--- olpc-2.6-master.00/drivers/block/loop.c	2007-02-28 20:05:26.000000000 -0500
+++ olpc-2.6-master-vs22x.02/drivers/block/loop.c	2007-03-01 11:52:20.000000000 -0500
@@ -795,6 +796,7 @@ static int loop_set_fd(struct loop_devic
 	lo->lo_blocksize = lo_blocksize;
 	lo->lo_device = bdev;
 	lo->lo_flags = lo_flags;
+	lo->lo_xid = vx_current_xid();
 	lo->lo_backing_file = file;
 	lo->transfer = transfer_none;
 	lo->ioctl = NULL;
--- olpc-2.6-master.00/drivers/block/loop.c	2007-02-28 20:05:26.000000000 -0500
+++ olpc-2.6-master-vs22x.02/drivers/block/loop.c	2007-03-01 11:52:20.000000000 -0500
@@ -935,7 +937,7 @@ loop_set_status(struct loop_device *lo, 
 	struct loop_func_table *xfer;
 
 	if (lo->lo_encrypt_key_size && lo->lo_key_owner != current->uid &&
-	    !capable(CAP_SYS_ADMIN))
+	    !vx_capable(CAP_SYS_ADMIN, VXC_ADMIN_CLOOP))
 		return -EPERM;
 	if (lo->lo_state != Lo_bound)
 		return -ENXIO;
--- olpc-2.6-master.00/drivers/block/loop.c	2007-02-28 20:05:26.000000000 -0500
+++ olpc-2.6-master-vs22x.02/drivers/block/loop.c	2007-03-01 11:52:20.000000000 -0500
@@ -1015,7 +1017,8 @@ loop_get_status(struct loop_device *lo, 
 	memcpy(info->lo_crypt_name, lo->lo_crypt_name, LO_NAME_SIZE);
 	info->lo_encrypt_type =
 		lo->lo_encryption ? lo->lo_encryption->number : 0;
-	if (lo->lo_encrypt_key_size && capable(CAP_SYS_ADMIN)) {
+	if (lo->lo_encrypt_key_size &&
+		vx_capable(CAP_SYS_ADMIN, VXC_ADMIN_CLOOP)) {
 		info->lo_encrypt_key_size = lo->lo_encrypt_key_size;
 		memcpy(info->lo_encrypt_key, lo->lo_encrypt_key,
 		       lo->lo_encrypt_key_size);
--- olpc-2.6-master.00/drivers/block/loop.c	2007-02-28 20:05:26.000000000 -0500
+++ olpc-2.6-master-vs22x.02/drivers/block/loop.c	2007-03-01 11:52:20.000000000 -0500
@@ -1326,6 +1329,9 @@ static int lo_open(struct inode *inode, 
 {
 	struct loop_device *lo = inode->i_bdev->bd_disk->private_data;
 
+	if (!vx_check(lo->lo_xid, VS_IDENT|VS_HOSTID))
+		return -EACCES;
+
 	mutex_lock(&lo->lo_ctl_mutex);
 	lo->lo_refcnt++;
 	mutex_unlock(&lo->lo_ctl_mutex);
--- olpc-2.6-master.00/drivers/md/dm.c	2007-02-28 20:05:26.000000000 -0500
+++ olpc-2.6-master-vs22x.02/drivers/md/dm.c	2007-03-01 11:52:20.000000000 -0500
@@ -21,6 +21,7 @@
 #include <linux/hdreg.h>
 #include <linux/blktrace_api.h>
 #include <linux/smp_lock.h>
+#include <linux/vs_base.h>
 
 #define DM_MSG_PREFIX "core"
 
--- olpc-2.6-master.00/drivers/md/dm.c	2007-02-28 20:05:26.000000000 -0500
+++ olpc-2.6-master-vs22x.02/drivers/md/dm.c	2007-03-01 11:52:20.000000000 -0500
@@ -77,6 +78,7 @@ struct mapped_device {
 	rwlock_t map_lock;
 	atomic_t holders;
 	atomic_t open_count;
+	xid_t xid;
 
 	unsigned long flags;
 
--- olpc-2.6-master.00/drivers/md/dm.c	2007-02-28 20:05:26.000000000 -0500
+++ olpc-2.6-master-vs22x.02/drivers/md/dm.c	2007-03-01 11:52:20.000000000 -0500
@@ -223,6 +225,7 @@ static void __exit dm_exit(void)
 static int dm_blk_open(struct inode *inode, struct file *file)
 {
 	struct mapped_device *md;
+	int ret = -ENXIO;
 
 	spin_lock(&_minor_lock);
 
