Why is there an alignment from cred->security?
Casey Schaufler
casey at schaufler-ca.com
Tue Jan 18 15:01:15 UTC 2022
On 1/18/2022 3:33 AM, Denis Obrezkov wrote:
> I am digging through the SMACK code. There are the lines:
>
> static inline struct task_smack *smack_cred(const struct cred *cred)
> {
> return cred->security + smack_blob_sizes.lbs_cred;
> }
>
> and smack_blob_sizes are defined as:
>
> struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = {
> .lbs_cred = sizeof(struct task_smack),
> .lbs_file = sizeof(struct smack_known *),
> .lbs_inode = sizeof(struct inode_smack),
> .lbs_ipc = sizeof(struct smack_known *),
> .lbs_msg_msg = sizeof(struct smack_known *),
> };
>
> So, basically, to get a struct we take the size of the struct as an
> offset for cred->security, right? I can't understand why. So, we have
> the following memory layout:
>
> |_________(zeroes)__________|_____task_smack content____|
> ^ ^ ^
> cred->security cred->security + cred->security +
> sizeof(struct task_smack) 2*sizeof(struct task_smack)
>
> Do I misunderstand something?
There may be more than one security module that uses the credential
security blob. The lbs_cred value will be 0 if only Smack is using
the credential blob. If another security module is also using the
blob that value will reflect where in the blob the Smack data resides.
See security/security.c for the details.
More information about the Linux-security-module-archive
mailing list