The devpts file system provides an interface to pseudo terminal (pty) devices. It is typically mounted at /dev/pts. A new pty device file is dynamically created when the /dev/ptmx pty master multiplex device is opened. At mount time, a user identity, group identity, and mode can be specified for all pty files in the devpts file system. Typically, this feature is used to set the group and mode to allow write access by programs that are setgid to the tty group. A user identity is typically not specified at mount time. In the absence of the corresponding mount option, the user and/or group identity is inherited from the process that created the pty.
As with the procfs file system, an initial SID was defined for the devpts file system and its root directory. The SIDs of the file system and root directory are set to this value by the fs/devpts/inode.c:devpts_read_super function. The devpts_statfs function returns this SID as the SID of the file system. The devpts_read_inode function returns this SID as the SID of the root inode.
To permit the security policy to control access to individual ptys, the devpts_pty_new function was modified to call the security server's security_transition_sid interface to obtain a SID for each new pty file. The SID of the creating process and the SID of the root directory of the devpts file system are passed to this interface as inputs. The security server returns a SID derived from these two SIDs. Pty files may need to be subsequently relabeled by programs to reflect changes in the label of the associated process. For example, the login program could relabel a pty created by rlogind based on the initial security context of the user shell.
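As an added example, not code from the report or from the kernel implementation it describes, the following C program exercises the creation path above from user space: opening the master multiplex device makes devpts create a slave node, whose owner, group and mode come from the mount options or are inherited from the creating process, and whose SID, on an SELinux kernel, can be read back as the `security.selinux` extended attribute. The `pty_info` struct and `inspect_new_pty` function are my own names.

```c
#define _GNU_SOURCE            /* posix_openpt, ptsname_r */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>
struct pty_info {
    char path[64];        /* slave node path under the devpts mount */
    uid_t uid; gid_t gid; /* from mount options, else inherited from creator */
    mode_t mode;          /* permission bits, normally from the mode= option */
    char label[256];      /* security.selinux value, "" when unavailable */
};

/* Open /dev/ptmx so devpts creates a slave node, then record how that
 * node was labeled. Returns the master fd (closing it removes the slave
 * node again) or -1 on failure. */
int inspect_new_pty(struct pty_info *info)
{
    struct stat st;
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0)
        return -1;
    if (grantpt(master) < 0 || unlockpt(master) < 0 ||
        ptsname_r(master, info->path, sizeof(info->path)) != 0 ||
        stat(info->path, &st) < 0) {
        close(master);
        return -1;
    }
    info->uid = st.st_uid;
    info->gid = st.st_gid;
    info->mode = st.st_mode & 07777;
    /* On SELinux kernels the SID chosen by security_transition_sid is exposed
     * as this xattr; elsewhere getxattr fails and the label stays empty. */
    ssize_t n = getxattr(info->path, "security.selinux",
                         info->label, sizeof(info->label) - 1);
    info->label[n < 0 ? 0 : n] = '\0';
    return master;
}

int main(void)
{
    struct pty_info info;
    int master = inspect_new_pty(&info);
    if (master < 0) { perror("pty"); return 1; }
    printf("%s uid=%u gid=%u mode=%04o label=%s\n", info.path, (unsigned)info.uid,
           (unsigned)info.gid, (unsigned)info.mode, info.label[0] ? info.label : "(none)");
    close(master);
    return 0;
}
```

Run it once as an ordinary user and once under a program that is setgid to the tty group to see which fields the mount options fix and which are inherited from the creator.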