Merge tag 'selinux-pr-20170831' of git://git.kernel.org/pub/scm/linux/kernel/git...

[sfrench/cifs-2.6.git] / include / linux / lsm_hooks.h

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 3a90febadbe20e6756819dcd04e235a05fb7d99e..c9258124e41757187cdb8b2f83c5901966345902 100644 (file)
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -43,7 +43,11 @@
  *     interpreters.  The hook can tell whether it has already been called by
  *     checking to see if @bprm->security is non-NULL.  If so, then the hook
  *     may decide either to retain the security information saved earlier or
- *     to replace it.
+ *     to replace it.  The hook must set @bprm->secureexec to 1 if a "secure
+ *     exec" has happened as a result of this hook call.  The flag is used to
+ *     indicate the need for a sanitized execution environment, and is also
+ *     passed in the ELF auxiliary table on the initial stack to indicate
+ *     whether libc should enable secure mode.
  *     @bprm contains the linux_binprm structure.
  *     Return 0 if the hook is successful and permission is granted.
  * @bprm_check_security:
@@ -71,12 +75,6 @@
  *     linux_binprm structure.  This hook is a good place to perform state
  *     changes on the process such as clearing out non-inheritable signal
  *     state.  This is called immediately after commit_creds().
- * @bprm_secureexec:
- *     Return a boolean value (0 or 1) indicating whether a "secure exec"
- *     is required.  The flag is passed in the auxiliary table
- *     on the initial stack to the ELF interpreter to indicate whether libc
- *     should enable secure mode.
- *     @bprm contains the linux_binprm structure.
  *
  * Security hooks for filesystem operations.
  *
@@ -530,11 +528,6 @@
  *
  * Security hooks for task operations.
  *
- * @task_create:
- *     Check permission before creating a child process.  See the clone(2)
- *     manual page for definitions of the @clone_flags.
- *     @clone_flags contains the flags indicating what should be shared.
- *     Return 0 if permission is granted.
  * @task_alloc:
  *     @task task being allocated.
  *     @clone_flags contains the flags indicating what should be shared.
@@ -1388,7 +1381,6 @@ union security_list_options {
 
        int (*bprm_set_creds)(struct linux_binprm *bprm);
        int (*bprm_check_security)(struct linux_binprm *bprm);
-       int (*bprm_secureexec)(struct linux_binprm *bprm);
        void (*bprm_committing_creds)(struct linux_binprm *bprm);
        void (*bprm_committed_creds)(struct linux_binprm *bprm);
 
@@ -1508,7 +1500,6 @@ union security_list_options {
        int (*file_receive)(struct file *file);
        int (*file_open)(struct file *file, const struct cred *cred);
 
-       int (*task_create)(unsigned long clone_flags);
        int (*task_alloc)(struct task_struct *task, unsigned long clone_flags);
        void (*task_free)(struct task_struct *task);
        int (*cred_alloc_blank)(struct cred *cred, gfp_t gfp);
@@ -1710,7 +1701,6 @@ struct security_hook_heads {
        struct list_head vm_enough_memory;
        struct list_head bprm_set_creds;
        struct list_head bprm_check_security;
-       struct list_head bprm_secureexec;
        struct list_head bprm_committing_creds;
        struct list_head bprm_committed_creds;
        struct list_head sb_alloc_security;
@@ -1783,7 +1773,6 @@ struct security_hook_heads {
        struct list_head file_send_sigiotask;
        struct list_head file_receive;
        struct list_head file_open;
-       struct list_head task_create;
        struct list_head task_alloc;
        struct list_head task_free;
        struct list_head cred_alloc_blank;