[RFC][PATCH] trimming includes from linux/security.h

[RFC][PATCH] trimming includes from linux/security.h

[Al Viro]

	linux/security.h pulls a lot of garbage; most of it can be avoided
by several more struct ....; added in there, the rest is a matter of adding
explicit includes in places that (weirdly) relied on security.h to pull
what they wanted.  Plus taking round_hit_to_min() to the only place using
it (mm/mmap.c)...

	NOTE: it almost certainly won't build on some configs; it *does*
survive allmodconfig on amd64, but that's all it had been tested on.  Help
with review and (build-)testing would be very appreciated...  Fortunately,
all breakage will show up on build, which makes finding it less painful.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
index 1b7082d..82c5101 100644
--- a/drivers/net/macvtap.c
+++ b/drivers/net/macvtap.c
@@ -13,6 +13,7 @@
 #include <linux/init.h>
 #include <linux/wait.h>
 #include <linux/cdev.h>
+#include <linux/idr.h>
 #include <linux/fs.h>
 
 #include <net/net_namespace.h>
diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
index 0fd96c1..3fd1bc4 100644
--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -23,6 +23,7 @@
 #include <linux/crypto.h>
 #include <linux/completion.h>
 #include <linux/module.h>
+#include <linux/idr.h>
 #include <asm/unaligned.h>
 #include <scsi/scsi_device.h>
 #include <scsi/iscsi_proto.h>
diff --git a/drivers/target/iscsi/iscsi_target_login.c b/drivers/target/iscsi/iscsi_target_login.c
index daad362..ae119af 100644
--- a/drivers/target/iscsi/iscsi_target_login.c
+++ b/drivers/target/iscsi/iscsi_target_login.c
@@ -21,6 +21,7 @@
 #include <linux/string.h>
 #include <linux/kthread.h>
 #include <linux/crypto.h>
+#include <linux/idr.h>
 #include <scsi/iscsi_proto.h>
 #include <target/target_core_base.h>
 #include <target/target_core_transport.h>
diff --git a/fs/nfs/client.c b/fs/nfs/client.c
index 873bf00..38f4530 100644
--- a/fs/nfs/client.c
+++ b/fs/nfs/client.c
@@ -36,6 +36,7 @@
 #include <linux/inet.h>
 #include <linux/in6.h>
 #include <linux/slab.h>
+#include <linux/idr.h>
 #include <net/ipv6.h>
 #include <linux/nfs_xdr.h>
 #include <linux/sunrpc/bc_xprt.h>
diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
index a6b6217..67bbf6e 100644
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -6,7 +6,9 @@
 #include <linux/poll.h>
 #include <linux/proc_fs.h>
 #include <linux/security.h>
+#include <linux/sched.h>
 #include <linux/namei.h>
+#include <linux/mm.h>
 #include "internal.h"
 
 static const struct dentry_operations proc_sys_dentry_operations;
diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
index 5d81e92..e88b250 100644
--- a/fs/quota/dquot.c
+++ b/fs/quota/dquot.c
@@ -71,6 +71,7 @@
 #include <linux/module.h>
 #include <linux/proc_fs.h>
 #include <linux/security.h>
+#include <linux/sched.h>
 #include <linux/kmod.h>
 #include <linux/namei.h>
 #include <linux/capability.h>
diff --git a/fs/super.c b/fs/super.c
index 66a12f9..3577b06 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -32,6 +32,7 @@
 #include <linux/backing-dev.h>
 #include <linux/rculist_bl.h>
 #include <linux/cleancache.h>
+#include <linux/fsnotify.h>
 #include "internal.h"
 
 
diff --git a/include/linux/security.h b/include/linux/security.h
index 410ea73..fab3d99 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -22,22 +22,33 @@
 #ifndef __LINUX_SECURITY_H
 #define __LINUX_SECURITY_H
 
