1 files changed, 45 insertions, 14 deletions

diff --git a/include/linux/security.h b/include/linux/security.h
index 1f2ab6353c00..1f16eea2017b 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -28,10 +28,12 @@
 #include <linux/resource.h>
 #include <linux/sem.h>
 #include <linux/shm.h>
+#include <linux/mm.h> /* PAGE_ALIGN */
 #include <linux/msg.h>
 #include <linux/sched.h>
 #include <linux/key.h>
 #include <linux/xfrm.h>
+#include <linux/gfp.h>
 #include <net/flow.h>
 
 /* Maximum number of letters for an LSM name string */
@@ -65,6 +67,9 @@ extern int cap_inode_setxattr(struct dentry *dentry, const char *name,
 extern int cap_inode_removexattr(struct dentry *dentry, const char *name);
 extern int cap_inode_need_killpriv(struct dentry *dentry);
 extern int cap_inode_killpriv(struct dentry *dentry);
+extern int cap_file_mmap(struct file *file, unsigned long reqprot,
+                         unsigned long prot, unsigned long flags,
+                         unsigned long addr, unsigned long addr_only);
 extern int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags);
 extern int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
                           unsigned long arg4, unsigned long arg5);
@@ -91,6 +96,7 @@ extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb);
 extern int cap_netlink_recv(struct sk_buff *skb, int cap);
 
 extern unsigned long mmap_min_addr;
+extern unsigned long dac_mmap_min_addr;
 /*
  * Values used in the task_security_ops calls
  */
@@ -115,6 +121,21 @@ struct request_sock;
 #define LSM_UNSAFE_PTRACE       2
 #define LSM_UNSAFE_PTRACE_CAP   4
 
+/*
+ * If a hint addr is less than mmap_min_addr change hint to be as
+ * low as possible but still greater than mmap_min_addr
+ */
+static inline unsigned long round_hint_to_min(unsigned long hint)
+{
+        hint &= PAGE_MASK;
+        if (((void *)hint != NULL) &&
+            (hint < mmap_min_addr))
+                return PAGE_ALIGN(mmap_min_addr);
+        return hint;
+}
+extern int mmap_min_addr_handler(struct ctl_table *table, int write, struct file *filp,
+                                 void __user *buffer, size_t *lenp, loff_t *ppos);
+
 #ifdef CONFIG_SECURITY
 
 struct security_mnt_opts {
@@ -880,11 +901,6 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  *      @sock contains the listening socket structure.
  *      @newsock contains the newly created server socket for connection.
  *      Return 0 if permission is granted.
- * @socket_post_accept:
- *      This hook allows a security module to copy security
- *      information into the newly created socket's inode.
- *      @sock contains the listening socket structure.
- *      @newsock contains the newly created server socket for connection.
  * @socket_sendmsg:
  *      Check permission before transmitting a message to another socket.
  *      @sock contains the socket structure.
@@ -1554,8 +1570,6 @@ struct security_operations {
                                struct sockaddr *address, int addrlen);
         int (*socket_listen) (struct socket *sock, int backlog);
         int (*socket_accept) (struct socket *sock, struct socket *newsock);
-        void (*socket_post_accept) (struct socket *sock,
-                                    struct socket *newsock);
         int (*socket_sendmsg) (struct socket *sock,
                                struct msghdr *msg, int size);
         int (*socket_recvmsg) (struct socket *sock,
@@ -2203,7 +2217,7 @@ static inline int security_file_mmap(struct file *file, unsigned long reqprot,
                                      unsigned long addr,
                                      unsigned long addr_only)
 {
-        return 0;
+        return cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
 }
 
 static inline int security_file_mprotect(struct vm_area_struct *vma,
@@ -2537,7 +2551,6 @@ int security_socket_bind(struct socket *sock, struct sockaddr *address, int addr
 int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen);
 int security_socket_listen(struct socket *sock, int backlog);
 int security_socket_accept(struct socket *sock, struct socket *newsock);
-void security_socket_post_accept(struct socket *sock, struct socket *newsock);
 int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size);
 int security_socket_recvmsg(struct socket *sock, struct msghdr *msg,
                             int size, int flags);
@@ -2616,11 +2629,6 @@ static inline int security_socket_accept(struct socket *sock,
         return 0;
 }
 
-static inline void security_socket_post_accept(struct socket *sock,
-                                               struct socket *newsock)
-{
-}
-
 static inline int security_socket_sendmsg(struct socket *sock,
                                           struct msghdr *msg, int size)
 {
@@ -2966,5 +2974,28 @@ static inline void securityfs_remove(struct dentry *dentry)
 
 #endif
 
+#ifdef CONFIG_SECURITY
+
+static inline char *alloc_secdata(void)
+{
+        return (char *)get_zeroed_page(GFP_KERNEL);
+}
+
+static inline void free_secdata(void *secdata)
+{
+        free_page((unsigned long)secdata);
+}
+
+#else
+
+static inline char *alloc_secdata(void)
+{
+        return (char *)1;
+}
+
+static inline void free_secdata(void *secdata)
+{ }
+#endif /* CONFIG_SECURITY */
+
 #endif /* ! __LINUX_SECURITY_H */