From 41a4695ca46d8798f89b477855973eb2ad3f4f69 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Wed, 27 Feb 2013 08:37:56 -0800 Subject: Yama: do not modify global sysctl table entry When the sysctl table is constified, we won't be able to directly modify it. Instead, use a table copy that carries any needed changes. Suggested-by: PaX Team Signed-off-by: Kees Cook --- security/yama/yama_lsm.c | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) (limited to 'security') diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c index 13c88fbcf037..24aae2ae2b30 100644 --- a/security/yama/yama_lsm.c +++ b/security/yama/yama_lsm.c @@ -379,20 +379,17 @@ static struct security_operations yama_ops = { static int yama_dointvec_minmax(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { - int rc; + struct ctl_table table_copy; if (write && !capable(CAP_SYS_PTRACE)) return -EPERM; - rc = proc_dointvec_minmax(table, write, buffer, lenp, ppos); - if (rc) - return rc; - /* Lock the max value if it ever gets set. */ - if (write && *(int *)table->data == *(int *)table->extra2) - table->extra1 = table->extra2; + table_copy = *table; + if (*(int *)table_copy.data == *(int *)table_copy.extra2) + table_copy.extra1 = table_copy.extra2; - return rc; + return proc_dointvec_minmax(&table_copy, write, buffer, lenp, ppos); } static int zero; -- cgit v1.2.3-59-g8ed1b From 44aa1d4413876cca0962debc9483ba009d71737f Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Fri, 27 Feb 2015 16:23:59 -0500 Subject: security/yama: Remove unnecessary selects from Kconfig. Yama selects SECURITYFS and SECURITY_PATH, but requires neither. Remove them. Signed-off-by: Stephen Smalley Signed-off-by: Kees Cook --- security/yama/Kconfig | 2 -- 1 file changed, 2 deletions(-) (limited to 'security') diff --git a/security/yama/Kconfig b/security/yama/Kconfig index 20ef5143c0c0..3123e1da2fed 100644 --- a/security/yama/Kconfig +++ b/security/yama/Kconfig 
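Review bot: The one-way lock in yama_dointvec_minmax is no longer stored anywhere: it is recomputed on every call from whatever `table->data` holds at that moment, yet the comment `/* Lock the max value if it ever gets set. */` still reads as if the state were recorded. The comparison against `extra2` and the write that `proc_dointvec_minmax` then performs are separate steps, and no serialisation is visible in this hunk. Two concurrent CAP_SYS_PTRACE writers could therefore presumably leave the value below the maximum after one of them had set it, and unlike the removed `table->extra1 = table->extra2` assignment, nothing would then keep the floor raised. I would reword the comment to something like `/* Once the value equals its max, raise the floor to max for this call; the lock is derived from the current value, not stored. */`. If the one-way guarantee is meant to be strict, the compare and the write should also happen under a lock.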
@@ -1,8 +1,6 @@ config SECURITY_YAMA bool "Yama support" depends on SECURITY - select SECURITYFS - select SECURITY_PATH default n help This selects Yama, which extends DAC support with additional -- cgit v1.2.3-59-g8ed1b