-#include <linux/fs.h>
-#include <linux/fsnotify.h>
-#include <linux/binfmts.h>
-#include <linux/dcache.h>
-#include <linux/signal.h>
-#include <linux/resource.h>
-#include <linux/sem.h>
-#include <linux/shm.h>
-#include <linux/mm.h> /* PAGE_ALIGN */
-#include <linux/msg.h>
-#include <linux/sched.h>
 #include <linux/key.h>
-#include <linux/xfrm.h>
+#include <linux/capability.h>
 #include <linux/slab.h>
-#include <linux/xattr.h>
-#include <net/flow.h>
+
+struct linux_binprm;
+struct cred;
+struct rlimit;
+struct siginfo;
+struct sem_array;
+struct sembuf;
+struct kern_ipc_perm;
+struct audit_context;
+struct super_block;
+struct inode;
+struct dentry;
+struct vfsmount;
+struct path;
+struct qstr;
+struct nameidata;
+struct iattr;
+struct fown_struct;
+struct file_operations;
+struct shmid_kernel;
+struct msg_msg;
+struct msg_queue;
+struct xattr;
+struct xfrm_sec_ctx;
 
 /* Maximum number of letters for an LSM name string */
 #define SECURITY_NAME_MAX	10
@@ -132,18 +143,6 @@ struct request_sock;
 #define LSM_UNSAFE_PTRACE_CAP	4
 
 #ifdef CONFIG_MMU
-/*
- * If a hint addr is less than mmap_min_addr change hint to be as
- * low as possible but still greater than mmap_min_addr
- */
-static inline unsigned long round_hint_to_min(unsigned long hint)
-{
-	hint &= PAGE_MASK;
-	if (((void *)hint != NULL) &&
-	    (hint < mmap_min_addr))
-		return PAGE_ALIGN(mmap_min_addr);
-	return hint;
-}
 extern int mmap_min_addr_handler(struct ctl_table *table, int write,
 				 void __user *buffer, size_t *lenp, loff_t *ppos);
 #endif
diff --git a/ipc/msgutil.c b/ipc/msgutil.c
index 8b5ce5d3..68cf82f 100644
--- a/ipc/msgutil.c
+++ b/ipc/msgutil.c
@@ -13,7 +13,9 @@
 #include <linux/security.h>
 #include <linux/slab.h>
 #include <linux/ipc.h>
+#include <linux/msg.h>
 #include <linux/ipc_namespace.h>
+#include <linux/utsname.h>
 #include <asm/uaccess.h>
 
 #include "util.h"
diff --git a/kernel/cred.c b/kernel/cred.c
index 5791612..97b36ee 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -16,6 +16,7 @@
 #include <linux/keyctl.h>
 #include <linux/init_task.h>
 #include <linux/security.h>
+#include <linux/binfmts.h>
 #include <linux/cn_proc.h>
 
 #if 0
diff --git a/kernel/exit.c b/kernel/exit.c
index d0b7d98..416b804 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -51,6 +51,7 @@
 #include <trace/events/sched.h>
 #include <linux/hw_breakpoint.h>
 #include <linux/oom.h>
+#include <linux/shm.h>
 
 #include <asm/uaccess.h>
 #include <asm/unistd.h>
diff --git a/kernel/sched.c b/kernel/sched.c
index 9d30d1d..d2508ad 100644
--- a/kernel/sched.c
+++ b/kernel/sched.c
@@ -71,6 +71,7 @@
 #include <linux/ctype.h>
 #include <linux/ftrace.h>
 #include <linux/slab.h>
+#include <linux/binfmts.h>
 
 #include <asm/tlb.h>
 #include <asm/irq_regs.h>
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index ae27196..eb10bea 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -58,6 +58,7 @@
 #include <linux/oom.h>
 #include <linux/kmod.h>
 #include <linux/capability.h>
+#include <linux/binfmts.h>
 
 #include <asm/uaccess.h>
 #include <asm/processor.h>
diff --git a/mm/mmap.c b/mm/mmap.c
index eae90af..28efb6d 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -936,6 +936,19 @@ void vm_stat_account(struct mm_struct *mm, unsigned long flags,
 #endif /* CONFIG_PROC_FS */
 
 /*
+ * If a hint addr is less than mmap_min_addr change hint to be as
+ * low as possible but still greater than mmap_min_addr
+ */
+static inline unsigned long round_hint_to_min(unsigned long hint)
+{
+	hint &= PAGE_MASK;
+	if (((void *)hint != NULL) &&
+	    (hint < mmap_min_addr))
+		return PAGE_ALIGN(mmap_min_addr);
+	return hint;
+}
+
+/*
  * The caller must hold down_write(&current->mm->mmap_sem).
  */
 
diff --git a/security/commoncap.c b/security/commoncap.c
index ee4f848..938d525 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -28,6 +28,7 @@
 #include <linux/prctl.h>
 #include <linux/securebits.h>
 #include <linux/user_namespace.h>
+#include <linux/binfmts.h>
 
