[PATCH] selinux: fix clearing of new personality bit on security transitions

This patch moves the clearing of the new personality bit from
selinux_bprm_apply_creds (called from compute_creds) to
selinux_bprm_set_security (called from prepare_binprm).  This ensures that the
bit is cleared at the same point in exec processing as for setuid/setgid
binaries, prior to setting up the new image.
Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

security/selinux/hooks.c

@@ -1685,6 +1685,9 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm)
 		if (rc)
 			return rc;
 
+		/* Clear any possibly unsafe personality bits on exec: */
+		current->personality &= ~PER_CLEAR_ON_SETID;
+
 		/* Set the security field to the new SID. */
 		bsec->sid = newsid;
 	}
@@ -1895,9 +1898,6 @@ static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
 			task_unlock(current);
 		}
 
-		/* Clear any possibly unsafe personality bits on exec: */
-		current->personality &= ~PER_CLEAR_ON_SETID;
-
 		/* Close files for which the new task SID is not authorized. */
 		flush_unauthorized_files(current->files);