security: Add a cred_getsecid hook For IMA purposes, we want to be able to obtain the prepared secid in the bprm structure before the credentials are committed. Add a cred_getsecid hook that makes this possible. Issue: SEC-3292 Signed-off-by: Matthew Garrett <mjg59@google.com> Acked-by: Paul Moore <paul@paul-moore.com> Cc: Paul Moore <paul@paul-moore.com> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Change-Id: I308732c44cf70fc6358620bc125c4651cc960d22

commit: e7ef24deb32f10db64652df3be04f72b2e783067 [log] [tgz]
author: Matthew Garrett <mjg59@google.com> Mon Jan 08 13:36:19 2018 -0800
committer: Luca Weiss <luca.weiss@fairphone.com> Wed Mar 16 09:53:57 2022 +0100
tree: 8b37b39fd5030a926e57aff3dbc2f3ba459b0f5a
parent: 466c30cb09f748c03fd7ecffa1685dbc50f25384 [diff] [blame]
diff --git a/security/capability.c b/security/capability.c
index b2ee5ae..4a5191f 100644
--- a/security/capability.c
+++ b/security/capability.c

@@ -400,6 +400,10 @@
 {
 }
 
+static void cap_cred_getsecid(const struct cred *c, u32 *secid)
+{
+}
+
 static int cap_kernel_act_as(struct cred *new, u32 secid)
 {
 	return 0;
@@ -987,6 +991,7 @@
 	set_to_cap_if_null(ops, cred_free);
 	set_to_cap_if_null(ops, cred_prepare);
 	set_to_cap_if_null(ops, cred_transfer);
+	set_to_cap_if_null(ops, cred_getsecid);
 	set_to_cap_if_null(ops, kernel_act_as);
 	set_to_cap_if_null(ops, kernel_create_files_as);
 	set_to_cap_if_null(ops, kernel_module_request);
commit	e7ef24deb32f10db64652df3be04f72b2e783067	[log] [tgz]
author	Matthew Garrett <mjg59@google.com>	Mon Jan 08 13:36:19 2018 -0800
committer	Luca Weiss <luca.weiss@fairphone.com>	Wed Mar 16 09:53:57 2022 +0100
tree	8b37b39fd5030a926e57aff3dbc2f3ba459b0f5a
parent	466c30cb09f748c03fd7ecffa1685dbc50f25384 [diff] [blame]