Add a /proc/<pid>/attr/keycreate entry that stores the appropriate context for
newly-created keys. Modify the selinux_key_alloc hook to make use of the new
entry. Update the flask headers to include a new "setkeycreate" permission
for processes. Update the flask headers to include a new "create" permission
for keys. Use the create permission to restrict which SIDs each task can
assign to newly-created keys. Add a new parameter to the security hook
"security_key_alloc" to indicate whether it is being invoked by the kernel, or
from userspace. If it is being invoked by the kernel, the security hook
should never fail. Update the documentation to reflect these changes.
Signed-off-by: Michael LeMay <mdlemay@epoch.ncsc.mil>
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>