[PATCH] lsm: constify the 'mm' parameter in security_vm_enough_memory_mm()

Khadija Kamran kamrankhadijadj at gmail.com
Wed Aug 23 06:53:57 UTC 2023


The 'vm_enough_memory' hook has implementations registered in SELinux
and commoncap. Looking at the function implementations we observe that
the 'mm' parameter is not changing.

Mark the 'mm' parameter of LSM hook security_vm_enough_memory_mm() as
'const' since it will not be changing in the LSM hook.

Signed-off-by: Khadija Kamran <kamrankhadijadj at gmail.com>
---
 include/linux/lsm_hook_defs.h | 2 +-
 include/linux/mm.h            | 2 +-
 include/linux/security.h      | 6 +++---
 security/commoncap.c          | 2 +-
 security/security.c           | 2 +-
 security/selinux/hooks.c      | 2 +-
 6 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index 6bb55e61e8e8..aabf13482721 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -48,7 +48,7 @@ LSM_HOOK(int, 0, quota_on, struct dentry *dentry)
 LSM_HOOK(int, 0, syslog, int type)
 LSM_HOOK(int, 0, settime, const struct timespec64 *ts,
 	 const struct timezone *tz)
-LSM_HOOK(int, 0, vm_enough_memory, struct mm_struct *mm, long pages)
+LSM_HOOK(int, 0, vm_enough_memory, const struct mm_struct *mm, long pages)
 LSM_HOOK(int, 0, bprm_creds_for_exec, struct linux_binprm *bprm)
 LSM_HOOK(int, 0, bprm_creds_from_file, struct linux_binprm *bprm, struct file *file)
 LSM_HOOK(int, 0, bprm_check_security, struct linux_binprm *bprm)
diff --git a/include/linux/mm.h b/include/linux/mm.h
index 27ce77080c79..52d43c5c20cd 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -3064,7 +3064,7 @@ void anon_vma_interval_tree_verify(struct anon_vma_chain *node);
 	     avc; avc = anon_vma_interval_tree_iter_next(avc, start, last))
 
 /* mmap.c */
-extern int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin);
+extern int __vm_enough_memory(const struct mm_struct *mm, long pages, int cap_sys_admin);
 extern int vma_expand(struct vma_iterator *vmi, struct vm_area_struct *vma,
 		      unsigned long start, unsigned long end, pgoff_t pgoff,
 		      struct vm_area_struct *next);
diff --git a/include/linux/security.h b/include/linux/security.h
index e2734e9e44d5..442495335ffd 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -169,7 +169,7 @@ extern int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
 extern int cap_task_setscheduler(struct task_struct *p);
 extern int cap_task_setioprio(struct task_struct *p, int ioprio);
 extern int cap_task_setnice(struct task_struct *p, int nice);
-extern int cap_vm_enough_memory(struct mm_struct *mm, long pages);
+extern int cap_vm_enough_memory(const struct mm_struct *mm, long pages);
 
 struct msghdr;
 struct sk_buff;
@@ -287,7 +287,7 @@ int security_quotactl(int cmds, int type, int id, struct super_block *sb);
 int security_quota_on(struct dentry *dentry);
 int security_syslog(int type);
 int security_settime64(const struct timespec64 *ts, const struct timezone *tz);
-int security_vm_enough_memory_mm(struct mm_struct *mm, long pages);
+int security_vm_enough_memory_mm(const struct mm_struct *mm, long pages);
 int security_bprm_creds_for_exec(struct linux_binprm *bprm);
 int security_bprm_creds_from_file(struct linux_binprm *bprm, struct file *file);
 int security_bprm_check(struct linux_binprm *bprm);
@@ -600,7 +600,7 @@ static inline int security_settime64(const struct timespec64 *ts,
 	return cap_settime(ts, tz);
 }
 
-static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
+static inline int security_vm_enough_memory_mm(const struct mm_struct *mm, long pages)
 {
 	return __vm_enough_memory(mm, pages, cap_vm_enough_memory(mm, pages));
 }
diff --git a/security/commoncap.c b/security/commoncap.c
index 0b3fc2f3afe7..b7193f916b2c 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -1397,7 +1397,7 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
  *
  * Return: 1 if permission is granted, 0 if not.
  */
-int cap_vm_enough_memory(struct mm_struct *mm, long pages)
+int cap_vm_enough_memory(const struct mm_struct *mm, long pages)
 {
 	int cap_sys_admin = 0;
 
diff --git a/security/security.c b/security/security.c
index d5ff7ff45b77..f9c3dbc2376b 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1017,7 +1017,7 @@ int security_settime64(const struct timespec64 *ts, const struct timezone *tz)
  * Return: Returns 0 if permission is granted by the LSM infrastructure to the
  *         caller.
  */
-int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
+int security_vm_enough_memory_mm(const struct mm_struct *mm, long pages)
 {
 	struct security_hook_list *hp;
 	int cap_sys_admin = 1;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 79b4890e9936..8ae9cc81902c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2158,7 +2158,7 @@ static int selinux_syslog(int type)
  * Do not audit the selinux permission check, as this is applied to all
  * processes that allocate mappings.
  */
-static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
+static int selinux_vm_enough_memory(const struct mm_struct *mm, long pages)
 {
 	int rc, cap_sys_admin = 0;
 
-- 
2.34.1



More information about the Linux-security-module-archive mailing list