--- olpc-2.6-master.00/drivers/md/dm.c	2007-02-28 20:05:26.000000000 -0500
+++ olpc-2.6-master-vs22x.02/drivers/md/dm.c	2007-03-01 11:52:20.000000000 -0500
@@ -231,10 +234,12 @@ static int dm_blk_open(struct inode *ino
 		goto out;
 
 	if (test_bit(DMF_FREEING, &md->flags) ||
-	    test_bit(DMF_DELETING, &md->flags)) {
-		md = NULL;
+	    test_bit(DMF_DELETING, &md->flags))
+		goto out;
+
+	ret = -EACCES;
+	if (!vx_check(md->xid, VS_IDENT|VS_HOSTID))
 		goto out;
-	}
 
 	dm_get(md);
 	atomic_inc(&md->open_count);
--- olpc-2.6-master.00/drivers/md/dm.c	2007-02-28 20:05:26.000000000 -0500
+++ olpc-2.6-master-vs22x.02/drivers/md/dm.c	2007-03-01 11:52:20.000000000 -0500
@@ -238,11 +243,10 @@ *****
 
 	dm_get(md);
 	atomic_inc(&md->open_count);
-
+	ret = 0;
 out:
 	spin_unlock(&_minor_lock);
-
-	return md ? 0 : -ENXIO;
+	return ret;
 }
 
 static int dm_blk_close(struct inode *inode, struct file *file)
--- olpc-2.6-master.00/drivers/md/dm.c	2007-02-28 20:05:26.000000000 -0500
+++ olpc-2.6-master-vs22x.02/drivers/md/dm.c	2007-03-01 11:52:20.000000000 -0500
@@ -438,6 +442,14 @@ int dm_set_geometry(struct mapped_device
 	return 0;
 }
 
+/*
+ * Get the xid associated with a dm device
+ */
+xid_t dm_get_xid(struct mapped_device *md)
+{
+	return md->xid;
+}
+
 /*-----------------------------------------------------------------
  * CRUD START:
  *   A more elegant soln is in the works that uses the queue
--- olpc-2.6-master.00/drivers/md/dm.c	2007-02-28 20:05:26.000000000 -0500
+++ olpc-2.6-master-vs22x.02/drivers/md/dm.c	2007-03-01 11:52:20.000000000 -0500
@@ -991,6 +1003,7 @@ static struct mapped_device *alloc_dev(i
 	atomic_set(&md->holders, 1);
 	atomic_set(&md->open_count, 0);
 	atomic_set(&md->event_nr, 0);
+	md->xid = vx_current_xid();
 
 	md->queue = blk_alloc_queue(GFP_KERNEL);
 	if (!md->queue)
--- olpc-2.6-master.00/drivers/md/dm.h	2007-02-28 20:05:26.000000000 -0500
+++ olpc-2.6-master-vs22x.02/drivers/md/dm.h	2007-03-01 11:52:20.000000000 -0500
@@ -91,6 +91,8 @@ void dm_put_target_type(struct target_ty
 int dm_target_iterate(void (*iter_func)(struct target_type *tt,
 					void *param), void *param);
 
+xid_t dm_get_xid(struct mapped_device *md);
+
 /*-----------------------------------------------------------------
  * Useful inlines.
  *---------------------------------------------------------------*/
--- olpc-2.6-master.00/drivers/md/dm-ioctl.c	2007-02-28 20:05:26.000000000 -0500
+++ olpc-2.6-master-vs22x.02/drivers/md/dm-ioctl.c	2007-03-01 11:52:20.000000000 -0500
@@ -15,6 +15,7 @@
 #include <linux/slab.h>
 #include <linux/dm-ioctl.h>
 #include <linux/hdreg.h>
+#include <linux/vs_context.h>
 
 #include <asm/uaccess.h>
 
--- olpc-2.6-master.00/drivers/md/dm-ioctl.c	2007-02-28 20:05:26.000000000 -0500
+++ olpc-2.6-master-vs22x.02/drivers/md/dm-ioctl.c	2007-03-01 11:52:20.000000000 -0500
@@ -100,7 +101,8 @@ static struct hash_cell *__get_name_cell
 	unsigned int h = hash_str(str);
 
 	list_for_each_entry (hc, _name_buckets + h, name_list)
-		if (!strcmp(hc->name, str)) {
+		if (vx_check(dm_get_xid(hc->md), VS_WATCH_P|VS_IDENT) &&
+			!strcmp(hc->name, str)) {
 			dm_get(hc->md);
 			return hc;
 		}
--- olpc-2.6-master.00/drivers/md/dm-ioctl.c	2007-02-28 20:05:26.000000000 -0500
+++ olpc-2.6-master-vs22x.02/drivers/md/dm-ioctl.c	2007-03-01 11:52:20.000000000 -0500
@@ -114,7 +116,8 @@ static struct hash_cell *__get_uuid_cell
 	unsigned int h = hash_str(str);
 
