security: Add a cred_getsecid hook
For IMA purposes, we want to be able to obtain the prepared secid in the bprm structure before the credentials are committed. Add a cred_getsecid hook that makes this possible. Signed-off-by: Matthew Garrett <mjg59@google.com> Acked-by: Paul Moore <paul@paul-moore.com> Cc: Paul Moore <paul@paul-moore.com> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
This commit is contained in:
Matthew Garrett
committed by
Mimi Zohar
Mimi Zohar
parent
5893ed18a2
commit
3ec3011326
@@ -3844,6 +3844,11 @@ static void selinux_cred_transfer(struct cred *new, const struct cred *old)
|
||||
*tsec = *old_tsec;
|
||||
}
|
||||
|
||||
static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
|
||||
{
|
||||
*secid = cred_sid(c);
|
||||
}
|
||||
|
||||
/*
|
||||
* set the security data for a kernel service
|
||||
* - all the creation contexts are set to unlabelled
|
||||
@@ -6482,6 +6487,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
|
||||
LSM_HOOK_INIT(cred_free, selinux_cred_free),
|
||||
LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
|
||||
LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
|
||||
LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
|
||||
LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
|
||||
LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
|
||||
LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
|
||||
|
||||
Reference in New Issue
Block a user