
 					if (pos < offset) {
 						len = 0;
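Review bot: The `else` placed directly before `#endif` binds to whatever statement follows the preprocessor block, so the unbraced `len += sprintf(...)` after it is an else-body only when `CONFIG_RSBAC_UM_VIRTUAL` is set. It works as written, but an edit on either side of the `#endif` can silently change the control flow. Bracing the statement after `#endif` and the `if` body inside the `#ifdef` makes the pairing explicit. The construct appears twice in this hunk and again in the next two hunks (`@@ -1413,20 +1474,41 @@` and `@@ -1490,20 +1572,41 @@`). The ACL listings earlier in the diff call `RSBAC_UID_SET` without this `#ifdef`, so the two files treat the non-virtual configuration differently.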
@@ -1413,20 +1474,41 @@
 			if (member_count > 0) {
 				for (j = 0; j < member_count; j++) {
 					if (cap_list[j].first !=
-					    cap_list[j].last)
+					    cap_list[j].last) {
+					    
+#ifdef CONFIG_RSBAC_UM_VIRTUAL
+						if (RSBAC_UID_SET(cap_list[j].first)
+						    || RSBAC_UID_SET(cap_list[j].last)
+						   )
+						  len +=
+						    sprintf(buffer + len,
+							    "%u/%u:%u/%u ",
+							    RSBAC_UID_SET(cap_list[j].first),
+							    RSBAC_UID_NUM(cap_list[j].first),
+							    RSBAC_UID_SET(cap_list[j].last),
+							    RSBAC_UID_NUM(cap_list[j].last));
+						else
+#endif
 						len +=
 						    sprintf(buffer + len,
 							    "%u:%u ",
-							    cap_list[j].
-							    first,
-							    cap_list[j].
-							    last);
-					else
+							    RSBAC_UID_NUM(cap_list[j].first),
+							    RSBAC_UID_NUM(cap_list[j].last));
+					} else {
+#ifdef CONFIG_RSBAC_UM_VIRTUAL
+						if (RSBAC_UID_SET(cap_list[j].first))
+						  len +=
+						    sprintf(buffer + len,
+							    "%u/%u ",
+							    RSBAC_UID_SET(cap_list[j].first),
+							    RSBAC_UID_NUM(cap_list[j].first));
+						else
+#endif
 						len +=
 						    sprintf(buffer + len,
 							    "%u ",
-							    cap_list[j].
-							    first);
+							    RSBAC_UID_NUM(cap_list[j].first));
+					}
 					pos = begin + len;
 					if (pos < offset) {
 						len = 0;
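Review bot: The `else` placed directly before `#endif` takes the following unbraced `len += sprintf(...)` as its body, so the plain-format statement is an else-arm with CONFIG_RSBAC_UM_VIRTUAL and a bare statement without it. Nothing marks that dependency, and inserting a statement between the `#endif` and the `len +=` line would silently change which output is produced in the virtual-set build. I would add a comment above each `#ifdef`, `/* the else below binds to the plain-format sprintf after #endif; keep them adjacent */`, or brace both arms. The construct occurs twice in this hunk and again in the hunks at -1334, -1490 and -1570.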
@@ -1490,20 +1572,41 @@
 			if (member_count > 0) {
 				for (j = 0; j < member_count; j++) {
 					if (cap_list[j].first !=
-					    cap_list[j].last)
+					    cap_list[j].last) {
+					    
+#ifdef CONFIG_RSBAC_UM_VIRTUAL
+						if (RSBAC_UID_SET(cap_list[j].first)
+						    || RSBAC_UID_SET(cap_list[j].last)
+						   )
+						  len +=
+						    sprintf(buffer + len,
+							    "%u/%u:%u/%u ",
+							    RSBAC_UID_SET(cap_list[j].first),
+							    RSBAC_UID_NUM(cap_list[j].first),
+							    RSBAC_UID_SET(cap_list[j].last),
+							    RSBAC_UID_NUM(cap_list[j].last));
+						else
+#endif
 						len +=
 						    sprintf(buffer + len,
 							    "%u:%u ",
-							    cap_list[j].
-							    first,
-							    cap_list[j].
-							    last);
-					else
+							    RSBAC_UID_NUM(cap_list[j].first),
+							    RSBAC_UID_NUM(cap_list[j].last));
+					} else {
+#ifdef CONFIG_RSBAC_UM_VIRTUAL
+						if (RSBAC_UID_SET(cap_list[j].first))
+						  len +=
+						    sprintf(buffer + len,
+							    "%u/%u ",
+							    RSBAC_UID_SET(cap_list[j].first),
+							    RSBAC_UID_NUM(cap_list[j].first));
+						else
+#endif
 						len +=
 						    sprintf(buffer + len,
 							    "%u ",
-							    cap_list[j].
-							    first);
+							    RSBAC_UID_NUM(cap_list[j].first));
+					}
 					pos = begin + len;
 					if (pos < offset) {
 						len = 0;
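Review bot: The values passed for `%u` are now the results of `RSBAC_UID_SET()` and `RSBAC_UID_NUM()` rather than the struct members themselves, and the definitions of those macros are not part of this hunk. If either expands to an expression of a wider uid type in one of the two configurations, the varargs call reads the wrong width and prints wrong ids in the capability listing. Confirm that both macros yield an `unsigned int`-sized value with and without CONFIG_RSBAC_UM_VIRTUAL, or make it explicit at the call, e.g. `(unsigned int) RSBAC_UID_NUM(cap_list[j].first)`. This applies equally to the identical calls in the hunks at -1334, -1413 and -1570.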
@@ -1570,20 +1673,41 @@
 			if (member_count > 0) {
 				for (j = 0; j < member_count; j++) {
 					if (cap_list[j].first !=
-					    cap_list[j].last)
+					    cap_list[j].last) {
+					    
+#ifdef CONFIG_RSBAC_UM_VIRTUAL
+						if (RSBAC_UID_SET(cap_list[j].first)
+						    || RSBAC_UID_SET(cap_list[j].last)
+						   )
+						  len +=
+						    sprintf(buffer + len,
+							    "%u/%u:%u/%u ",
+							    RSBAC_UID_SET(cap_list[j].first),
+							    RSBAC_UID_NUM(cap_list[j].first),
+							    RSBAC_UID_SET(cap_list[j].last),
+							    RSBAC_UID_NUM(cap_list[j].last));
+						else
+#endif
 						len +=
 						    sprintf(buffer + len,
 							    "%u:%u ",
-							    cap_list[j].
-							    first,
-							    cap_list[j].
-							    last);
-					else
+							    RSBAC_UID_NUM(cap_list[j].first),
+							    RSBAC_UID_NUM(cap_list[j].last));
+					} else {
+#ifdef CONFIG_RSBAC_UM_VIRTUAL
+