Merge tag 'lsm-pr-20231030' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm

					  cred->cap_inheritable));

}

/**

 * get_new_cred_many - Get references on a new set of credentials

 * @cred: The new credentials to reference

 * @nr: Number of references to acquire

 *

 * Get references on the specified set of new credentials.  The caller must

 * release all acquired references.

 */

static inline struct cred *get_new_cred_many(struct cred *cred, int nr)

{

	atomic_add(nr, &cred->usage);

	return cred;

}

/**

 * get_new_cred - Get a reference on a new set of credentials

 * @cred: The new credentials to reference

 */

static inline struct cred *get_new_cred(struct cred *cred)

{

	atomic_inc(&cred->usage);

	return cred;

	return get_new_cred_many(cred, 1);

}

/**

 * get_cred - Get a reference on a set of credentials

 * get_cred_many - Get references on a set of credentials

 * @cred: The credentials to reference

 * @nr: Number of references to acquire

 *

 * Get a reference on the specified set of credentials.  The caller must

 * release the reference.  If %NULL is passed, it is returned with no action.

 * Get references on the specified set of credentials.  The caller must release

 * all acquired reference.  If %NULL is passed, it is returned with no action.

 *

 * This is used to deal with a committed set of credentials.  Although the

 * pointer is const, this will temporarily discard the const and increment the

 * accidental alteration of a set of credentials that should be considered

 * immutable.

 */

static inline const struct cred *get_cred(const struct cred *cred)

static inline const struct cred *get_cred_many(const struct cred *cred, int nr)

{

	struct cred *nonconst_cred = (struct cred *) cred;

	if (!cred)

		return cred;

	validate_creds(cred);

	nonconst_cred->non_rcu = 0;

	return get_new_cred(nonconst_cred);

	return get_new_cred_many(nonconst_cred, nr);

}

/*

 * get_cred - Get a reference on a set of credentials

 * @cred: The credentials to reference

 *

 * Get a reference on the specified set of credentials.  The caller must

 * release the reference.  If %NULL is passed, it is returned with no action.

 *

 * This is used to deal with a committed set of credentials.

 */

static inline const struct cred *get_cred(const struct cred *cred)

{

	return get_cred_many(cred, 1);

}

static inline const struct cred *get_cred_rcu(const struct cred *cred)

/**

 * put_cred - Release a reference to a set of credentials

 * @cred: The credentials to release

 * @nr: Number of references to release

 *

 * Release a reference to a set of credentials, deleting them when the last ref

 * is released.  If %NULL is passed, nothing is done.

 * on task_struct are attached by const pointers to prevent accidental

 * alteration of otherwise immutable credential sets.

 */

static inline void put_cred(const struct cred *_cred)

static inline void put_cred_many(const struct cred *_cred, int nr)

{

	struct cred *cred = (struct cred *) _cred;

	if (cred) {

		validate_creds(cred);

		if (atomic_dec_and_test(&(cred)->usage))

		if (atomic_sub_and_test(nr, &cred->usage))

			__put_cred(cred);

	}

}

/*

 * put_cred - Release a reference to a set of credentials

 * @cred: The credentials to release

 *

 * Release a reference to a set of credentials, deleting them when the last ref

 * is released.  If %NULL is passed, nothing is done.

 */

static inline void put_cred(const struct cred *cred)

{

	put_cred_many(cred, 1);

}

/**

 * current_cred - Access the current task's subjective credentials

 *

};

static_assert(offsetof(struct filename, iname) % sizeof(long) == 0);

static inline struct mnt_idmap *file_mnt_idmap(struct file *file)

static inline struct mnt_idmap *file_mnt_idmap(const struct file *file)

{

	return mnt_idmap(file->f_path.mnt);

}

	 const kernel_cap_t *permitted)

LSM_HOOK(int, 0, capable, const struct cred *cred, struct user_namespace *ns,

	 int cap, unsigned int opts)

LSM_HOOK(int, 0, quotactl, int cmds, int type, int id, struct super_block *sb)

LSM_HOOK(int, 0, quotactl, int cmds, int type, int id, const struct super_block *sb)

LSM_HOOK(int, 0, quota_on, struct dentry *dentry)

LSM_HOOK(int, 0, syslog, int type)

LSM_HOOK(int, 0, settime, const struct timespec64 *ts,

	 const struct timezone *tz)

LSM_HOOK(int, 0, vm_enough_memory, struct mm_struct *mm, long pages)

LSM_HOOK(int, 0, bprm_creds_for_exec, struct linux_binprm *bprm)

LSM_HOOK(int, 0, bprm_creds_from_file, struct linux_binprm *bprm, struct file *file)

LSM_HOOK(int, 0, bprm_creds_from_file, struct linux_binprm *bprm, const struct file *file)

LSM_HOOK(int, 0, bprm_check_security, struct linux_binprm *bprm)

LSM_HOOK(void, LSM_RET_VOID, bprm_committing_creds, struct linux_binprm *bprm)

LSM_HOOK(void, LSM_RET_VOID, bprm_committed_creds, struct linux_binprm *bprm)

LSM_HOOK(void, LSM_RET_VOID, bprm_committing_creds, const struct linux_binprm *bprm)

LSM_HOOK(void, LSM_RET_VOID, bprm_committed_creds, const struct linux_binprm *bprm)

LSM_HOOK(int, 0, fs_context_submount, struct fs_context *fc, struct super_block *reference)