 /*
  * If a non-root user executes a setuid-root binary in
diff --git a/security/security.c b/security/security.c
index 06007d7..f5f2df2 100644
--- a/security/security.c
+++ b/security/security.c
@@ -19,6 +19,8 @@
 #include <linux/integrity.h>
 #include <linux/ima.h>
 #include <linux/evm.h>
+#include <linux/fsnotify.h>
+#include <net/flow.h>
 
 #define MAX_LSM_EVM_XATTR	2
 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 4def4d9..eb71f3b 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -81,6 +81,7 @@
 #include <linux/syslog.h>
 #include <linux/user_namespace.h>
 #include <linux/export.h>
+#include <linux/msg.h>
 
 #include "avc.h"
 #include "objsec.h"
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 7db62b4..0c917c7 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -36,6 +36,9 @@
 #include <linux/magic.h>
 #include <linux/dcache.h>
 #include <linux/personality.h>
+#include <linux/msg.h>
+#include <linux/shm.h>
+#include <linux/binfmts.h>
 #include "smack.h"
 
 #define task_security(task)	(task_cred_xxx((task), security))

Re: [RFC][PATCH] trimming includes from linux/security.h

[Tetsuo Handa]

Al Viro wrote:
> 	linux/security.h pulls a lot of garbage; most of it can be avoided
> by several more struct ....; added in there,

Does it make sense to create a header file that contains only "struct ....;"
lines? A lot of "struct ....;" lines are used for avoiding compiler warning.
This results in LXR (linux cross reference) showing like

Defined as a struct type in:

    * security/selinux/include/avc.h, line 35
    * fs/udf/udfdecl.h, line 78
    * fs/isofs/isofs.h, line 108
    * fs/gfs2/bmap.h, line 15
    * fs/gfs2/dir.h, line 16
    * fs/xfs/xfs_acl.h, line 21
    * fs/xfs/xfs_vnodeops.h, line 7
    * fs/freevxfs/vxfs_extern.h, line 44
    * include/linux/net.h, line 67
    * include/linux/exportfs.h, line 7
    * include/linux/seq_file.h, line 13
    * include/linux/mm.h, line 245
    * include/linux/syscalls.h, line 16
    * include/linux/reiserfs_xattr.h, line 32
    * include/linux/xattr.h, line 64
    * include/linux/cgroup.h, line 24
    * include/linux/fs.h, line 749
    * include/linux/audit.h, line 375
    * include/linux/cdev.h, line 9
    * include/linux/cred.h, line 23
    * include/linux/mtd/blktrans.h, line 31
    * include/linux/generic_acl.h, line 6
    * include/linux/futex.h, line 127 

and makes it difficult to find the location of actual definition.

Re: [RFC][PATCH] trimming includes from linux/security.h

[Al Viro]

On Wed, Nov 30, 2011 at 04:09:25PM +0900, Tetsuo Handa wrote:
> Al Viro wrote:
> > 	linux/security.h pulls a lot of garbage; most of it can be avoided
> > by several more struct ....; added in there,
> 
> Does it make sense to create a header file that contains only "struct ....;"
> lines? A lot of "struct ....;" lines are used for avoiding compiler warning.
> This results in LXR (linux cross reference) showing like
> 
> Defined as a struct type in:
> 
>     * security/selinux/include/avc.h, line 35

Er...  Then LXR sucks.  It's trivial to distinguish those from actual
definition; talks to LXR folks and let them fix their code...

struct <tag> ;

vs

struct <tag> {

is not that hard to handle, even if you bother with __attribute__ in weird
places like that.  They need to distinguish those from
	struct <tag> <ident>
etc., after all, so they do some amount of lookahead...

