Why is there an alignment from cred->security?

Casey Schaufler casey at schaufler-ca.com
Tue Jan 18 15:01:15 UTC 2022


On 1/18/2022 3:33 AM, Denis Obrezkov wrote:
> I am digging through the SMACK code. There are the lines:
>
> static inline struct task_smack *smack_cred(const struct cred *cred)
> {
>          return cred->security + smack_blob_sizes.lbs_cred;
> }
>
> and smack_blob_sizes are defined as:
>
> struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = {
>          .lbs_cred = sizeof(struct task_smack),
>          .lbs_file = sizeof(struct smack_known *),
>          .lbs_inode = sizeof(struct inode_smack),
>          .lbs_ipc = sizeof(struct smack_known *),
>          .lbs_msg_msg = sizeof(struct smack_known *),
> };
>
> So, basically, to get a struct we take the size of the struct as an
> offset for cred->security, right? I can't understand why. So, we have
> the following memory layout:
>
> |_________(zeroes)__________|_____task_smack content____|
> ^                           ^                           ^
> cred->security     cred->security +              cred->security +
>                   sizeof(struct task_smack)   2*sizeof(struct task_smack)
>
> Do I misunderstand something?

There may be more than one security module that uses the credential
security blob. The lbs_cred value will be 0 if only Smack is using
the credential blob. If another security module is also using the
blob that value will reflect where in the blob the Smack data resides.
See security/security.c for the details.
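
Added example, not part of the original message and not kernel code: a user-space C model of the behaviour the reply describes, where each module first stores the size it needs in `lbs_cred` and the framework then overwrites that value with the module's offset into the shared credential blob. The names `other_cred`, `task_smack_model`, `set_blob_size`, `register_modules`, `smack_cred_model` and `demo_blob` are hypothetical, and the pointer-size alignment is an assumption of the model.

```c
#include <stdio.h>

/* Stand-in per-module credential data (constructed, not the kernel structs). */
struct other_cred { unsigned int flags; };              /* hypothetical second LSM */
struct task_smack_model { void *task; void *forked; };  /* stand-in for task_smack */

struct blob_sizes { int lbs_cred; };   /* holds a size first, an offset later */
static struct blob_sizes other_sizes, smack_sizes;
static void *demo_blob[8];             /* pointer-aligned stand-in for cred->security */

/* Framework step: turn a module's size request into its offset within the
 * shared blob and grow the running total. Pointer alignment is assumed. */
static void set_blob_size(int *need, int *total)
{
    int align = (int)sizeof(void *);
    int offset;

    if (*need <= 0)
        return;
    offset = (*total + align - 1) / align * align;
    *total = offset + *need;
    *need = offset;
}

/* Modules declare sizes; the framework then rewrites them. Returns blob size. */
static int register_modules(int smack_only)
{
    int total = 0;

    other_sizes.lbs_cred = sizeof(struct other_cred);
    smack_sizes.lbs_cred = sizeof(struct task_smack_model);
    if (!smack_only)
        set_blob_size(&other_sizes.lbs_cred, &total);
    set_blob_size(&smack_sizes.lbs_cred, &total);
    return total;
}

/* Same shape as smack_cred(): blob base plus this module's offset. */
static struct task_smack_model *smack_cred_model(void *security)
{
    return (struct task_smack_model *)((char *)security + smack_sizes.lbs_cred);
}

int main(void)
{
    int total = register_modules(1);
    printf("Smack alone: offset %d, blob %d bytes\n", smack_sizes.lbs_cred, total);
    total = register_modules(0);
    printf("Two modules: offset %d, blob %d bytes\n",
           (int)((char *)smack_cred_model(demo_blob) - (char *)demo_blob), total);
    return 0;
}
```

With Smack alone the offset is 0, so the accessor returns the start of the blob; with a second module registered first, Smack's data begins after that module's region.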


