Commit 2af62280 authored by Kees Cook's avatar Kees Cook

LSM: drop bprm_secureexec hook

This removes the bprm_secureexec hook since the logic has been folded into
the bprm_set_creds hook for all LSMs now.

Cc: Eric W. Biederman <>
Signed-off-by: default avatarKees Cook <>
Reviewed-by: default avatarJohn Johansen <>
Acked-by: default avatarJames Morris <>
Acked-by: Serge Hallyn's avatarSerge Hallyn <>
parent ee67ae7e
......@@ -1343,8 +1343,6 @@ EXPORT_SYMBOL(would_dump);
void setup_new_exec(struct linux_binprm * bprm)
bprm->secureexec |= security_bprm_secureexec(bprm);
* Once here, prepare_binrpm() will not be called any more, so
* the final state of setuid/setgid/fscaps can be merged into the
......@@ -43,7 +43,11 @@
* interpreters. The hook can tell whether it has already been called by
* checking to see if @bprm->security is non-NULL. If so, then the hook
* may decide either to retain the security information saved earlier or
* to replace it.
* to replace it. The hook must set @bprm->secureexec to 1 if a "secure
* exec" has happened as a result of this hook call. The flag is used to
* indicate the need for a sanitized execution environment, and is also
* passed in the ELF auxiliary table on the initial stack to indicate
* whether libc should enable secure mode.
* @bprm contains the linux_binprm structure.
* Return 0 if the hook is successful and permission is granted.
* @bprm_check_security:
......@@ -71,12 +75,6 @@
* linux_binprm structure. This hook is a good place to perform state
* changes on the process such as clearing out non-inheritable signal
* state. This is called immediately after commit_creds().
* @bprm_secureexec:
* Return a boolean value (0 or 1) indicating whether a "secure exec"
* is required. The flag is passed in the auxiliary table
* on the initial stack to the ELF interpreter to indicate whether libc
* should enable secure mode.
* @bprm contains the linux_binprm structure.
* Security hooks for filesystem operations.
......@@ -1388,7 +1386,6 @@ union security_list_options {
int (*bprm_set_creds)(struct linux_binprm *bprm);
int (*bprm_check_security)(struct linux_binprm *bprm);
int (*bprm_secureexec)(struct linux_binprm *bprm);
void (*bprm_committing_creds)(struct linux_binprm *bprm);
void (*bprm_committed_creds)(struct linux_binprm *bprm);
......@@ -1710,7 +1707,6 @@ struct security_hook_heads {
struct list_head vm_enough_memory;
struct list_head bprm_set_creds;
struct list_head bprm_check_security;
struct list_head bprm_secureexec;
struct list_head bprm_committing_creds;
struct list_head bprm_committed_creds;
struct list_head sb_alloc_security;
......@@ -231,7 +231,6 @@ int security_bprm_set_creds(struct linux_binprm *bprm);
int security_bprm_check(struct linux_binprm *bprm);
void security_bprm_committing_creds(struct linux_binprm *bprm);
void security_bprm_committed_creds(struct linux_binprm *bprm);
int security_bprm_secureexec(struct linux_binprm *bprm);
int security_sb_alloc(struct super_block *sb);
void security_sb_free(struct super_block *sb);
int security_sb_copy_data(char *orig, char *copy);
......@@ -540,11 +539,6 @@ static inline void security_bprm_committed_creds(struct linux_binprm *bprm)
static inline int security_bprm_secureexec(struct linux_binprm *bprm)
return 0;
static inline int security_sb_alloc(struct super_block *sb)
return 0;
......@@ -351,11 +351,6 @@ void security_bprm_committed_creds(struct linux_binprm *bprm)
call_void_hook(bprm_committed_creds, bprm);
int security_bprm_secureexec(struct linux_binprm *bprm)
return call_int_hook(bprm_secureexec, 0, bprm);
int security_sb_alloc(struct super_block *sb)
return call_int_hook(sb_alloc_security, 0, sb);
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment