security/talpa/Kconfig | 13 ++++
security/talpa/Makefile | 1 +
security/talpa/talpa.h | 2 +-
security/talpa/talpa_common.c | 2 +-
security/talpa/talpa_evaluation_calls.h | 7 ++
security/talpa/talpa_path_include.c | 100 +++++++++++++++++++++++++++++++
6 files changed, 123 insertions(+), 2 deletions(-)
diff --git a/security/talpa/Kconfig b/security/talpa/Kconfig
index 7b45eaf..8de7058 100644
--- a/security/talpa/Kconfig
+++ b/security/talpa/Kconfig
@@ -38,6 +38,19 @@ config TALPA_OPERATION_EXCLUSION
 If you are unsure how to answer this question, answer Y.
+config TALPA_PATH_INCLUDE
+ bool "Path inclusions"
+ depends on TALPA
+ default n
+ help
+ Path inclusion filter enables limiting the scope of vetting
+ operations on a subset of filesystem paths.
+
+ When no paths are configured everything is intercepted.
+
+ If you are unsure how to answer this question, answer N.
+
+
 config TALPA_FS_EXCLUDE
 bool "Filesystem type exclusions"
 depends on TALPA
diff --git a/security/talpa/Makefile b/security/talpa/Makefile
index a275788..8995c54 100644
--- a/security/talpa/Makefile
+++ b/security/talpa/Makefile
@@ -13,3 +13,4 @@ talpa-$(CONFIG_TALPA_OPERATION_EXCLUSION) += talpa_operation_exclude.o
 talpa-$(CONFIG_TALPA_FS_EXCLUDE) += talpa_fs_exclude.o
 talpa-$(CONFIG_TALPA_THREAD_EXCLUSION) += talpa_thread_exclude.o
 talpa-$(CONFIG_TALPA_PATH_EXCLUDE) += talpa_path_exclude.o
+talpa-$(CONFIG_TALPA_PATH_INCLUDE) += talpa_path_include.o
diff --git a/security/talpa/talpa.h b/security/talpa/talpa.h
index 86949d5..ead1cd3 100644
--- a/security/talpa/talpa.h
+++ b/security/talpa/talpa.h
@@ -121,7 +121,7 @@ extern ssize_t talpa_generic_get_ulong(struct talpa_configuration *cfg, char *bu
 extern ssize_t talpa_generic_set_ulong(struct talpa_configuration *cfg, char *buf, size_t len);
 extern ssize_t talpa_generic_get_long(struct talpa_configuration *cfg, char *buf, size_t len);
-#if defined CONFIG_TALPA_FS_EXCLUDE || defined CONFIG_TALPA_PATH_EXCLUDE
+#if defined CONFIG_TALPA_FS_EXCLUDE || defined CONFIG_TALPA_PATH_INCLUDE || defined CONFIG_TALPA_PATH_EXCLUDE
 /**
  * struct talpa_path_inclexcl - internal path inclusion or exclusion record
  * @path_len:length of this path
diff --git a/security/talpa/talpa_common.c b/security/talpa/talpa_common.c
index 17207d8..326c256 100644
--- a/security/talpa/talpa_common.c
+++ b/security/talpa/talpa_common.c
@@ -74,7 +74,7 @@ char *talpa_get_path(struct talpa_file_vetting *tfv)
 return tfv->path;
 }
-#if defined CONFIG_TALPA_FS_EXCLUDE || defined CONFIG_TALPA_PATH_EXCLUDE
+#if defined CONFIG_TALPA_FS_EXCLUDE || CONFIG_TALPA_PATH_INCLUDE || defined CONFIG_TALPA_PATH_EXCLUDE
 static struct kmem_cache *path_list_cache;
 unsigned int talpa_match_path(const char *path, struct talpa_path_list *list)
diff --git a/security/talpa/talpa_evaluation_calls.h b/security/talpa/talpa_evaluation_calls.h
index 7b49ec9..78df254 100644
--- a/security/talpa/talpa_evaluation_calls.h
+++ b/security/talpa/talpa_evaluation_calls.h
@@ -6,6 +6,7 @@ enum talpa_action talpa_opexcl_examine(struct talpa_file_vetting *tfv);
 enum talpa_action talpa_fs_exclude_examine(struct talpa_file_vetting *tfv);
 enum talpa_action talpa_path_exclude_examine(struct talpa_file_vetting *tfv);
+enum talpa_action talpa_path_include_examine(struct talpa_file_vetting *tfv);
 static inline int talpa_evaluation_calls(struct talpa_file_vetting *tfv)
 {
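Review bot: The new guard in talpa_common.c, `#if defined CONFIG_TALPA_FS_EXCLUDE || CONFIG_TALPA_PATH_INCLUDE || defined CONFIG_TALPA_PATH_EXCLUDE`, is missing `defined` before CONFIG_TALPA_PATH_INCLUDE, unlike the matching line this commit adds to talpa.h. It only behaves because a bool Kconfig symbol expands to 1 when enabled and an unknown identifier evaluates to 0 inside `#if`, and it will warn under -Wundef; the two guards should read identically: `#if defined CONFIG_TALPA_FS_EXCLUDE || defined CONFIG_TALPA_PATH_INCLUDE || defined CONFIG_TALPA_PATH_EXCLUDE`.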
@@ -42,6 +43,12 @@ static inline int talpa_evaluation_calls(struct talpa_file_vetting *tfv)
 return ret;
 #endif /* CONFIG_TALPA_FS_EXCLUDE */
+#ifdef CONFIG_TALPA_PATH_INCLUDE
+ ret = talpa_path_include_examine(tfv);
+ if (ret != TALPA_NEXT)
+ return ret;
+#endif /* CONFIG_TALPA_PATH_INCLUDE */
+
 #ifdef CONFIG_TALPA_PATH_EXCLUDE
 ret = talpa_path_exclude_examine(tfv);
 if (ret != TALPA_NEXT)
diff --git a/security/talpa/talpa_path_include.c b/security/talpa/talpa_path_include.c
new file mode 100644
index 0000000..a5bb10e
--- /dev/null
+++ b/security/talpa/talpa_path_include.c
@@ -0,0 +1,100 @@
+/*
+ * Copyright 2008 Sophos Plc
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; see the file COPYING. If not, write to
+ * the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+#include
+#include
+#include
+
+#include "talpa.h"
+
+
+static unsigned long talpa_path_inc_enbl;
+static TALPA_PATH_LIST(talpa_path_inclusions);
+static unsigned long talpa_path_inc_auth = 1;
+
+/* Filter examine function. */
+enum talpa_action talpa_path_include_examine(struct talpa_file_vetting *tfv)
+{
+ char *path;
+ unsigned int matched = 0;
+
+ if (!talpa_path_inc_enbl || talpa_path_list_empty(&talpa_path_inclusions))
+ return TALPA_NEXT;
+
+ path = talpa_get_path(tfv);
+ if (!IS_ERR(path))
+ matched = talpa_match_path(path, &talpa_path_inclusions);
+
+ /* If path does not match any of our inclusions stop
+ the vetting process right now. */
+ if (!matched) {
+ tfv->authoritative = talpa_path_inc_auth;
+ return TALPA_ALLOW;
+ }
+
+ return TALPA_NEXT;
+}
+
+static struct talpa_configuration talpa_include_cfg[] = {
+ {
+ .name = "enabled",
+ .mode = S_IRUSR|S_IWUSR|S_IRGRP,
+ .data = &talpa_path_inc_enbl,
+ .get = talpa_generic_get_ulong,
+ .set = talpa_generic_set_ulong,
+ },
+ {
+ .name = "authoritative",
+ .mode = S_IRUSR|S_IWUSR|S_IRGRP,
+ .data = &talpa_path_inc_auth,
+ .get = talpa_generic_get_ulong,
+ .set = talpa_generic_set_ulong,
+ },
+ {
+ .name = "list",
+ .data = &talpa_path_inclusions,
+ .mode = S_IRUSR|S_IRGRP,
+ .get = talpa_path_list,
+ },
+ {
+ .name = "add",
+ .data = &talpa_path_inclusions,
+ .mode = S_IWUSR|S_IWGRP,
+ .set = talpa_path_add,
+ },
+ {
+ .name = "remove",
+ .data = &talpa_path_inclusions,
+ .mode = S_IWUSR|S_IWGRP,
+ .set = talpa_path_remove,
+ },
+ {
+ },
+};
+
+static __init int talpa_include_init(void)
+{
+ int ret;
+
+ ret = talpa_register_configuration("path_inclusions", talpa_include_cfg);
+ if (ret)
+ pr_err("talpa: Failed to register path inclusion filter!\n");
+
+ return ret;
+}
+
+__initcall(talpa_include_init);
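Review bot: In talpa_path_include_examine, a failed talpa_get_path() leaves `matched` at 0, so the `if (!matched)` branch returns TALPA_ALLOW with `authoritative` set and talpa_evaluation_calls() stops the chain there (it returns on anything other than TALPA_NEXT). A path that cannot be resolved is thereby treated like a path outside the inclusion list, turning a lookup error into a silent allow; presumably the intended default is to let later filters and the vetting itself still see the file, i.e. `if (IS_ERR(path)) return TALPA_NEXT;` before the match, or else a comment stating that fail-open on path errors is deliberate. Separately, the `add` and `remove` attributes are group-writable (S_IWUSR|S_IWGRP) while `enabled` and `authoritative` are owner-writable only; since adding a single narrow inclusion path while the filter is enabled allows every other path without vetting, the write modes should be aligned or the difference documented next to the table.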