mm: create security context for memfd_secret inodes

Create a security context for the inodes created by memfd_secret(2) via
the LSM hook inode_init_security_anon to allow a fine grained control.
As secret memory areas can affect hibernation and have a global shared
limit access control might be desirable.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

diff --git a/mm/secretmem.c b/mm/secretmem.c
index 206ed6b40c1d0fcfbb6abcbced65581c647c1892..f544ec66ebaf0520872cf3b16eafa7ba155c0ecd 100644 (file)
--- a/mm/secretmem.c
+++ b/mm/secretmem.c
@@ -180,11 +180,20 @@ static struct file *secretmem_file_create(unsigned long flags)
 {
        struct file *file = ERR_PTR(-ENOMEM);
        struct inode *inode;
+       const char *anon_name = "[secretmem]";
+       const struct qstr qname = QSTR_INIT(anon_name, strlen(anon_name));
+       int err;
 
        inode = alloc_anon_inode(secretmem_mnt->mnt_sb);
        if (IS_ERR(inode))
                return ERR_CAST(inode);
 
+       err = security_inode_init_security_anon(inode, &qname, NULL);
+       if (err) {
+               file = ERR_PTR(err);
+               goto err_free_inode;
+       }
+
        file = alloc_file_pseudo(inode, secretmem_mnt, "secretmem",
                                 O_RDWR, &secretmem_fops);
        if (IS_ERR(file))