Andrew Morton authored
From: Stephen Smalley <sds@epoch.ncsc.mil>

This patch adds an AT_SECURE auxv entry to pass a boolean flag indicating whether "secure mode" should be enabled (i.e. sanitize the environment, initial descriptors, etc) and allows each security module to specify the flag value via a new hook. New userland can then simply obey this flag when present rather than applying other methods of deciding (sample patch for glibc-2.3.2 can be found at http://www.cs.utah.edu/~sds/glibc-secureexec.patch). This change enables security modules like SELinux to request secure mode upon changes to other security attributes (e.g. capabilities, roles/domains, etc) in addition to uid/gid changes or even to completely override the legacy logic. The legacy decision algorithm is preserved in the default hook functions for the dummy and capability security modules.

Credit for the idea of adding an AT_SECURE auxv entry goes to Roland McGrath.
177be0a4
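The following is an added example, not part of this commit or of the glibc patch it links to, showing how a userland program would consume the AT_SECURE entry the commit introduces. It uses glibc's `getauxval()` (added to glibc well after this patch; on older kernels the entry is absent and `getauxval` reports ENOENT), and contrasts it with the legacy "real id differs from effective id" rule that the commit message says the dummy and capability hooks preserve. `trusted_getenv` is a hypothetical consumer invented for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/auxv.h>
#include <sys/types.h>
#include <unistd.h>

/* Legacy decision: secure mode iff the real and effective ids differ.
 * This is the uid/gid rule the commit message says is preserved in the
 * dummy/capability hooks; it cannot see capability or SELinux domain
 * transitions, which is the gap AT_SECURE closes. */
int legacy_secure_mode(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return (uid != euid) || (gid != egid);
}

/* Preferred decision: obey the kernel's AT_SECURE flag when present.
 * Returns 1 if AT_SECURE is set, 0 if it is present and clear, and falls
 * back to the legacy rule only when the entry is absent (old kernel). */
int secure_mode_requested(void)
{
    errno = 0;
    unsigned long v = getauxval(AT_SECURE);
    if (v == 0 && errno == ENOENT)
        return legacy_secure_mode(getuid(), geteuid(), getgid(), getegid());
    return v != 0;
}

/* Hypothetical consumer: refuse to honour environment variables that
 * influence loading or behaviour once secure mode has been requested,
 * regardless of why the security module asked for it. */
const char *trusted_getenv(const char *name)
{
    if (secure_mode_requested())
        return NULL;
    return getenv(name);
}

int main(void)
{
    printf("AT_SECURE says secure mode: %d\n", secure_mode_requested());
    printf("legacy uid/gid rule says:   %d\n",
           legacy_secure_mode(getuid(), geteuid(), getgid(), getegid()));
    return 0;
}
```

Run normally the two values agree; the difference shows up only when a security module such as SELinux sets AT_SECURE for a domain transition that leaves uid and gid unchanged, which is the case the legacy rule misses.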