diff --git a/security/slsm/lsm.c b/security/slsm/lsm.c
index 257f7bcc81cbf0bd4a5448f257302a07562e930e..eeece114f553f48b19d4b15fbfea6bedabdfe081 100644
--- a/security/slsm/lsm.c
+++ b/security/slsm/lsm.c
@@ -16,14 +16,12 @@ static char *init = "<<init>>";
 /**
- * new_passt_task - allocate a task security blob
- * @lbl: a pointer to the label for the running task
- * @gfp: type of the memory for the allocation
+ * passt_dup_task - duplicates all resources related to @old_pt
 *
- * Returns the new blob or NULL if there's no memory available
+ * Returns the new passt_task or NULL if there's no memory available
 */
-static struct passt_task *new_passt_task(char *lbl, gfp_t gfp) {
- struct passt_task *pt = kzalloc(sizeof(struct passt_task), gfp);
+static struct passt_task *passt_dup_task(const struct passt_task *old_pt, gfp_t gfp) {
+ struct passt_task *pt = kmemdup(old_pt, sizeof(struct passt_task), gfp);
 if (!pt) return NULL;
@@ -31,7 +29,7 @@ static struct passt_task *new_passt_task(char *lbl, gfp_t gfp) {
 * TODO: global cache for labels, see SMACK
 * for now we duplicate everything to avoid refcounting headaches
 */
- pt->label = kstrdup(lbl, gfp);
+ pt->label = kstrdup(old_pt->label, gfp);
 if (!pt->label) {
 kfree(pt);
 return NULL;
@@ -68,7 +66,7 @@ static int passt_cred_prepare(struct cred *new, const struct cred *old, gfp_t gfp) {
 struct passt_task *new_pt, *old_pt = old->security;
- new_pt = new_passt_task(old_pt->label, gfp);
+ new_pt = passt_dup_task(old_pt, gfp);
 if (!new_pt) return -ENOMEM;
@@ -336,6 +334,7 @@ static struct security_hook_list passt_hooks[] = {
 static __init int passt_init(void) {
 struct cred *cred;
 struct passt_task *pt;
+ struct passt_task init_pt = { .label = init, .confined = 0 };
 if (!security_module_enable("passt")) {
 printk(KERN_INFO "PASST-MAC disabled by boot parameter\n");
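Review bot: kmemdup() in the new passt_dup_task() shallow-copies every field of @old_pt, so until the kstrdup() in the next hunk runs, pt->label still points at the parent's label, and any teardown helper that frees pt->label on that window or on the kstrdup() failure path would free memory this blob does not own. The visible failure path only does kfree(pt), so it is safe today; making ownership explicit with `pt->label = NULL;` right after the `if (!pt)` check costs nothing and protects a future common destructor. The kernel-doc also lost its parameter lines: add `@old_pt: the task blob to copy; its label is deep-copied, every other field is copied as-is` and `@gfp: allocation flags` under the summary, since "duplicates all resources" overstates what happens to any other pointer member (the struct definition is not in this hunk). passt_dup_task's body continues in the next hunk.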
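Review bot: passt_cred_prepare now inherits every field of the parent blob rather than only the label; in particular `confined` (seen in the later hunk) used to be left at zero by the kzalloc() in new_passt_task and is now carried into the child's creds. That is a security-relevant semantic change (a confined task's children keep confinement instead of silently dropping it, assuming that is what the field gates) and nothing in the hunk records it; add `/* children inherit the parent's label and confinement state */` above the passt_dup_task() call. old_pt is still dereferenced without a NULL check, as the old code did, so only worth a guard if a cred without a blob can reach this hook. passt_cred_prepare's body continues outside the hunk.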
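Review bot: the `.confined = 0` in init_pt is redundant with designated-initializer zeroing, but it is the one place the policy for init is decided, so keep it and say why: `/* init runs unconfined; every other field of the blob starts at zero */`. The initializer stores the address of the static `init` string in .label, which passt_dup_task() later kstrdup()s, so the literal itself never reaches kfree(); that holds only as long as init_pt is passed nowhere else. passt_init's body continues outside the hunk.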
@@ -348,7 +347,7 @@ static __init int passt_init(void) {
 * how do we find out what init actually is?
 * hardcode /sbin/init? beware symlinks
 */
- pt = new_passt_task(init, GFP_KERNEL);
+ pt = passt_dup_task(&init_pt, GFP_KERNEL);
 if (!pt) /* TODO: panic? */ return -ENOMEM;
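Review bot: the `/* TODO: panic? */` beside the return is the thing to resolve in this hunk: once security_module_enable("passt") has succeeded, returning -ENOMEM from the initcall lets the boot continue with no init blob and presumably no hooks registered (registration is not visible here), which is fail-open for a MAC. An allocation failure this early is unrecoverable and, as far as I recall, SELinux panics when the initial cred cannot be set up; replace the return with `panic("PASST-MAC: cannot allocate the init task blob\n");`. Since `&init_pt` points into passt_init's stack frame, a one-line comment that passt_dup_task() copies the struct and kstrdup()s the label, so pt outlives the frame, would spare the next reader a double-take. passt_init's body continues outside the hunk.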