Re: [RFC][PATCH] trimming includes from linux/security.h

[Paul Gortmaker]

On Wed, Nov 30, 2011 at 1:50 AM, Al Viro <viro@zeniv.linux.org.uk> wrote:
>        linux/security.h pulls a lot of garbage; most of it can be avoided
> by several more struct ....; added in there, the rest is a matter of adding
> explicit includes in places that (weirdly) relied on security.h to pull
> what they wanted.  Plus taking round_hit_to_min() to the only place using
> it (mm/mmap.c)...
>
>        NOTE: it almost certainly won't build on some configs; it *does*
> survive allmodconfig on amd64, but that's all it had been tested on.  Help
> with review and (build-)testing would be very appreciated...  Fortunately,
> all breakage will show up on build, which makes finding it less painful.
>
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

Hi Al,

I did some testing on this for powerpc and arm.  The one snag I came
across was that security.h uses things like current->mm and fields in
task_struct, so you get fallout like I've pasted below.  But to put
sched.h (and all its 300 sub-includes) back into security.h kind of
defeats the purpose of what you were trying to do, I think.

A proper fix would be to somehow really make security.h  a real
standalone header, via using defines instead of inlines or similar?

For now, I just added sched.h to the files that were breaking, but
it seems wrong to penalize random C files for the breakage in the
security.h header file.

This tree seems to survive most powerpc and arm defconfigs:

http://git.kernel.org/?p=linux/kernel/git/paulg/linux.git;a=shortlog;h=refs/heads/al-security-Nov30

but as I said above, I'm not really liking the last commit on it
that adds sched.h to 20-odd files.

Paul.
---

In file included from /home/paul/git/linux-head/fs/super.c:28:
/home/paul/git/linux-head/include/linux/security.h: In function
'security_real_capable':
/home/paul/git/linux-head/include/linux/security.h:1890: error:
dereferencing pointer to incomplete type
/home/paul/git/linux-head/include/linux/security.h:1890: warning: type
defaults to 'int' in declaration of '_________p1'
/home/paul/git/linux-head/include/linux/security.h:1890: error:
dereferencing pointer to incomplete type
/home/paul/git/linux-head/include/linux/security.h:1890: error:
dereferencing pointer to incomplete type
/home/paul/git/linux-head/include/linux/security.h:1890: error:
dereferencing pointer to incomplete type
/home/paul/git/linux-head/include/linux/security.h:1890: warning: type
defaults to 'int' in declaration of 'type name'
/home/paul/git/linux-head/include/linux/security.h:1890: warning: type
defaults to 'int' in declaration of 'type name'
/home/paul/git/linux-head/include/linux/security.h:1890: error:
dereferencing pointer to incomplete type
/home/paul/git/linux-head/include/linux/security.h:1890: warning: type
defaults to 'int' in declaration of 'type name'
/home/paul/git/linux-head/include/linux/security.h:1890: warning:
passing argument 2 of 'cap_capable' from incompatible pointer type
/home/paul/git/linux-head/include/linux/security.h:71: note: expected
'const struct cred *' but argument is of type 'int *'
/home/paul/git/linux-head/include/linux/security.h: In function
'security_real_capable_noaudit':
/home/paul/git/linux-head/include/linux/security.h:1901: error:
dereferencing pointer to incomplete type
/home/paul/git/linux-head/include/linux/security.h:1901: warning: type
defaults to 'int' in declaration of '_________p1'
/home/paul/git/linux-head/include/linux/security.h:1901: error:
dereferencing pointer to incomplete type
/home/paul/git/linux-head/include/linux/security.h:1901: error:
dereferencing pointer to incomplete type
/home/paul/git/linux-head/include/linux/security.h:1901: error:
dereferencing pointer to incomplete type
/home/paul/git/linux-head/include/linux/security.h:1901: warning: type
defaults to 'int' in declaration of 'type name'
/home/paul/git/linux-head/include/linux/security.h:1901: warning: type
defaults to 'int' in declaration of 'type name'
/home/paul/git/linux-head/include/linux/security.h:1901: error:
dereferencing pointer to incomplete type
/home/paul/git/linux-head/include/linux/security.h:1901: warning: type
defaults to 'int' in declaration of 'type name'
/home/paul/git/linux-head/include/linux/security.h:1902: warning:
passing argument 2 of 'cap_capable' from incompatible pointer type
/home/paul/git/linux-head/include/linux/security.h:71: note: expected
'const struct cred *' but argument is of type 'int *'
/home/paul/git/linux-head/include/linux/security.h: In function
'security_vm_enough_memory':
/home/paul/git/linux-head/include/linux/security.h:1931: error:
dereferencing pointer to incomplete type
/home/paul/git/linux-head/include/linux/security.h:1932: error:
dereferencing pointer to incomplete type
/home/paul/git/linux-head/include/linux/security.h: In function
'security_vm_enough_memory_kern':
/home/paul/git/linux-head/include/linux/security.h:1945: error:
dereferencing pointer to incomplete type
make[3]: *** [fs/super.o] Error 1

