SMACK: how are smack blobs getting into cred->security and inode->i_security?
Denis Obrezkov
denisobrezkov at gmail.com
Sat Jan 1 21:34:54 UTC 2022
> The LSM infrastructure (security/security.c) allocates cred and inode
> security blobs. This allows multiple security modules to use them.
>
>> Also, when does it happen? (for a task and for a
>> file)
>
> security_cred_alloc() and security_inode_alloc().
>
I mean how is information from SMACK64EXEC and SMACK64 getting into
those blobs? Do I understand the sequence right:
First, both labels (SMACK64EXEC and SMACK64) are installed in
smack_inode_post_setxattr. Second, when we launch a program, there is a
hook smack_bprm_creds_for_exec that installs a security label from the
program file inode into the corresponding smack task structure. Third,
when the program tries to access a file, it is caught in the
smack_inode_permission.
I am also not sure what is happening in security_inode_alloc. Does it
just copy a pointer to a security structure of a current task?
I also can't find where security_cred_alloc is used. I found
security_cred_alloc_blank but it is called only from cred_alloc_blank
from cred.c (and I can't find from where the latter is called).
--
Regards, Denis Obrezkov
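The three-step sequence described in the message above (xattrs recorded on the file, label transition at exec, access check at inode permission time), written out as a small user-space model. This is an added example, not kernel code and not from anyone in the thread: the xattr names security.SMACK64 and security.SMACK64EXEC are the real ones, and the access decision follows the fixed rule order in the Smack documentation (a "*" subject is always denied, "^" may read/execute anything, a "_" object may be read/executed by anyone, a "*" object allows everything, equal labels allow everything, otherwise an explicit rule must grant every requested bit). The struct names, the access bit values, the labels and the rule set are constructed for illustration; the kernel's extra checks at exec (unsafe bprm, ptrace) and rule features such as transmute are left out.

```c
/* Added example: user-space model of the Smack xattr -> exec -> permission flow.
 * Not kernel code; struct names, labels, rules and access bits are constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define LABEL_MAX 24

/* Access bits used by this model (not the kernel's MAY_* values). */
#define ACC_R 0x4
#define ACC_W 0x2
#define ACC_X 0x1

/* Step 1: what the inode would carry after the xattrs are set:
 * the object label (security.SMACK64) and, optionally, the label a task
 * takes on exec (security.SMACK64EXEC). */
struct file_xattrs {
    const char *smack64;      /* object label, always present in this model */
    const char *smack64exec;  /* NULL when the xattr is not set */
};

/* Per-task Smack label, standing in for the cred security blob. */
struct task_creds {
    char label[LABEL_MAX];
};

/* One explicit subject/object rule (constructed; the real ones come from smackfs). */
struct smack_rule {
    const char *subject;
    const char *object;
    unsigned access;
};

/* Step 2: exec transition. If the program file carries SMACK64EXEC the new
 * task adopts that label; otherwise the label is inherited unchanged.
 * Returns true when the label changed. */
bool exec_transition(struct task_creds *task, const struct file_xattrs *prog)
{
    if (prog->smack64exec == NULL || strcmp(task->label, prog->smack64exec) == 0)
        return false;
    snprintf(task->label, sizeof task->label, "%s", prog->smack64exec);
    return true;
}

/* Step 3: the decision the permission hook reaches, in the documented
 * Smack rule order. An explicit rule must cover every requested bit. */
bool smack_access(const char *subject, const char *object, unsigned want,
                  const struct smack_rule *rules, size_t nrules)
{
    bool read_or_exec_only = (want & ~(ACC_R | ACC_X)) == 0;

    if (strcmp(subject, "*") == 0)
        return false;                       /* "*" subject: always denied */
    if (strcmp(subject, "^") == 0 && read_or_exec_only)
        return true;                        /* "^" subject: may read/exec anything */
    if (strcmp(object, "_") == 0 && read_or_exec_only)
        return true;                        /* "_" object: anyone may read/exec */
    if (strcmp(object, "*") == 0)
        return true;                        /* "*" object: everything allowed */
    if (strcmp(subject, object) == 0)
        return true;                        /* same label: everything allowed */
    for (size_t i = 0; i < nrules; i++) {
        if (strcmp(rules[i].subject, subject) == 0 &&
            strcmp(rules[i].object, object) == 0)
            return (want & ~rules[i].access) == 0;
    }
    return false;                           /* no rule: denied */
}

/* Walk the whole sequence for one constructed scenario: a task labelled
 * "User" execs a program carrying SMACK64EXEC "Daemon", then touches a
 * file labelled "Secret" under a rule that grants Daemon read only. */
bool run_scenario(char *final_label, size_t n, bool *read_ok, bool *write_ok)
{
    static const struct file_xattrs launcher = { "System", "Daemon" };
    static const struct file_xattrs data     = { "Secret", NULL };
    static const struct smack_rule rules[]   = { { "Daemon", "Secret", ACC_R } };
    struct task_creds task = { "User" };

    bool changed = exec_transition(&task, &launcher);
    *read_ok  = smack_access(task.label, data.smack64, ACC_R, rules, 1);
    *write_ok = smack_access(task.label, data.smack64, ACC_W, rules, 1);
    snprintf(final_label, n, "%s", task.label);
    return changed;
}

int main(void)
{
    char label[LABEL_MAX];
    bool r, w;
    bool changed = run_scenario(label, sizeof label, &r, &w);
    printf("after exec: label=%s (changed=%d) read=%d write=%d\n",
           label, changed, r, w);
    return 0;
}
```

The point the model makes visible: nothing in the file's own xattrs decides a later access; SMACK64EXEC only changes which label the task carries, and every decision afterwards is between that task label and the target file's SMACK64 label.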