SMACK: how are smack blobs getting into cred->security and inode->i_security?

Casey Schaufler casey at schaufler-ca.com
Sun Jan 2 21:26:54 UTC 2022


On 1/1/2022 1:34 PM, Denis Obrezkov wrote:
>> The LSM infrastructure (security/security.c) allocates cred and inode
>> security blobs. This allows multiple security modules to use them.
>>
>>>    Also, when does it happen? (for a task and for a
>>> file)
>> security_cred_alloc() and security_inode_alloc().
>>
> I mean how is information from SMACK64EXEC and SMACK64 getting into
> those blobs? Do I understand the sequence right:
>
> First, both labels (SMACK64EXEC and SMACK64) are installed in
> smack_inode_post_setxattr. Second, when we launch a program, there is a
> hook smack_bprm_creds_for_exec that installs a security label from the
> program file inode into the corresponding smack task structure. Third,
> when the program tries to access a file, it is caught in the
> smack_inode_permission.

Seems right. Note that few programs use SMACK64EXEC, while
all files will have SMACK64.

> I am also not sure what is happening in security_inode_alloc. Does it
> just copy a pointer to a security structure of a current task?

Smack labels are stored on a list in the kernel. Once a label
is introduced (smk_import_entry()) it never gets forgotten. The
inode contains a pointer into this list.

> I also can't find where security_cred_alloc is used. I found
> security_cred_alloc_blank but it is called only from cred_alloc_blank
> from cred.c (and I can't find from where the latter is called).
>
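The sequence the thread agrees on (SMACK64/SMACK64EXEC set via setxattr, the exec hook copying the label into the task, the permission hook comparing labels), as an added illustrative model written here and not Smack's actual code: the struct and function names are simplified assumptions, smk_import() stands in for smk_import_entry(), and the permission check keeps only the equal-label case, ignoring Smack's rule list and special labels.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of Smack's interned label list (not kernel code). */
struct smack_known {            /* one interned label */
    char label[32];
    struct smack_known *next;
};
static struct smack_known *smack_known_list;   /* entries are never freed */

/* Model of smk_import_entry(): return the existing entry or add a new one,
 * so every user of the same label holds the same pointer. */
struct smack_known *smk_import(const char *label)
{
    struct smack_known *k;
    for (k = smack_known_list; k; k = k->next)
        if (strcmp(k->label, label) == 0)
            return k;                 /* already known: reuse the pointer */
    k = calloc(1, sizeof(*k));
    strncpy(k->label, label, sizeof(k->label) - 1);
    k->next = smack_known_list;
    smack_known_list = k;
    return k;
}

/* Blobs: the inode holds pointers into the list, and so does the task. */
struct inode_smack { struct smack_known *smk_inode; struct smack_known *smk_task; };
struct task_smack  { struct smack_known *smk_task; };

/* Model of smack_inode_post_setxattr: xattr values become list pointers. */
void post_setxattr(struct inode_smack *isp, const char *name, const char *value)
{
    if (strcmp(name, "SMACK64") == 0)          isp->smk_inode = smk_import(value);
    else if (strcmp(name, "SMACK64EXEC") == 0) isp->smk_task  = smk_import(value);
}

/* Model of smack_bprm_creds_for_exec: a file with SMACK64EXEC hands that
 * label to the task that executes it. */
void creds_for_exec(struct task_smack *tsp, const struct inode_smack *isp)
{
    if (isp->smk_task)
        tsp->smk_task = isp->smk_task;
}

/* Model of smack_inode_permission, equal-label case only: 0 or -EACCES. */
int inode_permission(const struct task_smack *tsp, const struct inode_smack *isp)
{
    return tsp->smk_task == isp->smk_inode ? 0 : -EACCES;
}
```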
More information about the Linux-security-module-archive mailing list