@@ -, +, @@ 
---
---
--- a/include/linux/mm.h	2009-08-14 23:55:38.370712916 +0100
+++ a/include/linux/mm.h	2009-08-14 23:55:51.074712932 +0100
@@ -590,12 +590,10 @@ static inline void set_page_links(struct
  */
 static inline unsigned long round_hint_to_min(unsigned long hint)
 {
-#ifdef CONFIG_SECURITY
 	hint &= PAGE_MASK;
 	if (((void *)hint != NULL) &&
 	    (hint < mmap_min_addr))
 		return PAGE_ALIGN(mmap_min_addr);
-#endif
 	return hint;
 }
 
--- a/include/linux/security.h	2009-08-14 23:55:38.370712916 +0100
+++ a/include/linux/security.h	2009-08-14 23:55:51.074712932 +0100
@@ -2203,6 +2203,8 @@ static inline int security_file_mmap(str
 				     unsigned long addr,
 				     unsigned long addr_only)
 {
+	if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
+		return -EACCES;
 	return 0;
 }
 
--- a/kernel/sysctl.c	2009-08-14 23:55:38.417358190 +0100
+++ a/kernel/sysctl.c	2009-08-14 23:55:51.086713181 +0100
@@ -1221,7 +1221,6 @@ static struct ctl_table vm_table[] = {
 		.strategy	= &sysctl_jiffies,
 	},
 #endif
-#ifdef CONFIG_SECURITY
 	{
 		.ctl_name	= CTL_UNNUMBERED,
 		.procname	= "mmap_min_addr",
@@ -1230,7 +1229,6 @@ static struct ctl_table vm_table[] = {
 		.mode		= 0644,
 		.proc_handler	= &proc_doulongvec_minmax,
 	},
-#endif
 #ifdef CONFIG_NUMA
 	{
 		.ctl_name	= CTL_UNNUMBERED,
--- a/mm/Kconfig	2009-08-14 23:55:38.422713086 +0100
+++ a/mm/Kconfig	2009-08-14 23:55:51.090713501 +0100
@@ -216,3 +216,22 @@ config UNEVICTABLE_LRU
 
 config MMU_NOTIFIER
 	bool
+
+config DEFAULT_MMAP_MIN_ADDR
+	int "Low address space to protect from user allocation"
+	default 4096
+	help
+	This is the portion of low virtual memory which should be protected
+	from userspace allocation.  Keeping a user from writing to low pages
+	can help reduce the impact of kernel NULL pointer bugs.
+
+	For most ia64, ppc64 and x86 users with lots of address space
+	a value of 65536 is reasonable and should cause no problems.
+	On arm and other archs it should not be higher than 32768.
+	Programs which use vm86 functionality would either need additional
+	permissions from either the LSM or the capabilities module or have
+	this protection disabled.
+
+	This value can be changed after boot using the
+	/proc/sys/vm/mmap_min_addr tunable.
+
--- a/mm/mmap.c	2009-08-14 23:55:38.426713390 +0100
+++ a/mm/mmap.c	2009-08-14 23:55:51.090713501 +0100
@@ -86,6 +86,9 @@ int sysctl_overcommit_ratio = 50;	/* def
 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
 struct percpu_counter vm_committed_as;
 
+/* amount of vm to protect from userspace access */
+unsigned long mmap_min_addr = CONFIG_DEFAULT_MMAP_MIN_ADDR;
+
 /*
  * Check that a process has enough memory to allocate a new virtual
  * mapping. 0 means there is enough memory for the allocation to
--- a/security/Kconfig	2009-08-14 23:55:38.434713296 +0100
+++ a/security/Kconfig	2009-08-14 23:55:51.098713218 +0100
@@ -109,28 +109,8 @@ config SECURITY_ROOTPLUG
 
 	  See <http://www.linuxjournal.com/article.php?sid=6279> for
 	  more information about this module.
-	  
-	  If you are unsure how to answer this question, answer N.
-
-config SECURITY_DEFAULT_MMAP_MIN_ADDR
-        int "Low address space to protect from user allocation"
-        depends on SECURITY
-        default 0
-        help
-	  This is the portion of low virtual memory which should be protected
-	  from userspace allocation.  Keeping a user from writing to low pages
-	  can help reduce the impact of kernel NULL pointer bugs.
-
-	  For most ia64, ppc64 and x86 users with lots of address space
-	  a value of 65536 is reasonable and should cause no problems.
-	  On arm and other archs it should not be higher than 32768.
-	  Programs which use vm86 functionality would either need additional
-	  permissions from either the LSM or the capabilities module or have
-	  this protection disabled.
-
-	  This value can be changed after boot using the
-	  /proc/sys/vm/mmap_min_addr tunable.
 
+	  If you are unsure how to answer this question, answer N.
 
 source security/selinux/Kconfig
 source security/smack/Kconfig
--- a/security/security.c	2009-08-14 23:55:38.438713369 +0100
+++ a/security/security.c	2009-08-14 23:55:51.102713516 +0100
@@ -26,9 +26,6 @@ extern void security_fixup_ops(struct se
 
 struct security_operations *security_ops;	/* Initialized to NULL */
 
-/* amount of vm to protect from userspace access */
-unsigned long mmap_min_addr = CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR;
-
 static inline int verify(struct security_operations *ops)
 {
 	/* verify the security_operations structure exists */