Re: [RFC][PATCH] trimming includes from linux/security.h

[Al Viro]

On Wed, Nov 30, 2011 at 03:41:04PM -0500, Paul Gortmaker wrote:
> A proper fix would be to somehow really make security.h  a real
> standalone header, via using defines instead of inlines or similar?

Whee... that says something about the amount of places pulling sched.h,
doesn't it?  FWIW, looking at that stuff makes me really wonder why
the hell do we have 3 functions there...  Look: on LSM-infested builds
we get
int security_vm_enough_memory(long pages)
{
        WARN_ON(current->mm == NULL);
        return security_ops->vm_enough_memory(current->mm, pages);
}
int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
{
        WARN_ON(mm == NULL);
        return security_ops->vm_enough_memory(mm, pages);
}
int security_vm_enough_memory_kern(long pages)
{
        /* If current->mm is a kernel thread then we will pass NULL,
           for this specific case that is fine */
        return security_ops->vm_enough_memory(current->mm, pages);
}
and on LSM-free ones
static inline int security_vm_enough_memory(long pages)
{
        WARN_ON(current->mm == NULL);
        return cap_vm_enough_memory(current->mm, pages);
}
static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
{
        WARN_ON(mm == NULL);
        return cap_vm_enough_memory(mm, pages);
}
static inline int security_vm_enough_memory_kern(long pages)
{
        /* If current->mm is a kernel thread then we will pass NULL,
           for this specific case that is fine */
        return cap_vm_enough_memory(current->mm, pages);
}

and looking at the callers, we get this:
	* mmap_region() calls ..._enough_memory(); current->mm has been
already read to local variable and we'd've oopsed already if it had been
NULL.  If anything, that's BUG_ON(!mm) in the beginning of function...
	* do_brk() - ditto.  Just before that call we have
        if (mm->map_count > sysctl_max_map_count)
                return -ENOMEM;
which renders that WARN_ON() rather pointless.
	* mprotect_fixup() - probably a bug, unless it's always called with
vma->vm_mm == current->mm.  Should it call ..._enough_memory_mm() instead?
Looking through the callers shows:
		+ mprotect(2) - we are guaranteed that, all right (and
incidentally we oops if current->mm is NULL; down_write(&current->mm->mmap_sem)
is done first).
		+ setup_arg_pages() - we rely on bprm->vma->mm ==
current->mm here.  And we oops first if it happens to be NULL.  bprm->vma
is set in __bprm_mm_init() and its ->mm is set to bprm->mm we used to have
at that point.  Which couldn't have been NULL *and* is what current->mm is
set to by flush_old_exec().  So we are OK as long as all setup_arg_pages()
follow a successful flush_old_exec() on the same bprm.  Which is true for
all callers (all are ->load_binary() instances).
	So we are actually OK, except that I'd still used ..._enough_memory_mm()
in mprotect_fixup() - will be much easier to verify that what we are doing is
correct, without detours through weird places.
	* vma_to_resize() - current->mm in local variable and we bugger
off to Efault first if it happens to be NULL.
	* acct_stack_growth() - calls ..._enough_memory_mm(), and if mm
happens to be NULL, well, we'd already accessed mm->total_vm, so that
WARN_ON() is too late for anything.
	* insert_vm_struct() - calls ..._enough_memory_mm(), oopses before
that point if mm is NULL (read from mm->mm_rb.rb_node in find_vma_prepare())
	* sys_swapoff() - root-only syscall and we'd better not have it
called with current->mm == NULL.
	* dup_mmap() - ..._enough_memory() is called; shouldn't that
be ..._enough_memory_mm() instead?  I really wonder about that one -
here we end up passing old ->mm to __vm_enough_memory().  Is that the
right thing to do?


