From 2bfe15c5261212130f1a71f32a300bcf426443d4 Mon Sep 17 00:00:00 2001 From: Christian Göttsche Date: Tue, 25 Jan 2022 15:33:04 +0100 Subject: mm: create security context for memfd_secret inodes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Create a security context for the inodes created by memfd_secret(2) via the LSM hook inode_init_security_anon to allow a fine grained control. As secret memory areas can affect hibernation and have a global shared limit access control might be desirable. Signed-off-by: Christian Göttsche Signed-off-by: Paul Moore --- mm/secretmem.c | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'mm/secretmem.c') diff --git a/mm/secretmem.c b/mm/secretmem.c index 206ed6b40c1d..f544ec66ebaf 100644 --- a/mm/secretmem.c +++ b/mm/secretmem.c @@ -180,11 +180,20 @@ static struct file *secretmem_file_create(unsigned long flags) { struct file *file = ERR_PTR(-ENOMEM); struct inode *inode; + const char *anon_name = "[secretmem]"; + const struct qstr qname = QSTR_INIT(anon_name, strlen(anon_name)); + int err; inode = alloc_anon_inode(secretmem_mnt->mnt_sb); if (IS_ERR(inode)) return ERR_CAST(inode); + err = security_inode_init_security_anon(inode, &qname, NULL); + if (err) { + file = ERR_PTR(err); + goto err_free_inode; + } + file = alloc_file_pseudo(inode, secretmem_mnt, "secretmem", O_RDWR, &secretmem_fops); if (IS_ERR(file)) -- cgit v1.2.3