authorKees Cook <kees.cook@canonical.com>2010-06-29 11:07:44 -0700
committerJohn Rigby <john.rigby@linaro.org>2012-06-20 20:14:09 -0600
commitd1944940da89d8195015ddf3f7ec2a0002afda1e (patch)
tree4ec8da78590d4c5548727d7042c535510dc5d3f8 /include
parente757be0c4d17ac72f77ac8a07788f49f13196fdd (diff)
UBUNTU: SAUCE: security: unconditionally chain to Yama LSM
This patch forces the LSM to always chain through the Yama LSM regardless of which LSM is selected as the primary LSM. This is not intended for upstream. This is, however, what Ubuntu and ChromeOS are doing. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Diffstat (limited to 'include')
-rw-r--r--include/linux/security.h42
1 files changed, 42 insertions, 0 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index 673afbb8238..4efe351a3dc 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -3021,5 +3021,47 @@ static inline void free_secdata(void *secdata)
{ }
#endif /* CONFIG_SECURITY */
+#ifdef CONFIG_SECURITY_YAMA
+extern int yama_ptrace_access_check(struct task_struct *child,
+ unsigned int mode);
+extern int yama_path_link(struct dentry *old_dentry, struct path *new_dir,
+ struct dentry *new_dentry);
+extern int yama_inode_follow_link(struct dentry *dentry,
+ struct nameidata *nameidata);
+extern void yama_task_free(struct task_struct *task);
+extern int yama_task_prctl(int option, unsigned long arg2, unsigned long arg3,
+ unsigned long arg4, unsigned long arg5);
+#else
+static inline int yama_ptrace_access_check(struct task_struct *child,
+ unsigned int mode)
+{
+ return 0;
+}
+
+static inline int yama_path_link(struct dentry *old_dentry,
+ struct path *new_dir,
+ struct dentry *new_dentry)
+{
+ return 0;
+}
+
+static inline int yama_inode_follow_link(struct dentry *dentry,
+ struct nameidata *nameidata)
+{
+ return 0;
+}
+
+static inline void yama_task_free(struct task_struct *task)
+{
+}
+
+static inline int yama_task_prctl(int option, unsigned long arg2,
+ unsigned long arg3, unsigned long arg4,
+ unsigned long arg5)
+{
+ return -ENOSYS;
+}
+#endif /* CONFIG_SECURITY_YAMA */
+
#endif /* ! __LINUX_SECURITY_H */
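Review bot: The `#else` stubs encode a return-value contract that is not documented anywhere in this hunk: the three int hooks return 0, while `yama_task_prctl` returns `-ENOSYS`. The chaining callers are not part of this diff (it is limited to include/), so presumably 0 means "Yama has no objection" and `-ENOSYS` means "option not handled, defer to the primary LSM". A caller that treated `-ENOSYS` as a denial would fail every prctl on kernels built without Yama, so the convention is worth stating next to the declarations. I would add a comment above `#ifdef CONFIG_SECURITY_YAMA`, for example `/* Yama hooks are chained regardless of the primary LSM: 0 = no objection; -ENOSYS from yama_task_prctl = option not handled by Yama. */`. The block also sits after `#endif /* CONFIG_SECURITY */`, so the same comment should say whether these declarations are meant to be visible when CONFIG_SECURITY is off.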