diff options
author | Christian Göttsche <cgzones@googlemail.com> | 2022-01-25 15:33:04 +0100 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2022-06-13 20:15:23 +0200 |
commit | 2bfe15c5261212130f1a71f32a300bcf426443d4 (patch) | |
tree | 7dc146d23b463c610fe0e4df97f389cd08022a64 /mm/secretmem.c | |
parent | selinux: fix typos in comments (diff) | |
download | linux-2bfe15c5261212130f1a71f32a300bcf426443d4.tar.xz linux-2bfe15c5261212130f1a71f32a300bcf426443d4.zip |
mm: create security context for memfd_secret inodes
Create a security context for the inodes created by memfd_secret(2) via
the LSM hook inode_init_security_anon to allow a fine grained control.
As secret memory areas can affect hibernation and have a global shared
limit access control might be desirable.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'mm/secretmem.c')
-rw-r--r-- | mm/secretmem.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/mm/secretmem.c b/mm/secretmem.c index 206ed6b40c1d..f544ec66ebaf 100644 --- a/mm/secretmem.c +++ b/mm/secretmem.c @@ -180,11 +180,20 @@ static struct file *secretmem_file_create(unsigned long flags) { struct file *file = ERR_PTR(-ENOMEM); struct inode *inode; + const char *anon_name = "[secretmem]"; + const struct qstr qname = QSTR_INIT(anon_name, strlen(anon_name)); + int err; inode = alloc_anon_inode(secretmem_mnt->mnt_sb); if (IS_ERR(inode)) return ERR_CAST(inode); + err = security_inode_init_security_anon(inode, &qname, NULL); + if (err) { + file = ERR_PTR(err); + goto err_free_inode; + } + file = alloc_file_pseudo(inode, secretmem_mnt, "secretmem", O_RDWR, &secretmem_fops); if (IS_ERR(file)) |