* SMACK: how are smack blobs getting into cred->security and inode->i_security?
@ 2021-12-31 13:08 Denis Obrezkov
From: Denis Obrezkov @ 2021-12-31 13:08 UTC (permalink / raw)
To: linux-security-module
Hello,
I am trying to understand how smack works (looking at
smack_inode_permission hook). I can see that smack security
information is taken from cred->security and inode->i_security but how
did they get in there? Also, when does it happen? (for a task and for a
file)
--
Regards, Denis Obrezkov
* Re: SMACK: how are smack blobs getting into cred->security and inode->i_security?
From: Casey Schaufler @ 2021-12-31 17:25 UTC (permalink / raw)
To: Denis Obrezkov, linux-security-module; +Cc: Casey Schaufler
On 12/31/2021 5:08 AM, Denis Obrezkov wrote:
> Hello,
>
> I am trying to understand how smack works (looking at
> smack_inode_permission hook). I can see that smack security
> information is taken from cred->security and inode->i_security but how
> did they get in there?
The LSM infrastructure (security/security.c) allocates cred and inode
security blobs. This allows multiple security modules to use them.
> Also, when does it happen? (for a task and for a
> file)
security_cred_alloc() and security_inode_alloc().
I am the Smack maintainer. Feel free to ask anything you'd
like here and to me directly.
* Re: SMACK: how are smack blobs getting into cred->security and inode->i_security?
From: Denis Obrezkov @ 2022-01-01 21:34 UTC (permalink / raw)
To: Casey Schaufler, linux-security-module
> The LSM infrastructure (security/security.c) allocates cred and inode
> security blobs. This allows multiple security modules to use them.
>
>> Also, when does it happen? (for a task and for a
>> file)
>
> security_cred_alloc() and security_inode_alloc().
>
I mean how is information from SMACK64EXEC and SMACK64 getting into
those blobs? Do I understand the sequence right:
First, both labels (SMACK64EXEC and SMACK64) are installed in
smack_inode_post_setxattr. Second, when we launch a program, there is a
hook smack_bprm_creds_for_exec that installs a security label from the
program file inode into the corresponding smack task structure. Third,
when the program tries to access a file, it is caught in the
smack_inode_permission.
I am also not sure what is happening in security_inode_alloc. Does it
just copy a pointer to a security structure of a current task?
I also can't find where security_cred_alloc is used. I found
security_cred_alloc_blank but it is called only from cred_alloc_blank
from cred.c (and I can't find from where the latter is called).
--
Regards, Denis Obrezkov
* Re: SMACK: how are smack blobs getting into cred->security and inode->i_security?
From: Casey Schaufler @ 2022-01-02 21:26 UTC (permalink / raw)
To: Denis Obrezkov, linux-security-module; +Cc: Casey Schaufler
On 1/1/2022 1:34 PM, Denis Obrezkov wrote:
>> The LSM infrastructure (security/security.c) allocates cred and inode
>> security blobs. This allows multiple security modules to use them.
>>
>>> Also, when does it happen? (for a task and for a
>>> file)
>> security_cred_alloc() and security_inode_alloc().
>>
> I mean how is information from SMACK64EXEC and SMACK64 getting into
> those blobs? Do I understand the sequence right:
>
> First, both labels (SMACK64EXEC and SMACK64) are installed in
> smack_inode_post_setxattr. Second, when we launch a program, there is a
> hook smack_bprm_creds_for_exec that installs a security label from the
> program file inode into the corresponding smack task structure. Third,
> when the program tries to access a file, it is caught in the
> smack_inode_permission.
Seems right. Note that few programs use SMACK64EXEC, while
all files will have SMACK64.
> I am also not sure what is happening in security_inode_alloc. Does it
> just copy a pointer to a security structure of a current task?
Smack labels are stored on a list in the kernel. Once a label
is introduced (smk_import_entry()) it never gets forgotten. The
inode contains a pointer into this list.
> I also can't find where security_cred_alloc is used. I found
> security_cred_alloc_blank but it is called only from cred_alloc_blank
> from cred.c (and I can't find from where the latter is called).
>
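As an added illustration (my own toy model, not kernel code and not from the thread), the label flow the replies describe in C: labels interned into a list that never shrinks (modelling smk_import_entry()), inode and cred blobs holding bare pointers into that list, the exec hook copying SMACK64EXEC into the cred, and the permission hook comparing labels. The rule list and the omission of Smack's special labels are simplifications of mine.

```c
#include <assert.h>
#include <string.h>
enum { MAY_EXEC = 1, MAY_WRITE = 2, MAY_READ = 4, EACCES = 13 };

/* Kernel-wide label list: an imported entry is never freed, so a security
 * blob can hold a bare pointer into it (models smk_import_entry()). */
static char label_list[16][24];
static int label_count;

const char *smk_import_entry(const char *s) {
    for (int i = 0; i < label_count; i++)
        if (strcmp(label_list[i], s) == 0) return label_list[i];
    assert(label_count < 16);
    strncpy(label_list[label_count], s, 23);
    return label_list[label_count++];
}
/* Toy blobs: what inode->i_security and cred->security point at. */
struct inode { const char *smk_inode, *smk_exec; };
struct cred  { const char *smk_label; };
struct rule  { const char *subject, *object; int access; };
static struct rule rules[16];
static int rule_count;
/* Writing SMACK64 / SMACK64EXEC (models smack_inode_post_setxattr). */
void set_smack_xattr(struct inode *ip, const char *name, const char *value) {
    if (strcmp(name, "security.SMACK64") == 0)
        ip->smk_inode = smk_import_entry(value);
    else if (strcmp(name, "security.SMACK64EXEC") == 0)
        ip->smk_exec = smk_import_entry(value);
}
/* On exec the task takes the program's SMACK64EXEC label if it has one
 * (models smack_bprm_creds_for_exec); otherwise the cred keeps its label. */
void bprm_creds_for_exec(struct cred *c, const struct inode *prog) {
    if (prog->smk_exec) c->smk_label = prog->smk_exec;
}
void smk_add_rule(const char *subj, const char *obj, int access) {
    assert(rule_count < 16);
    rules[rule_count++] = (struct rule){ smk_import_entry(subj), smk_import_entry(obj), access };
}

/* Access check (models smack_inode_permission): equal labels always pass,
 * otherwise an explicit rule must grant every bit in mask. Real Smack's
 * special labels ("_", "^", "*") are left out of this model. */
int inode_permission(const struct cred *c, const struct inode *ip, int mask) {
    if (c->smk_label == ip->smk_inode) return 0;  /* interned, so pointer compare */
    for (int i = 0; i < rule_count; i++)
        if (rules[i].subject == c->smk_label && rules[i].object == ip->smk_inode)
            return (mask & ~rules[i].access) ? -EACCES : 0;
    return -EACCES;
}
```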