Commit 28eba5bf9d4bf3ba4d58d985abf3a2903b7f2125

Authored by Michael LeMay
Committed by Linus Torvalds
1 parent 76b67ed9dc

[PATCH] selinux: inherit /proc/self/attr/keycreate across fork

Update SELinux to cause the keycreate process attribute held in
/proc/self/attr/keycreate to be inherited across a fork and reset upon
execve.  This is consistent with the handling of the other process
attributes provided by SELinux and also makes it simpler to adapt logon
programs to properly handle the keycreate attribute.

Signed-off-by: Michael LeMay <mdlemay@epoch.ncsc.mil>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

Showing 1 changed file with 4 additions and 2 deletions

security/selinux/hooks.c
... ... @@ -1532,8 +1532,9 @@
1532 1532 /* Default to the current task SID. */
1533 1533 bsec->sid = tsec->sid;
1534 1534  
1535   - /* Reset create and sockcreate SID on execve. */
  1535 + /* Reset fs, key, and sock SIDs on execve. */
1536 1536 tsec->create_sid = 0;
  1537 + tsec->keycreate_sid = 0;
1537 1538 tsec->sockcreate_sid = 0;
1538 1539  
1539 1540 if (tsec->exec_sid) {
1540 1541  
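Review bot: The rewritten comment at new line 1535 says "fs, key, and sock SIDs", but the fields cleared below it are create_sid, keycreate_sid and sockcreate_sid, so "fs" does not match any identifier a reader can grep for. Consider naming the fields, or the /proc/self/attr entries they back, in the comment. It would also help to note there that the reset runs before the `if (tsec->exec_sid)` test and is therefore unconditional: a program that writes keycreate and then execs a helper will find the helper creating keys with the default label.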
... ... @@ -2586,9 +2587,10 @@
2586 2587 tsec2->osid = tsec1->osid;
2587 2588 tsec2->sid = tsec1->sid;
2588 2589  
2589   - /* Retain the exec, create, and sock SIDs across fork */
  2590 + /* Retain the exec, fs, key, and sock SIDs across fork */
2590 2591 tsec2->exec_sid = tsec1->exec_sid;
2591 2592 tsec2->create_sid = tsec1->create_sid;
  2593 + tsec2->keycreate_sid = tsec1->keycreate_sid;
2592 2594 tsec2->sockcreate_sid = tsec1->sockcreate_sid;
2593 2595  
2594 2596 /* Retain ptracer SID across fork, if any.
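Review bot: The copy added at new line 2593 means a child carries the parent's keycreate_sid for as long as it runs without calling execve, and nothing in the comment at 2590 says so. Since the only reset visible in this patch is the execve path in the first hunk, a long-lived process that sets keycreate and then forks workers which never exec will have every worker creating keys under that label. Consider extending the comment to state that the inherited value persists until execve or an explicit clear, so callers know to reset the attribute once the labelled key has been created.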