 	list_for_each_entry (hc, _uuid_buckets + h, uuid_list)
-		if (!strcmp(hc->uuid, str)) {
+		if (vx_check(dm_get_xid(hc->md), VS_WATCH_P|VS_IDENT) &&
+			!strcmp(hc->uuid, str)) {
 			dm_get(hc->md);
 			return hc;
 		}
--- olpc-2.6-master.00/drivers/md/dm-ioctl.c	2007-02-28 20:05:26.000000000 -0500
+++ olpc-2.6-master-vs22x.02/drivers/md/dm-ioctl.c	2007-03-01 11:52:20.000000000 -0500
@@ -349,6 +352,9 @@ typedef int (*ioctl_fn)(struct dm_ioctl 
 
 static int remove_all(struct dm_ioctl *param, size_t param_size)
 {
+	if (!vx_check(0, VS_ADMIN))
+		return -EPERM;
+
 	dm_hash_remove_all(1);
 	param->data_size = 0;
 	return 0;
--- olpc-2.6-master.00/drivers/md/dm-ioctl.c	2007-02-28 20:05:26.000000000 -0500
+++ olpc-2.6-master-vs22x.02/drivers/md/dm-ioctl.c	2007-03-01 11:52:20.000000000 -0500
@@ -396,6 +402,8 @@ static int list_devices(struct dm_ioctl 
 	 */
 	for (i = 0; i < NUM_BUCKETS; i++) {
 		list_for_each_entry (hc, _name_buckets + i, name_list) {
+			if (!vx_check(dm_get_xid(hc->md), VS_WATCH_P|VS_IDENT))
+				continue;
 			needed += sizeof(struct dm_name_list);
 			needed += strlen(hc->name) + 1;
 			needed += ALIGN_MASK;
--- olpc-2.6-master.00/drivers/md/dm-ioctl.c	2007-02-28 20:05:26.000000000 -0500
+++ olpc-2.6-master-vs22x.02/drivers/md/dm-ioctl.c	2007-03-01 11:52:20.000000000 -0500
@@ -419,6 +427,8 @@ static int list_devices(struct dm_ioctl 
 	 */
 	for (i = 0; i < NUM_BUCKETS; i++) {
 		list_for_each_entry (hc, _name_buckets + i, name_list) {
+			if (!vx_check(dm_get_xid(hc->md), VS_WATCH_P|VS_IDENT))
+				continue;
 			if (old_nl)
 				old_nl->next = (uint32_t) ((void *) nl -
 							   (void *) old_nl);
--- olpc-2.6-master.00/drivers/md/dm-ioctl.c	2007-02-28 20:05:26.000000000 -0500
+++ olpc-2.6-master-vs22x.02/drivers/md/dm-ioctl.c	2007-03-01 11:52:20.000000000 -0500
@@ -609,10 +619,11 @@ static struct hash_cell *__find_device_h
 	if (!md)
 		goto out;
 
-	mdptr = dm_get_mdptr(md);
+	if (vx_check(dm_get_xid(md), VS_WATCH_P|VS_IDENT))
+		mdptr = dm_get_mdptr(md);
+
 	if (!mdptr)
 		dm_put(md);
-
 out:
 	return mdptr;
 }
--- olpc-2.6-master.00/drivers/md/dm-ioctl.c	2007-02-28 20:05:26.000000000 -0500
+++ olpc-2.6-master-vs22x.02/drivers/md/dm-ioctl.c	2007-03-01 11:52:20.000000000 -0500
@@ -1409,8 +1420,8 @@ static int ctl_ioctl(struct inode *inode
 	ioctl_fn fn = NULL;
 	size_t param_size;
 
-	/* only root can play with this */
-	if (!capable(CAP_SYS_ADMIN))
+	/* only root and certain contexts can play with this */
+	if (!vx_capable(CAP_SYS_ADMIN, VXC_ADMIN_MAPPER))
 		return -EACCES;
 
 	if (_IOC_TYPE(command) != DM_IOCTL)
--- olpc-2.6-master.00/include/linux/loop.h	2007-02-28 20:05:29.000000000 -0500
+++ olpc-2.6-master-vs22x.02/include/linux/loop.h	2007-03-01 11:52:20.000000000 -0500
@@ -45,6 +45,7 @@ struct loop_device {
 	struct loop_func_table *lo_encryption;
 	__u32           lo_init[2];
 	uid_t		lo_key_owner;	/* Who set the key */
+	xid_t		lo_xid;
 	int		(*ioctl)(struct loop_device *, int cmd, 
 				 unsigned long arg);