New file descriptors are labeled using the credentials set in the 'f_cred'
field of the same structure. This permits to distinguish objects directly
managed by a user process from those created by a kernel service acting
on behalf of the application.
Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxx>
---
security/selinux/hooks.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f9c3764..6772687 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -232,7 +232,7 @@ static void inode_free_security(struct inode *inode)
static int file_alloc_security(struct file *file)
{
struct file_security_struct *fsec;
- u32 sid = current_sid();
+ u32 sid = cred_sid(file->f_cred);
fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
if (!fsec)
--
1.7.4.4
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
