5 files changed, 37 insertions, 24 deletions

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 8db33a8b50c4..d5666d3cc21b 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -667,17 +667,29 @@ static struct security_operations apparmor_ops = {
  * AppArmor sysfs module parameters
  */
 
-static int param_set_aabool(const char *val, struct kernel_param *kp);
-static int param_get_aabool(char *buffer, struct kernel_param *kp);
+static int param_set_aabool(const char *val, const struct kernel_param *kp);
+static int param_get_aabool(char *buffer, const struct kernel_param *kp);
 #define param_check_aabool(name, p) __param_check(name, p, int)
+static struct kernel_param_ops param_ops_aabool = {
+        .set = param_set_aabool,
+        .get = param_get_aabool
+};
 
-static int param_set_aauint(const char *val, struct kernel_param *kp);
-static int param_get_aauint(char *buffer, struct kernel_param *kp);
+static int param_set_aauint(const char *val, const struct kernel_param *kp);
+static int param_get_aauint(char *buffer, const struct kernel_param *kp);
 #define param_check_aauint(name, p) __param_check(name, p, int)
+static struct kernel_param_ops param_ops_aauint = {
+        .set = param_set_aauint,
+        .get = param_get_aauint
+};
 
-static int param_set_aalockpolicy(const char *val, struct kernel_param *kp);
-static int param_get_aalockpolicy(char *buffer, struct kernel_param *kp);
+static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp);
+static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp);
 #define param_check_aalockpolicy(name, p) __param_check(name, p, int)
+static struct kernel_param_ops param_ops_aalockpolicy = {
+        .set = param_set_aalockpolicy,
+        .get = param_get_aalockpolicy
+};
 
 static int param_set_audit(const char *val, struct kernel_param *kp);
 static int param_get_audit(char *buffer, struct kernel_param *kp);
@@ -751,7 +763,7 @@ static int __init apparmor_enabled_setup(char *str)
 __setup("apparmor=", apparmor_enabled_setup);
 
 /* set global flag turning off the ability to load policy */
-static int param_set_aalockpolicy(const char *val, struct kernel_param *kp)
+static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)
 {
         if (!capable(CAP_MAC_ADMIN))
                 return -EPERM;
@@ -760,35 +772,35 @@ static int param_set_aalockpolicy(const char *val, struct kernel_param *kp)
         return param_set_bool(val, kp);
 }
 
-static int param_get_aalockpolicy(char *buffer, struct kernel_param *kp)
+static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
 {
         if (!capable(CAP_MAC_ADMIN))
                 return -EPERM;
         return param_get_bool(buffer, kp);
 }
 
-static int param_set_aabool(const char *val, struct kernel_param *kp)
+static int param_set_aabool(const char *val, const struct kernel_param *kp)
 {
         if (!capable(CAP_MAC_ADMIN))
                 return -EPERM;
         return param_set_bool(val, kp);
 }
 
-static int param_get_aabool(char *buffer, struct kernel_param *kp)
+static int param_get_aabool(char *buffer, const struct kernel_param *kp)
 {
         if (!capable(CAP_MAC_ADMIN))
                 return -EPERM;
         return param_get_bool(buffer, kp);
 }
 
-static int param_set_aauint(const char *val, struct kernel_param *kp)
+static int param_set_aauint(const char *val, const struct kernel_param *kp)
 {
         if (!capable(CAP_MAC_ADMIN))
                 return -EPERM;
         return param_set_uint(val, kp);
 }
 
-static int param_get_aauint(char *buffer, struct kernel_param *kp)
+static int param_get_aauint(char *buffer, const struct kernel_param *kp)
 {
         if (!capable(CAP_MAC_ADMIN))
                 return -EPERM;
diff --git a/security/capability.c b/security/capability.c
index a0bbf30fb6dc..95a6599a37bb 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -411,7 +411,8 @@ static int cap_task_getioprio(struct task_struct *p)
         return 0;
 }
 
-static int cap_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
+static int cap_task_setrlimit(struct task_struct *p, unsigned int resource,
+                struct rlimit *new_rlim)
 {
         return 0;
 }
diff --git a/security/keys/internal.h b/security/keys/internal.h
index addb67b169f4..56a133d8f37d 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -15,11 +15,6 @@
 #include <linux/sched.h>
 #include <linux/key-type.h>
 
-static inline __attribute__((format(printf, 1, 2)))
-void no_printk(const char *fmt, ...)
-{
-}
-
 #ifdef __KDEBUG
 #define kenter(FMT, ...) \
         printk(KERN_DEBUG "==> %s("FMT")\n", __func__, ##__VA_ARGS__)
diff --git a/security/security.c b/security/security.c
index 7461b1bc296c..c53949f17d9e 100644
--- a/security/security.c
+++ b/security/security.c
@@ -780,9 +780,10 @@ int security_task_getioprio(struct task_struct *p)
         return security_ops->task_getioprio(p);
 }
 
-int security_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
+int security_task_setrlimit(struct task_struct *p, unsigned int resource,
+                struct rlimit *new_rlim)
 {
-        return security_ops->task_setrlimit(resource, new_rlim);
+        return security_ops->task_setrlimit(p, resource, new_rlim);
 }
 
 int security_task_setscheduler(struct task_struct *p,
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 9b40f4c0ac70..42043f96e54f 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2284,12 +2284,15 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
                           PROCESS__RLIMITINH, NULL);
         if (rc) {
+                /* protect against do_prlimit() */
+                task_lock(current);
                 for (i = 0; i < RLIM_NLIMITS; i++) {
                         rlim = current->signal->rlim + i;
                         initrlim = init_task.signal->rlim + i;
                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
                 }
-                update_rlimit_cpu(current->signal->rlim[RLIMIT_CPU].rlim_cur);
+                task_unlock(current);
+                update_rlimit_cpu(current, rlimit(RLIMIT_CPU));
         }
 }
 
@@ -3333,16 +3336,17 @@ static int selinux_task_getioprio(struct task_struct *p)
         return current_has_perm(p, PROCESS__GETSCHED);
 }
 
-static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
+static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
+                struct rlimit *new_rlim)
 {
-        struct rlimit *old_rlim = current->signal->rlim + resource;
+        struct rlimit *old_rlim = p->signal->rlim + resource;
 
         /* Control the ability to change the hard limit (whether
            lowering or raising it), so that the hard limit can
            later be used as a safe reset point for the soft limit
            upon context transitions.  See selinux_bprm_committing_creds. */
         if (old_rlim->rlim_max != new_rlim->rlim_max)
-                return current_has_perm(current, PROCESS__SETRLIMIT);
+                return current_has_perm(p, PROCESS__SETRLIMIT);
 
         return 0;
 }