LSM_HOOK(int, 0, fs_context_dup, struct fs_context *fc,

	 struct fs_context *src_sc)

LSM_HOOK(int, 0, sb_eat_lsm_opts, char *orig, void **mnt_opts)

LSM_HOOK(int, 0, sb_mnt_opts_compat, struct super_block *sb, void *mnt_opts)

LSM_HOOK(int, 0, sb_remount, struct super_block *sb, void *mnt_opts)

LSM_HOOK(int, 0, sb_kern_mount, struct super_block *sb)

LSM_HOOK(int, 0, sb_kern_mount, const struct super_block *sb)

LSM_HOOK(int, 0, sb_show_options, struct seq_file *m, struct super_block *sb)

LSM_HOOK(int, 0, sb_statfs, struct dentry *dentry)

LSM_HOOK(int, 0, sb_mount, const char *dev_name, const struct path *path,

		      const kernel_cap_t *effective,

		      const kernel_cap_t *inheritable,

		      const kernel_cap_t *permitted);

extern int cap_bprm_creds_from_file(struct linux_binprm *bprm, struct file *file);

extern int cap_bprm_creds_from_file(struct linux_binprm *bprm, const struct file *file);

int cap_inode_setxattr(struct dentry *dentry, const char *name,

		       const void *value, size_t size, int flags);

int cap_inode_removexattr(struct mnt_idmap *idmap,

		       struct user_namespace *ns,

		       int cap,

		       unsigned int opts);

int security_quotactl(int cmds, int type, int id, struct super_block *sb);

int security_quotactl(int cmds, int type, int id, const struct super_block *sb);

int security_quota_on(struct dentry *dentry);

int security_syslog(int type);

int security_settime64(const struct timespec64 *ts, const struct timezone *tz);

int security_vm_enough_memory_mm(struct mm_struct *mm, long pages);

int security_bprm_creds_for_exec(struct linux_binprm *bprm);

int security_bprm_creds_from_file(struct linux_binprm *bprm, struct file *file);

int security_bprm_creds_from_file(struct linux_binprm *bprm, const struct file *file);

int security_bprm_check(struct linux_binprm *bprm);

void security_bprm_committing_creds(struct linux_binprm *bprm);

void security_bprm_committed_creds(struct linux_binprm *bprm);

void security_bprm_committing_creds(const struct linux_binprm *bprm);

void security_bprm_committed_creds(const struct linux_binprm *bprm);

int security_fs_context_submount(struct fs_context *fc, struct super_block *reference);

int security_fs_context_dup(struct fs_context *fc, struct fs_context *src_fc);

int security_fs_context_parse_param(struct fs_context *fc, struct fs_parameter *param);

int security_sb_eat_lsm_opts(char *options, void **mnt_opts);

int security_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts);

int security_sb_remount(struct super_block *sb, void *mnt_opts);

int security_sb_kern_mount(struct super_block *sb);

int security_sb_kern_mount(const struct super_block *sb);

int security_sb_show_options(struct seq_file *m, struct super_block *sb);

int security_sb_statfs(struct dentry *dentry);

int security_sb_mount(const char *dev_name, const struct path *path,

}

static inline int security_quotactl(int cmds, int type, int id,

				     struct super_block *sb)

				     const struct super_block *sb)

{

	return 0;

}

}

static inline int security_bprm_creds_from_file(struct linux_binprm *bprm,

						struct file *file)

						const struct file *file)

{

	return cap_bprm_creds_from_file(bprm, file);

}

	return 0;

}

static inline void security_bprm_committing_creds(struct linux_binprm *bprm)

static inline void security_bprm_committing_creds(const struct linux_binprm *bprm)

{

}

static inline void security_bprm_committed_creds(struct linux_binprm *bprm)

static inline void security_bprm_committed_creds(const struct linux_binprm *bprm)

{

}

 */

void exit_creds(struct task_struct *tsk)

{

	struct cred *cred;

	struct cred *real_cred, *cred;

	kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,

	       atomic_read(&tsk->cred->usage),

	       read_cred_subscribers(tsk->cred));

	cred = (struct cred *) tsk->real_cred;

	real_cred = (struct cred *) tsk->real_cred;

	tsk->real_cred = NULL;

	validate_creds(cred);

	alter_cred_subscribers(cred, -1);

	put_cred(cred);

	cred = (struct cred *) tsk->cred;

	tsk->cred = NULL;

	validate_creds(cred);

	if (real_cred == cred) {

		alter_cred_subscribers(cred, -2);

		put_cred_many(cred, 2);

	} else {

		validate_creds(real_cred);

		alter_cred_subscribers(real_cred, -1);

		put_cred(real_cred);

		alter_cred_subscribers(cred, -1);

		put_cred(cred);

	}

#ifdef CONFIG_KEYS_REQUEST_CACHE

	key_put(tsk->cached_requested_key);

#endif

		clone_flags & CLONE_THREAD

	    ) {

		p->real_cred = get_cred(p->cred);

		get_cred(p->cred);

		p->real_cred = get_cred_many(p->cred, 2);

		alter_cred_subscribers(p->cred, 2);

		kdebug("share_creds(%p{%d,%d})",

		       p->cred, atomic_read(&p->cred->usage),

		proc_id_connector(task, PROC_EVENT_GID);

	/* release the old obj and subj refs both */

	put_cred(old);

	put_cred(old);

	put_cred_many(old, 2);

	return 0;

}

EXPORT_SYMBOL(commit_creds);