summaryrefslogtreecommitdiff
path: root/include/linux/lsm_hooks.h
diff options
context:
space:
mode:
Diffstat (limited to 'include/linux/lsm_hooks.h')
-rw-r--r--include/linux/lsm_hooks.h21
1 files changed, 5 insertions, 16 deletions
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 3a90febadbe2..c9258124e417 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -43,7 +43,11 @@
* interpreters. The hook can tell whether it has already been called by
* checking to see if @bprm->security is non-NULL. If so, then the hook
* may decide either to retain the security information saved earlier or
- * to replace it.
+ * to replace it. The hook must set @bprm->secureexec to 1 if a "secure
+ * exec" has happened as a result of this hook call. The flag is used to
+ * indicate the need for a sanitized execution environment, and is also
+ * passed in the ELF auxiliary table on the initial stack to indicate
+ * whether libc should enable secure mode.
* @bprm contains the linux_binprm structure.
* Return 0 if the hook is successful and permission is granted.
* @bprm_check_security:
@@ -71,12 +75,6 @@
* linux_binprm structure. This hook is a good place to perform state
* changes on the process such as clearing out non-inheritable signal
* state. This is called immediately after commit_creds().
- * @bprm_secureexec:
- * Return a boolean value (0 or 1) indicating whether a "secure exec"
- * is required. The flag is passed in the auxiliary table
- * on the initial stack to the ELF interpreter to indicate whether libc
- * should enable secure mode.
- * @bprm contains the linux_binprm structure.
*
* Security hooks for filesystem operations.
*
@@ -530,11 +528,6 @@
*
* Security hooks for task operations.
*
- * @task_create:
- * Check permission before creating a child process. See the clone(2)
- * manual page for definitions of the @clone_flags.
- * @clone_flags contains the flags indicating what should be shared.
- * Return 0 if permission is granted.
* @task_alloc:
* @task task being allocated.
* @clone_flags contains the flags indicating what should be shared.
@@ -1388,7 +1381,6 @@ union security_list_options {
int (*bprm_set_creds)(struct linux_binprm *bprm);
int (*bprm_check_security)(struct linux_binprm *bprm);
- int (*bprm_secureexec)(struct linux_binprm *bprm);
void (*bprm_committing_creds)(struct linux_binprm *bprm);
void (*bprm_committed_creds)(struct linux_binprm *bprm);
@@ -1508,7 +1500,6 @@ union security_list_options {
int (*file_receive)(struct file *file);
int (*file_open)(struct file *file, const struct cred *cred);
- int (*task_create)(unsigned long clone_flags);
int (*task_alloc)(struct task_struct *task, unsigned long clone_flags);
void (*task_free)(struct task_struct *task);
int (*cred_alloc_blank)(struct cred *cred, gfp_t gfp);
@@ -1710,7 +1701,6 @@ struct security_hook_heads {
struct list_head vm_enough_memory;
struct list_head bprm_set_creds;
struct list_head bprm_check_security;
- struct list_head bprm_secureexec;
struct list_head bprm_committing_creds;
struct list_head bprm_committed_creds;
struct list_head sb_alloc_security;
@@ -1783,7 +1773,6 @@ struct security_hook_heads {
struct list_head file_send_sigiotask;
struct list_head file_receive;
struct list_head file_open;
- struct list_head task_create;
struct list_head task_alloc;
struct list_head task_free;
struct list_head cred_alloc_blank;