Merge tag 'lsm-pr-20241004' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm

	  found at <https://tomoyo.sourceforge.net/>.

	  If you are unsure how to answer this question, answer N.

config SECURITY_TOMOYO_LKM

	bool "Cut out most of TOMOYO's code to a loadable kernel module"

	default n

	depends on SECURITY_TOMOYO

	depends on MODULES

	help

	  Say Y here if you want to include TOMOYO without bloating

	  vmlinux file. If you say Y, most of TOMOYO code is cut out to

	  a loadable kernel module named tomoyo.ko . This option will be

	  useful for kernels built by Linux distributors where TOMOYO is

	  included but TOMOYO is not enabled by default. Please be sure

	  to explicitly load tomoyo.ko if you want to activate TOMOYO

	  without calling userspace policy loader, for tomoyo.ko is

	  loaded immediately before calling userspace policy loader.

config SECURITY_TOMOYO_MAX_ACCEPT_ENTRY

	int "Default maximal count for learning mode"

	default 2048

# SPDX-License-Identifier: GPL-2.0

tomoyo-objs := audit.o common.o condition.o domain.o environ.o file.o gc.o group.o memory.o mount.o network.o proxy.o realpath.o securityfs_if.o util.o

obj-y += init.o load_policy.o

ifdef CONFIG_SECURITY_TOMOYO_LKM

obj-m += tomoyo.o

else

obj-y += tomoyo.o

endif

obj-y = audit.o common.o condition.o domain.o environ.o file.o gc.o group.o load_policy.o memory.o mount.o network.o realpath.o securityfs_if.o tomoyo.o util.o

targets += builtin-policy.h

			p = find_task_by_pid_ns(pid, &init_pid_ns);

		else

			p = find_task_by_vpid(pid);

		if (p) {

		if (p)

			domain = tomoyo_task(p)->domain_info;

#ifdef CONFIG_SECURITY_TOMOYO_LKM

			if (!domain)

				domain = &tomoyo_kernel_domain;

#endif

		}

		rcu_read_unlock();

	} else if (!strncmp(data, "domain=", 7)) {

		if (tomoyo_domain_def(data + 7))

		p = find_task_by_pid_ns(pid, &init_pid_ns);

	else

		p = find_task_by_vpid(pid);

	if (p) {

	if (p)

		domain = tomoyo_task(p)->domain_info;

#ifdef CONFIG_SECURITY_TOMOYO_LKM

		if (!domain)

			domain = &tomoyo_kernel_domain;

#endif

	}

	rcu_read_unlock();

	if (!domain)

		return;

int tomoyo_init_request_info(struct tomoyo_request_info *r,

			     struct tomoyo_domain_info *domain,

			     const u8 index);

int __init tomoyo_interface_init(void);

int tomoyo_mkdev_perm(const u8 operation, const struct path *path,

		      const unsigned int mode, unsigned int dev);

int tomoyo_mount_permission(const char *dev_name, const struct path *path,

 *

 * Returns pointer to "struct tomoyo_task" for specified thread.

 */

#ifdef CONFIG_SECURITY_TOMOYO_LKM

extern struct tomoyo_task *tomoyo_task(struct task_struct *task);

#else

static inline struct tomoyo_task *tomoyo_task(struct task_struct *task)

{

	return task->security + tomoyo_blob_sizes.lbs_task;

}

#endif

/**

 * tomoyo_same_name_union - Check for duplicated "struct tomoyo_name_union" entry.

		pos =  srcu_dereference((head)->next, &tomoyo_ss);	\

	for ( ; pos != (head); pos = srcu_dereference(pos->next, &tomoyo_ss))

#ifdef CONFIG_SECURITY_TOMOYO_LKM

#define LSM_HOOK(RET, DEFAULT, NAME, ...) typedef RET (NAME##_t)(__VA_ARGS__);

#include <linux/lsm_hook_defs.h>

#undef LSM_HOOK

struct tomoyo_hooks {

	cred_prepare_t *cred_prepare;

	bprm_committed_creds_t *bprm_committed_creds;

	task_alloc_t *task_alloc;

	task_free_t *task_free;

	bprm_check_security_t *bprm_check_security;

	file_fcntl_t *file_fcntl;

	file_open_t *file_open;

	file_truncate_t *file_truncate;

	path_truncate_t *path_truncate;

	path_unlink_t *path_unlink;

	path_mkdir_t *path_mkdir;

	path_rmdir_t *path_rmdir;

	path_symlink_t *path_symlink;

	path_mknod_t *path_mknod;

	path_link_t *path_link;

	path_rename_t *path_rename;

	inode_getattr_t *inode_getattr;

	file_ioctl_t *file_ioctl;

	file_ioctl_compat_t *file_ioctl_compat;

	path_chmod_t *path_chmod;

	path_chown_t *path_chown;

	path_chroot_t *path_chroot;

	sb_mount_t *sb_mount;

	sb_umount_t *sb_umount;

	sb_pivotroot_t *sb_pivotroot;

	socket_bind_t *socket_bind;

	socket_connect_t *socket_connect;

	socket_listen_t *socket_listen;

	socket_sendmsg_t *socket_sendmsg;

};

extern void tomoyo_register_hooks(const struct tomoyo_hooks *tomoyo_hooks);

struct tomoyo_operations {

	void (*check_profile)(void);

	int enabled;

};

extern struct tomoyo_operations tomoyo_ops;

/*

 * Temporary hack: functions needed by tomoyo.ko . This will be removed

 * after all functions are marked as EXPORT_STMBOL_GPL().

 */

struct tomoyo_tmp_exports {

	struct task_struct * (*find_task_by_vpid)(pid_t nr);

	struct task_struct * (*find_task_by_pid_ns)(pid_t nr, struct pid_namespace *ns);

	void (*put_filesystem)(struct file_system_type *fs);

	struct file * (*get_mm_exe_file)(struct mm_struct *mm);

	char * (*d_absolute_path)(const struct path *path, char *buf, int buflen);

};

extern const struct tomoyo_tmp_exports tomoyo_tmp_exports;

#define find_task_by_vpid tomoyo_tmp_exports.find_task_by_vpid

#define find_task_by_pid_ns tomoyo_tmp_exports.find_task_by_pid_ns

#define put_filesystem tomoyo_tmp_exports.put_filesystem

#define get_mm_exe_file tomoyo_tmp_exports.get_mm_exe_file

#define d_absolute_path tomoyo_tmp_exports.d_absolute_path

#endif /* defined(CONFIG_SECURITY_TOMOYO_LKM) */

#endif /* !defined(_SECURITY_TOMOYO_COMMON_H) */

#include <linux/kthread.h>

#include <linux/slab.h>

/* Lock for GC. */

DEFINE_SRCU(tomoyo_ss);

/**

 * tomoyo_memory_free - Free memory for elements.

 *