Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6: SELinux: Remove security_get_policycaps() security: allow Kconfig to set default mmap_min_addr protection
2025-06-28 17:41:50 +00:00 · 2008-02-06 10:48:34 -08:00 · 2008-02-06 10:48:34 -08:00 · 8ed5de58cf
commit 8ed5de58cf
parent 2dd550b90b 394c675397
4 changed files with 21 additions and 35 deletions
--- a/security/Kconfig
+++ b/security/Kconfig
@ -104,6 +104,24 @@ config SECURITY_ROOTPLUG
 	  If you are unsure how to answer this question, answer N.
 config SECURITY_DEFAULT_MMAP_MIN_ADDR
        int "Low address space to protect from user allocation"
        depends on SECURITY
        default 0
        help
 	  This is the portion of low virtual memory which should be protected
 	  from userspace allocation.  Keeping a user from writing to low pages
 	  can help reduce the impact of kernel NULL pointer bugs.
 	  For most users with lots of address space a value of 65536 is
 	  reasonable and should cause no problems.  Programs which use vm86
 	  functionality would either need additional permissions from either
 	  the LSM or the capabilities module or have this protection disabled.
 	  This value can be changed after boot using the
 	  /proc/sys/vm/mmap_min_addr tunable.
 source security/selinux/Kconfig
 source security/smack/Kconfig
--- a/security/security.c
+++ b/security/security.c
@ -23,7 +23,9 @@ extern struct security_operations dummy_security_ops;
 extern void security_fixup_ops(struct security_operations *ops);
 struct security_operations *security_ops;	/* Initialized to NULL */
-unsigned long mmap_min_addr;		/* 0 means no protection */
+
 /* amount of vm to protect from userspace access */
 unsigned long mmap_min_addr = CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR;
 static inline int verify(struct security_operations *ops)
 {
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@ -107,7 +107,6 @@ int security_get_classes(char ***classes, int *nclasses);
 int security_get_permissions(char *class, char ***perms, int *nperms);
 int security_get_reject_unknown(void);
 int security_get_allow_unknown(void);
 int security_get_policycaps(int *len, int **values);
 #define SECURITY_FS_USE_XATTR		1 /* use xattr */
 #define SECURITY_FS_USE_TRANS		2 /* use transition SIDs, e.g. devpts/tmpfs */
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@ -2245,39 +2245,6 @@ int security_get_allow_unknown(void)
 	return policydb.allow_unknown;
 }
 /**
 * security_get_policycaps - Query the loaded policy for its capabilities
 * @len: the number of capability bits
 * @values: the capability bit array
 *
 * Description:
 * Get an array of the policy capabilities in @values where each entry in
 * @values is either true (1) or false (0) depending the policy's support of
 * that feature.  The policy capabilities are defined by the
 * POLICYDB_CAPABILITY_* enums.  The size of the array is stored in @len and it
 * is up to the caller to free the array in @values.  Returns zero on success,
 * negative values on failure.
 *
 */
 int security_get_policycaps(int *len, int **values)
 {
 	int rc = -ENOMEM;
 	unsigned int iter;
 	POLICY_RDLOCK;
 	*values = kcalloc(POLICYDB_CAPABILITY_MAX, sizeof(int), GFP_ATOMIC);
 	if (*values == NULL)
 		goto out;
 	for (iter = 0; iter < POLICYDB_CAPABILITY_MAX; iter++)
 		(*values)[iter] = ebitmap_get_bit(&policydb.policycaps, iter);
 	*len = POLICYDB_CAPABILITY_MAX;
 out:
 	POLICY_RDUNLOCK;
 	return rc;
 }
 /**
 * security_policycap_supported - Check for a specific policy capability
 * @req_cap: capability