• Andrew Morton's avatar
    [PATCH] AT_SECURE auxv entry · 177be0a4
    Andrew Morton authored
    From: Stephen Smalley <sds@epoch.ncsc.mil>
    
    This patch adds an AT_SECURE auxv entry to pass a boolean flag indicating
    whether "secure mode" should be enabled (i.e.  sanitize the environment,
    initial descriptors, etc) and allows each security module to specify the
    flag value via a new hook.
    
    New userland can then simply obey this flag when present rather than
    applying other methods of deciding (sample patch for glibc-2.3.2 can be
    found at http://www.cs.utah.edu/~sds/glibc-secureexec.patch).
    
    This change enables security modules like SELinux to request secure mode
    upon changes to other security attributes (e.g.  capabilities,
    roles/domains, etc) in addition to uid/gid changes or even to completely
    override the legacy logic.
    
    The legacy decision algorithm is preserved in the default hook functions
    for the dummy and capability security modules.
    
    Credit for the idea of adding an AT_SECURE auxv entry goes to Roland
    McGrath.
    177be0a4
binfmt_elf.c 38.7 KB