* SMACK: how are smack blobs getting into cred->security and inode->i_security?
@ 2021-12-31 13:08 Denis Obrezkov
  2021-12-31 17:25 ` Casey Schaufler
  0 siblings, 1 reply; 4+ messages in thread
From: Denis Obrezkov @ 2021-12-31 13:08 UTC (permalink / raw)
  To: linux-security-module

Hello,

I am trying to understand how smack works (looking at
smack_inode_permission hook). I can see that smack security
information is taken from cred->security and inode->i_security but how
did they get in there? Also, when does it happen? (for a task and for a
file)

-- 
Regards, Denis Obrezkov


* Re: SMACK: how are smack blobs getting into cred->security and inode->i_security?
  2021-12-31 13:08 SMACK: how are smack blobs getting into cred->security and inode->i_security? Denis Obrezkov
@ 2021-12-31 17:25 ` Casey Schaufler
  2022-01-01 21:34   ` Denis Obrezkov
  0 siblings, 1 reply; 4+ messages in thread
From: Casey Schaufler @ 2021-12-31 17:25 UTC (permalink / raw)
  To: Denis Obrezkov, linux-security-module; +Cc: Casey Schaufler

On 12/31/2021 5:08 AM, Denis Obrezkov wrote:
> Hello,
>
> I am trying to understand how smack works (looking at
> smack_inode_permission hook). I can see that smack security
> information is taken from cred->security and inode->i_security but how
> did they get in there?

The LSM infrastructure (security/security.c) allocates cred and inode
security blobs. This allows multiple security modules to use them.

> Also, when does it happen? (for a task and for a
> file)

security_cred_alloc() and security_inode_alloc().

I am the Smack maintainer. Feel free to ask anything you'd
like here and to me directly.



* Re: SMACK: how are smack blobs getting into cred->security and inode->i_security?
  2021-12-31 17:25 ` Casey Schaufler
@ 2022-01-01 21:34   ` Denis Obrezkov
  2022-01-02 21:26     ` Casey Schaufler
  0 siblings, 1 reply; 4+ messages in thread
From: Denis Obrezkov @ 2022-01-01 21:34 UTC (permalink / raw)
  To: Casey Schaufler, linux-security-module

> The LSM infrastructure (security/security.c) allocates cred and inode
> security blobs. This allows multiple security modules to use them.
> 
>> Also, when does it happen? (for a task and for a
>> file)
> 
> security_cred_alloc() and security_inode_alloc().
> 
I mean how is information from SMACK64EXEC and SMACK64 getting into
those blobs? Do I understand the sequence right:

First, both labels (SMACK64EXEC and SMACK64) are installed in
smack_inode_post_setxattr. Second, when we launch a program, there is a
hook smack_bprm_creds_for_exec that installs a security label from the
program file inode into the corresponding smack task structure. Third,
when the program tries to access a file, it is caught in the
smack_inode_permission.

I am also not sure what is happening in security_inode_alloc. Does it
just copy a pointer to a security structure of a current task?

I also can't find where security_cred_alloc is used. I found
security_cred_alloc_blank but it is called only from cred_alloc_blank
from cred.c (and I can't find from where the latter is called).

-- 
Regards, Denis Obrezkov


* Re: SMACK: how are smack blobs getting into cred->security and inode->i_security?
  2022-01-01 21:34   ` Denis Obrezkov
@ 2022-01-02 21:26     ` Casey Schaufler
  0 siblings, 0 replies; 4+ messages in thread
From: Casey Schaufler @ 2022-01-02 21:26 UTC (permalink / raw)
  To: Denis Obrezkov, linux-security-module; +Cc: Casey Schaufler

On 1/1/2022 1:34 PM, Denis Obrezkov wrote:
>> The LSM infrastructure (security/security.c) allocates cred and inode
>> security blobs. This allows multiple security modules to use them.
>>
>>> Also, when does it happen? (for a task and for a
>>> file)
>> security_cred_alloc() and security_inode_alloc().
>>
> I mean how is information from SMACK64EXEC and SMACK64 getting into
> those blobs? Do I understand the sequence right:
>
> First, both labels (SMACK64EXEC and SMACK64) are installed in
> smack_inode_post_setxattr. Second, when we launch a program, there is a
> hook smack_bprm_creds_for_exec that installs a security label from the
> program file inode into the corresponding smack task structure. Third,
> when the program tries to access a file, it is caught in the
> smack_inode_permission.

Seems right. Note that few programs use SMACK64EXEC, while
all files will have SMACK64.

> I am also not sure what is happening in security_inode_alloc. Does it
> just copy a pointer to a security structure of a current task?

Smack labels are stored on a list in the kernel. Once a label
is introduced (smk_import_entry()) it never gets forgotten. The
inode contains a pointer into this list.

> I also can't find where security_cred_alloc is used. I found
> security_cred_alloc_blank but it is called only from cred_alloc_blank
> from cred.c (and I can't find from where the latter is called).
>
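To make the mechanism in this exchange concrete, here is a small userspace model, added here and not kernel code, of the label interning Casey describes (smk_import_entry() in security/smack) and of the SMACK64 / SMACK64EXEC flow Denis lists: setxattr interns the label, exec copies the inode's SMACK64EXEC pointer into the task blob, and the permission check compares pointers. The struct and function names are simplified stand-ins for the kernel's, and the label-length limit is constructed.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#define SMK_LABELLEN 24                  /* constructed limit for this model */

struct smack_known {                     /* one interned label on the list */
    char smk_known[SMK_LABELLEN];
    struct smack_known *next;
};
static struct smack_known *smack_known_list;   /* model of the kernel-wide list */

/* Model of smk_import_entry(): find or add a label; NULL on empty/overlong input. */
struct smack_known *smk_import_entry_model(const char *label)
{
    size_t len = strlen(label);
    if (len == 0 || len >= SMK_LABELLEN)
        return NULL;
    for (struct smack_known *k = smack_known_list; k; k = k->next)
        if (strcmp(k->smk_known, label) == 0)
            return k;                    /* already known: reuse the same entry */
    struct smack_known *k = calloc(1, sizeof(*k));
    if (!k) return NULL;
    memcpy(k->smk_known, label, len + 1);
    k->next = smack_known_list;          /* entries are never freed or forgotten */
    smack_known_list = k;
    return k;
}

/* Inode blob holds SMACK64 and SMACK64EXEC; task blob holds the subject label. */
struct inode_smack { struct smack_known *smk_inode, *smk_exec; };
struct task_smack  { struct smack_known *smk_task; };

/* Model of smack_inode_post_setxattr(): the xattr value is interned, not copied. */
void post_setxattr_model(struct inode_smack *isp, const char *name, const char *value)
{
    if (strcmp(name, "security.SMACK64") == 0)
        isp->smk_inode = smk_import_entry_model(value);
    else if (strcmp(name, "security.SMACK64EXEC") == 0)
        isp->smk_exec = smk_import_entry_model(value);
}
/* Model of smack_bprm_creds_for_exec(): SMACK64EXEC, if set, becomes the task label. */
void bprm_creds_for_exec_model(struct task_smack *tsp, const struct inode_smack *isp)
{
    if (isp->smk_exec)
        tsp->smk_task = isp->smk_exec;
}
/* Model of the built-in Smack rule that equal labels grant access: a pointer compare. */
int inode_permission_model(const struct task_smack *tsp, const struct inode_smack *isp)
{
    return (tsp->smk_task && tsp->smk_task == isp->smk_inode) ? 0 : -EACCES;
}
```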