Frankly, I would very much prefer to reduce these 3 functions to one
(..._mm() variant, sans the WARN_ON()) and had callers pass current->mm
explicitly.  I.e. something like this (preserving the current behaviour):

collapse security_vm_enough_memory() variants together

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
diff --git a/include/linux/security.h b/include/linux/security.h
index fab3d99..384485e 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1683,9 +1683,7 @@ int security_quotactl(int cmds, int type, int id, struct super_block *sb);
 int security_quota_on(struct dentry *dentry);
 int security_syslog(int type);
 int security_settime(const struct timespec *ts, const struct timezone *tz);
-int security_vm_enough_memory(long pages);
 int security_vm_enough_memory_mm(struct mm_struct *mm, long pages);
-int security_vm_enough_memory_kern(long pages);
 int security_bprm_set_creds(struct linux_binprm *bprm);
 int security_bprm_check(struct linux_binprm *bprm);
 void security_bprm_committing_creds(struct linux_binprm *bprm);
@@ -1923,25 +1921,11 @@ static inline int security_settime(const struct timespec *ts,
 	return cap_settime(ts, tz);
 }
 
-static inline int security_vm_enough_memory(long pages)
-{
-	WARN_ON(current->mm == NULL);
-	return cap_vm_enough_memory(current->mm, pages);
-}
-
 static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
 {
-	WARN_ON(mm == NULL);
 	return cap_vm_enough_memory(mm, pages);
 }
 
-static inline int security_vm_enough_memory_kern(long pages)
-{
-	/* If current->mm is a kernel thread then we will pass NULL,
-	   for this specific case that is fine */
-	return cap_vm_enough_memory(current->mm, pages);
-}
-
 static inline int security_bprm_set_creds(struct linux_binprm *bprm)
 {
 	return cap_bprm_set_creds(bprm);
diff --git a/kernel/fork.c b/kernel/fork.c
index da4a6a1..dac8e63 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -351,7 +351,7 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
 		charge = 0;
 		if (mpnt->vm_flags & VM_ACCOUNT) {
 			unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
-			if (security_vm_enough_memory(len))
+			if (security_vm_enough_memory_mm(oldmm, len)) /* sic */
 				goto fail_nomem;
 			charge = len;
 		}
diff --git a/mm/mmap.c b/mm/mmap.c
index 28efb6d..a6900f8 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1248,7 +1248,7 @@ munmap_back:
 	 */
 	if (accountable_mapping(file, vm_flags)) {
 		charged = len >> PAGE_SHIFT;
-		if (security_vm_enough_memory(charged))
+		if (security_vm_enough_memory_mm(mm, charged))
 			return -ENOMEM;
 		vm_flags |= VM_ACCOUNT;
 	}
@@ -2202,7 +2202,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
 	if (mm->map_count > sysctl_max_map_count)
 		return -ENOMEM;
 
-	if (security_vm_enough_memory(len >> PAGE_SHIFT))
+	if (security_vm_enough_memory_mm(mm, len >> PAGE_SHIFT))
 		return -ENOMEM;
 
 	/* Can we just expand an old private anonymous mapping? */
diff --git a/mm/mprotect.c b/mm/mprotect.c
index 5a688a2..9599fa2 100644
--- a/mm/mprotect.c
+++ b/mm/mprotect.c
@@ -168,7 +168,7 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
 		if (!(oldflags & (VM_ACCOUNT|VM_WRITE|VM_HUGETLB|
 						VM_SHARED|VM_NORESERVE))) {
 			charged = nrpages;
-			if (security_vm_enough_memory(charged))
+			if (security_vm_enough_memory_mm(mm, charged))
 				return -ENOMEM;
 			newflags |= VM_ACCOUNT;
 		}
diff --git a/mm/mremap.c b/mm/mremap.c
index d6959cb..eb6f39d 100644
--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -320,7 +320,7 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr,
 
