Commit 2bfe15c5 authored by Christian Göttsche's avatar Christian Göttsche Committed by Paul Moore
Browse files

mm: create security context for memfd_secret inodes 



Create a security context for the inodes created by memfd_secret(2) via
the LSM hook inode_init_security_anon to allow a fine grained control.
As secret memory areas can affect hibernation and have a global shared
limit access control might be desirable.

Signed-off-by: default avatarChristian Göttsche <cgzones@googlemail.com>
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent 9691e4f9

mm/secretmem.c

+9 −0
Original line number Diff line number Diff line
@@ -180,11 +180,20 @@ static struct file *secretmem_file_create(unsigned long flags) 
{

	struct file *file = ERR_PTR(-ENOMEM);

	struct inode *inode;

	const char *anon_name = "[secretmem]";

	const struct qstr qname = QSTR_INIT(anon_name, strlen(anon_name));

	int err;



	inode = alloc_anon_inode(secretmem_mnt->mnt_sb);

	if (IS_ERR(inode))

		return ERR_CAST(inode);



	err = security_inode_init_security_anon(inode, &qname, NULL);

	if (err) {

		file = ERR_PTR(err);

		goto err_free_inode;

	}



	file = alloc_file_pseudo(inode, secretmem_mnt, "secretmem",

				 O_RDWR, &secretmem_fops);

	if (IS_ERR(file))