Merge branch 'master' of /home/davem/src/GIT/linux-2.6/

[safe/jmp/linux-2.6] / kernel / seccomp.c

diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index c3391b6..57d4b13 100644 (file)
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -8,8 +8,10 @@
 
 #include <linux/seccomp.h>
 #include <linux/sched.h>
+#include <linux/compat.h>
 
 /* #define SECCOMP_DEBUG 1 */
+#define NR_SECCOMP_MODES 1
 
 /*
  * Secure computing mode 1 allows only read/write/exit/sigreturn.
@@ -21,7 +23,7 @@ static int mode1_syscalls[] = {
        0, /* null terminated */
 };
 
-#ifdef TIF_32BIT
+#ifdef CONFIG_COMPAT
 static int mode1_syscalls_32[] = {
        __NR_seccomp_read_32, __NR_seccomp_write_32, __NR_seccomp_exit_32, __NR_seccomp_sigreturn_32,
        0, /* null terminated */
@@ -36,8 +38,8 @@ void __secure_computing(int this_syscall)
        switch (mode) {
        case 1:
                syscall = mode1_syscalls;
-#ifdef TIF_32BIT
-               if (test_thread_flag(TIF_32BIT))
+#ifdef CONFIG_COMPAT
+               if (is_compat_task())
                        syscall = mode1_syscalls_32;
 #endif
                do {
@@ -54,3 +56,31 @@ void __secure_computing(int this_syscall)
 #endif
        do_exit(SIGKILL);
 }
+
+long prctl_get_seccomp(void)
+{
+       return current->seccomp.mode;
+}
+
+long prctl_set_seccomp(unsigned long seccomp_mode)
+{
+       long ret;
+
+       /* can set it only once to be even more secure */
+       ret = -EPERM;
+       if (unlikely(current->seccomp.mode))
+               goto out;
+
+       ret = -EINVAL;
+       if (seccomp_mode && seccomp_mode <= NR_SECCOMP_MODES) {
+               current->seccomp.mode = seccomp_mode;
+               set_thread_flag(TIF_SECCOMP);
+#ifdef TIF_NOTSC
+               disable_TSC();
+#endif
+               ret = 0;
+       }
+
+ out:
+       return ret;
+}