 	if (vma->vm_flags & VM_ACCOUNT) {
 		unsigned long charged = (new_len - old_len) >> PAGE_SHIFT;
-		if (security_vm_enough_memory(charged))
+		if (security_vm_enough_memory_mm(mm, charged))
 			goto Efault;
 		*p = charged;
 	}
diff --git a/mm/shmem.c b/mm/shmem.c
index c288256..262e495 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -127,7 +127,7 @@ static inline struct shmem_sb_info *SHMEM_SB(struct super_block *sb)
 static inline int shmem_acct_size(unsigned long flags, loff_t size)
 {
 	return (flags & VM_NORESERVE) ?
-		0 : security_vm_enough_memory_kern(VM_ACCT(size));
+		0 : security_vm_enough_memory_mm(current->mm, VM_ACCT(size));
 }
 
 static inline void shmem_unacct_size(unsigned long flags, loff_t size)
@@ -145,7 +145,7 @@ static inline void shmem_unacct_size(unsigned long flags, loff_t size)
 static inline int shmem_acct_block(unsigned long flags)
 {
 	return (flags & VM_NORESERVE) ?
-		security_vm_enough_memory_kern(VM_ACCT(PAGE_CACHE_SIZE)) : 0;
+		security_vm_enough_memory_mm(current->mm, VM_ACCT(PAGE_CACHE_SIZE)) : 0;
 }
 
 static inline void shmem_unacct_blocks(unsigned long flags, long pages)
diff --git a/mm/swapfile.c b/mm/swapfile.c
index b1cd120..f678b98 100644
--- a/mm/swapfile.c
+++ b/mm/swapfile.c
@@ -1562,6 +1562,8 @@ SYSCALL_DEFINE1(swapoff, const char __user *, specialfile)
 	if (!capable(CAP_SYS_ADMIN))
 		return -EPERM;
 
+	BUG_ON(!current->mm);
+
 	pathname = getname(specialfile);
 	err = PTR_ERR(pathname);
 	if (IS_ERR(pathname))
@@ -1589,7 +1591,7 @@ SYSCALL_DEFINE1(swapoff, const char __user *, specialfile)
 		spin_unlock(&swap_lock);
 		goto out_dput;
 	}
-	if (!security_vm_enough_memory(p->pages))
+	if (!security_vm_enough_memory_mm(current->mm, p->pages))
 		vm_unacct_memory(p->pages);
 	else {
 		err = -ENOMEM;
diff --git a/security/security.c b/security/security.c
index f5f2df2..6b9e648 100644
--- a/security/security.c
+++ b/security/security.c
@@ -208,25 +208,11 @@ int security_settime(const struct timespec *ts, const struct timezone *tz)
 	return security_ops->settime(ts, tz);
 }
 
-int security_vm_enough_memory(long pages)
-{
-	WARN_ON(current->mm == NULL);
-	return security_ops->vm_enough_memory(current->mm, pages);
-}
-
 int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
 {
-	WARN_ON(mm == NULL);
 	return security_ops->vm_enough_memory(mm, pages);
 }
 
-int security_vm_enough_memory_kern(long pages)
-{
-	/* If current->mm is a kernel thread then we will pass NULL,
-	   for this specific case that is fine */
-	return security_ops->vm_enough_memory(current->mm, pages);
-}
-
 int security_bprm_set_creds(struct linux_binprm *bprm)
 {
 	return security_ops->bprm_set_creds(bprm);

Re: [RFC][PATCH] trimming includes from linux/security.h

[Paul Gortmaker]

On 11-11-30 05:29 PM, Al Viro wrote:

[...]

> 
> 
> Frankly, I would very much prefer to reduce these 3 functions to one
> (..._mm() variant, sans the WARN_ON()) and had callers pass current->mm
> explicitly.  I.e. something like this (preserving the current behaviour):

I dropped my scattered sched.h additions, and added this in to fix
the current->mm users.

I also had to macro-ize two static inlines in security.h to avoid
needing sched.h for incomplete types on task->real_cred, but that
meant I could drop the add of linux/cred.h to linux/security.h

Found one more trivial build error in selinux/hooks.c needing shm.h
but that was it.  I've got more builds running, but I've already built
a bunch of arm, mips, powerpc, and sparc without seeing any more fallout.

http://git.kernel.org/?p=linux/kernel/git/paulg/linux.git;a=shortlog;h=refs/heads/al-security-Nov30

If you want to squash the security.h commits all into one, change
commit logs, or anything like that, by all means, go ahead.

Paul.