summaryrefslogtreecommitdiffstats
path: root/mm
diff options
context:
space:
mode:
authorChristian Göttsche <cgzones@googlemail.com>2022-01-25 15:33:04 +0100
committerPaul Moore <paul@paul-moore.com>2022-06-13 20:15:23 +0200
commit2bfe15c5261212130f1a71f32a300bcf426443d4 (patch)
tree7dc146d23b463c610fe0e4df97f389cd08022a64 /mm
parentselinux: fix typos in comments (diff)
downloadlinux-2bfe15c5261212130f1a71f32a300bcf426443d4.tar.xz
linux-2bfe15c5261212130f1a71f32a300bcf426443d4.zip
mm: create security context for memfd_secret inodes
Create a security context for the inodes created by memfd_secret(2) via the LSM hook inode_init_security_anon to allow a fine grained control. As secret memory areas can affect hibernation and have a global shared limit access control might be desirable. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'mm')
-rw-r--r--mm/secretmem.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/mm/secretmem.c b/mm/secretmem.c
index 206ed6b40c1d..f544ec66ebaf 100644
--- a/mm/secretmem.c
+++ b/mm/secretmem.c
@@ -180,11 +180,20 @@ static struct file *secretmem_file_create(unsigned long flags)
{
struct file *file = ERR_PTR(-ENOMEM);
struct inode *inode;
+ const char *anon_name = "[secretmem]";
+ const struct qstr qname = QSTR_INIT(anon_name, strlen(anon_name));
+ int err;
inode = alloc_anon_inode(secretmem_mnt->mnt_sb);
if (IS_ERR(inode))
return ERR_CAST(inode);
+ err = security_inode_init_security_anon(inode, &qname, NULL);
+ if (err) {
+ file = ERR_PTR(err);
+ goto err_free_inode;
+ }
+
file = alloc_file_pseudo(inode, secretmem_mnt, "secretmem",
O_RDWR, &secretmem_fops);
if (IS_ERR(file))